
From nobody Fri Jul  1 07:49:07 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3FC112D143 for <saag@ietfa.amsl.com>; Fri,  1 Jul 2016 07:49:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level: 
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZZOU4K-u0hnm for <saag@ietfa.amsl.com>; Fri,  1 Jul 2016 07:49:04 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F1D8512D681 for <saag@ietf.org>; Fri,  1 Jul 2016 07:48:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id C34ABBE56; Fri,  1 Jul 2016 15:48:48 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gl3ConNHYpw7; Fri,  1 Jul 2016 15:48:48 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 2A3A7BE54; Fri,  1 Jul 2016 15:48:48 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1467384528; bh=Jmrkgfo7vDJbXUlGLKDSrmGvQDMmBnOrW3hEC/SlHNA=; h=Subject:To:References:From:Date:In-Reply-To:From; b=iLo66wN4wCTB2LQrIQB+Ei+2a8oKIlOiMgXmiBCAzyS62JZaHEpUFIAAmTITSGhGm IaUfh0T2f7YejQ4GyHhg/oh/tSZ9J5Ok9dO5XVWGsGUl3mpoPHLjTyWi9mmvpuaOke sqDdP7HdlTLQHX5OnhUKznzL+kJcebtjoJnqKb2Q=
To: Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <577682D0.100@cs.tcd.ie>
Date: Fri, 1 Jul 2016 15:48:48 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <57758609.8090602@si6networks.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms090706040604090903070908"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/YA6bI-02Jlks2N7pNA7a1hpMMt4>
Subject: Re: [saag] [Privsec-program]  RFC3552bis...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jul 2016 14:49:05 -0000

This is a cryptographically signed message in MIME format.

--------------ms090706040604090903070908
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


(bcc'd the privsec programme, let's keep the discussion of this
on the saag list as we're talking about a BCP)

Hiya,

On 30/06/16 21:50, Fernando Gont wrote:
> On 06/30/2016 11:22 AM, Stephen Farrell wrote:
>>
>> - Kick off discussion now on the saag list (this mail)
>> - Get folks' feedback on changes they'd like (if that gets
>>   too voluminous we'll start a new list)
>
> As could possibly be expected, we'd like to see additional requirements
> wrt transient numeric identifiers.
>
> Please see: draft-gont-numeric-ids-sec-considerations-00
> (Security Considerations for Transient Numeric Identifiers Employed in
> Network Protocols)
>
> In that respect, I wonder if, to keep the problem tractable, this could
> be worked out in draft-gont-numeric-ids-sec-considerations to have it
> formally update RFC3552, and then have the bis document pick up what we
> agreed on and incorporate it in the bis document.
>
> FWIW, other wg's have followed this path for bis documents (e.g., TCPM's
> revision of RFC0793 (!)).

So I think what you're suggesting is that we develop a new RFC for
your stuff that becomes a part of BCP72 while at the same time we're
working on a bis for 3552 which would then replace both 3552 and
the new document with your stuff.

I don't see that makes much sense in this case TBH, unless you assume
that the 3552bis work will take years, which I hope won't be the case.

I think instead, we'd be better to roll any BCP-like statements (on
which we have consensus) from your stuff into a 3552bis and just
develop one new document. I think that's also likely to help us to
end up with something that's more readable/useful for the audience
too, rather than have a BCP with multiple RFCs. (*)

And to be clear, personally I do think that a 3552bis should make
the kind of statements about identifiers that your draft includes,
and I do hope that we'll reach consensus about those statements as
we go along.

Cheers,
S.

(*) For those less familiar with process minutiae, a BCP can consist
of more than one RFC, e.g. BCP9. [1]

[1] https://tools.ietf.org/html/bcp9


>
> Thoughts?
>
> Thanks!
>
> Best regards,
>


--------------ms090706040604090903070908--


From nobody Fri Jul  1 08:35:31 2016
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <57768DBB.6010402@cs.tcd.ie>
Date: Fri, 1 Jul 2016 16:35:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms020605070404030607060607"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/RbFuVOoR1QSeuOvhrd6L9AhtDz4>
Subject: [saag] draft saag agenda for IETF976

This is a cryptographically signed message in MIME format.

--------------ms020605070404030607060607
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

I posted the draft agenda [1], more as I get it.

Cheers,
S.

[1] https://www.ietf.org/proceedings/96/agenda/agenda-96-saag


--------------ms020605070404030607060607--


From nobody Sat Jul  2 05:58:06 2016
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <5777B9F2.9080709@si6networks.com>
Date: Sat, 2 Jul 2016 14:56:18 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <577682D0.100@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/smp0XuVBWxVZcyqwSj5t3vdXVnY>
Cc: =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program]  RFC3552bis...

Hi, Stephen,

On 07/01/2016 04:48 PM, Stephen Farrell wrote:
> On 30/06/16 21:50, Fernando Gont wrote:
>> On 06/30/2016 11:22 AM, Stephen Farrell wrote:
>>>
>>> - Kick off discussion now on the saag list (this mail)
>>> - Get folks' feedback on changes they'd like (if that gets
>>>   too voluminous we'll start a new list)
>>
>> As could possibly be expected, we'd like to see additional requirements
>> wrt transient numeric identifiers.
>>
>> Please see: draft-gont-numeric-ids-sec-considerations-00
>> (Security Considerations for Transient Numeric Identifiers Employed in
>> Network Protocols)
>>
>> In that respect, I wonder if, to keep the problem tractable, this could
>> be worked out in draft-gont-numeric-ids-sec-considerations to have it
>> formally update RFC3552, and then have the bis document pick up what we
>> agreed on and incorporate it in the bis document.
>>
>> FWIW, other wg's have followed this path for bis documents (e.g., TCPM's
>> revision of RFC0793 (!)).
> 
> So I think what you're suggesting is that we develop a new RFC for
> your stuff that becomes a part of BCP72 while at the same time we're
> working on a bis for 3552 which would then replace both 3552 and
> the new document with your stuff.

What I propose is:
1) Develop a new and short RFC for the numeric identifiers stuff, that
formally updates RFC3552. Actually, we have published that document
already, so I don't think there's much more to it than a round of
comments, and a WGLC.

2) In parallel, work on RFC3552bis, which eventually can incorporate
stuff from the above RFC. Eventually when 3553bis gets published, it will
obsolete both RFC3552 and the above RFC.


I would expect at least one-year difference in the publication of #1 vs
#2. And having #1 published asap helps in at least two areas:

1) We don't keep publishing flawed RFCs or keep discussing flawed ideas
(see e.g. the 6man threads I've forwarded here)

2) This topic will not have to be discussed in the context of rfc3552
(since it will have already been discussed while publication of rfc #1
above).



> I don't see that makes much sense in this case TBH, unless you assume
> that the 3552bis work will take years, which I hope won't be the case.

My experience with bis documents is that they take time. So, while I'd
like to believe that 3552bis will not take years, I'd bet that there
would be at least one-year difference between getting rfc3552 out and
getting a short bcp on numeric ids out.



> I think instead, we'd be better to roll any BCP-like statements (on
> which we have consensus) from your stuff into a 3552bis and just
> develop one new document.

Problem with that is that, meanwhile, such bcp (until published) doesn't
apply. I have invested/wasted cycles and cycles meanwhile on the topic
of numeric ids, which a bcp on numeric ids would have saved.


> I think that's also likely to help us to
> end up with something that's more readable/useful for the audience
> too, rather than have a BCP with multiple RFCs. (*)

FWIW, I don't want a bcp with multiple RFCs. When 3552bis gets
published, it can obsolete both rfc2552 and the bcp on numeric ids.

Thoughts?

Thanks!
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Sat Jul  2 11:36:31 2016
To: Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <577809A7.4070203@cs.tcd.ie>
Date: Sat, 2 Jul 2016 19:36:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <5777B9F2.9080709@si6networks.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms040305040409090507000803"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/p_1000GLaDHfwEAVbUqiDtjNNEg>
Cc: =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program]  RFC3552bis...

This is a cryptographically signed message in MIME format.

--------------ms040305040409090507000803
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable



On 02/07/16 13:56, Fernando Gont wrote:
> Thoughts?

You've re-iterated what I thought you said. I'll not
re-iterate what I said :-)

Let's see what other opinions folks express, about this
specific point, but also (and IMO more importantly) about
the overall 3552bis plan and set of changes needed.

S.


>
> Thanks!
>


--------------ms040305040409090507000803--


From nobody Sat Jul  2 11:45:38 2016
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <57780BB6.5060307@si6networks.com>
Date: Sat, 2 Jul 2016 20:45:10 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <577809A7.4070203@cs.tcd.ie>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ZgwO21_h4uENdgP_aosC_Uq3db4>
Cc: =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program]  RFC3552bis...

On 07/02/2016 08:36 PM, Stephen Farrell wrote:
> 
> 
> On 02/07/16 13:56, Fernando Gont wrote:
>> Thoughts?
> 
> You've re-iterated what I thought you said. I'll not
> re-iterate what I said :-)
> 
> Let's see what other opinions folks express, about this
> specific point, but also (and IMO more importantly) about
> the overall 3552bis plan and set of changes needed.

A side question is how to proceed with the other two spin-off documents.

Essentially, one informational document which provides historical
perspective of how we've done in terms of transient numeric identifiers,
and another document possibly bcp or informational which contains the
different categories for the numeric identifiers, and possible
algorithms to generate them.

No matter how we proceed with the rfc3552 update, the question of how to
proceed with the other two documents remains. :-)

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Sun Jul  3 07:49:27 2016
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie>
From: Programa STIC <stic@fundacionsadosky.org.ar>
Message-ID: <54ca2117-08ad-0740-22cc-e5af6b1cfbee@fundacionsadosky.org.ar>
Date: Sun, 3 Jul 2016 11:50:37 -0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 Lightning/4.7.1.1
MIME-Version: 1.0
In-Reply-To: <577809A7.4070203@cs.tcd.ie>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IamzD6rbSitJPHngUyJQbirZLEc>
Cc: =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] RFC3552bis...

Hello

On 2/7/16 at 15:36, Stephen Farrell wrote:
> 
> 
> On 02/07/16 13:56, Fernando Gont wrote:
>> Thoughts?
> 
> You've re-iterated what I thought you said. I'll not
> re-iterate what I said :-)
> 
> Let's see what other opinions folks express, about this
> specific point, but also (and IMO more importantly) about
> the overall 3552bis plan and set of changes needed.
> 
> S.
> 

My opinion is that rather than try to get an all encompassing 3552bis by
collecting all the proposed changes to 3552 in a single long-winded
effort it would be easier, faster and more effective to break out the
process in manageable parts.

I'd rather see a process roughly like this:
1- Documents that update 3552 with guidance on specific topics are
discussed and eventually published
2- Once a number of documents in 1) have been published, they are
reviewed and a set is proposed to be collated for 3552bis
3- 3552bis results from the effort in 2) and ends up obsoleting those
from 1)

I do not know how many documents seek to update 3552 at the moment, I am
only aware of the I-D about predictable-ids that I co-authored. I
believe this discussion would be easier and more concrete if we had a
list of proposed changes to 3552 with the corresponding reference.

regards,
-ivan


-- 
Programa de Seguridad en TIC
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TE/FAX: 4328-5164


From nobody Sun Jul  3 18:34:14 2016
From: "Christian Huitema" <huitema@huitema.net>
To: "'Fernando Gont'" <fgont@si6networks.com>, "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>, <saag@ietf.org>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie> <57780BB6.5060307@si6networks.com>
In-Reply-To: <57780BB6.5060307@si6networks.com>
Date: Sun, 3 Jul 2016 18:34:05 -0700
Message-ID: <061801d1d594$29801130$7c803390$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/r8fwaBbUC2BNENIvLoquaMBGj60>
Cc: =?Windows-1252?Q?'Iv=E1n_Arce'?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program]  RFC3552bis...

On Saturday, July 2, 2016 11:45 AM, Fernando Gont wrote:
> 
> On 07/02/2016 08:36 PM, Stephen Farrell wrote:
> >
> >
> > On 02/07/16 13:56, Fernando Gont wrote:
> >> Thoughts?
> >
> > You've re-iterated what I thought you said. I'll not
> > re-iterate what I said :-)
> >
> > Let's see what other opinions folks express, about this
> > specific point, but also (and IMO more importantly) about
> > the overall 3552bis plan and set of changes needed.

I think the first step would be to rewrite the "Goal of security" section of
3552, to incorporate the "Goals of privacy." At that stage, we should have
the big Privacy related headers. Some of that is common with the current
security topics, e.g. confidentiality. But some is not: linkability,
identifiers, etc. We should get a consensus on that before we start
formulating the actual guidance.

> A side question is how to proceed with the other two spin-off documents.

I don't think we have established a need for spin-off documents yet. Let's
have a principled approach, and start from establishing clear goals. I like
informative documents explaining the mistakes of the past or even listing
alternative algorithms, but we should refrain from publishing normative
documents before we have a good grasp on the goals.

In particular, we may want to revisit the thread on the ietf-privacy list,
"Is there an official working definition for Privacy Online?" 3552bis should
start by answering that question.

-- Christian Huitema




From nobody Mon Jul  4 01:10:46 2016
References: <20160704080138.2542.90162.idtracker@ietfa.amsl.com>
To: "saag@ietf.org" <saag@ietf.org>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
X-Forwarded-Message-Id: <20160704080138.2542.90162.idtracker@ietfa.amsl.com>
Message-ID: <577A19FF.6050609@ericsson.com>
Date: Mon, 4 Jul 2016 11:10:39 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <20160704080138.2542.90162.idtracker@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------060105030902020102080005"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/XYFQn1kVDihTVkyjdv1-S0deDnU>
Cc: emu@ietf.org
Subject: [saag] Fwd: New Version Notification for draft-aura-eap-noob-01.txt

--------------060105030902020102080005
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit

Dear all

We have uploaded the next version of our draft on Nimble out-of-band 
authentication for EAP (EAP-NOOB). The new version is available here:
https://tools.ietf.org/html/draft-aura-eap-noob-01

Since the last IETF, we have been working on implementing this EAP 
method. Based on this implementation, we have added message examples for 
both inband and out-of-band (OOB) channels. This version also contains 
minor fixes to the fast reconnect exchange. The local event and server 
state transition tables have been improved.

The saag schedule at the Berlin IETF is rather tight so we are currently 
unsure if we will have time to present the updates during the session.

However, a bunch of us would be hacking and implementing EAP-NOOB during 
the IETF hackathon preceding the meeting (on Saturday and Sunday). If 
you are interested in IoT bootstrapping, please come and join us to hack 
together or just to have a look at the demo.

Thanks
/--Mohit


-------- Forwarded Message --------
Subject: 	New Version Notification for draft-aura-eap-noob-01.txt
Date: 	Mon, 04 Jul 2016 01:01:38 -0700
From: 	internet-drafts@ietf.org
To: 	Tuomas Aura <tuomas.aura@aalto.fi>, Mohit Sethi <mohit@piuha.net>



A new version of I-D, draft-aura-eap-noob-01.txt
has been successfully submitted by Mohit Sethi and posted to the
IETF repository.

Name:		draft-aura-eap-noob
Revision:	01
Title:		Nimble out-of-band authentication for EAP (EAP-NOOB)
Document date:	2016-07-04
Group:		Individual Submission
Pages:		36
URL:		https://www.ietf.org/internet-drafts/draft-aura-eap-noob-01.txt
Status:		https://datatracker.ietf.org/doc/draft-aura-eap-noob/
Htmlized:	https://tools.ietf.org/html/draft-aura-eap-noob-01
Diff:		https://www.ietf.org/rfcdiff?url2=draft-aura-eap-noob-01

Abstract:
    Extensible Authentication Protocol (EAP) provides support for
    multiple authentication methods.  This document defines the EAP-NOOB
    authentication method for nimble out-of-band (OOB) authentication and
    key derivation.  This EAP method is intended for bootstrapping all
    kinds of Internet-of-Things (IoT) devices that have a minimal user
    interface and no pre-configured authentication credentials.  The
    method makes use of a user-assisted one-directional OOB channel
    between the peer device and authentication server.

                                                                                   


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat




--------------060105030902020102080005--


From nobody Tue Jul  5 22:05:05 2016
MIME-Version: 1.0
In-Reply-To: <061801d1d594$29801130$7c803390$@huitema.net>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie> <57780BB6.5060307@si6networks.com> <061801d1d594$29801130$7c803390$@huitema.net>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 5 Jul 2016 22:04:58 -0700
Message-ID: <CACsn0ck_JzgRPxu+RRFir893FqaqVvfnsybrGqma+FO+os97dg@mail.gmail.com>
To: Christian Huitema <huitema@huitema.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/wCEkn5z3GvkmR1tN2wZ8Qyyz-Vo>
Cc: "saag@ietf.org" <saag@ietf.org>, =?UTF-8?Q?Iv=C3=A1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] RFC3552bis...

On Sun, Jul 3, 2016 at 6:34 PM, Christian Huitema <huitema@huitema.net> wrote:
> On Saturday, July 2, 2016 11:45 AM, Fernando Gont wrote:
>>
>> On 07/02/2016 08:36 PM, Stephen Farrell wrote:
>> >
>> >
>> > On 02/07/16 13:56, Fernando Gont wrote:
>> >> Thoughts?
>> >
>> > You've re-iterated what I thought you said. I'll not
>> > re-iterate what I said :-)
>> >
>> > Let's see what other opinions folks express, about this
>> > specific point, but also (and IMO more importantly) about
>> > the overall 3552bis plan and set of changes needed.
>
> I think the first step would be to rewrite the "Goal of security" section of
> 3552, to incorporate the "Goals of privacy." At that stage, we should have
> the big Privacy related headers. Some of that is common with the current
> security topics, e.g. confidentiality. But some is not: linkability,
> identifiers, etc. We should get a consensus on that before we start
> formulating the actual guidance.

And what privacy goals aren't contained within confidentiality? We're
still missing a ton of things people have learned over the past decade
in security such as:
-Formats write their own exploits: the more complex the grammar a
program accepts, the more likely the parser is wrong
-Configuration complexity is the #1 reason for poor configurations and
insecure protocols surviving
-You can't meet a goal you don't have: it's essential to think about
what needs to be protected
-Formal analysis of realistic cryptographic protocols is possible now
-Deprecation never happens
-Unexercised code is broken code

These considerations belong in any Security Considerations section.

>
>> A side question is how to proceed with the other two spin-off documents.
>
> I don't think we have established a need for spin-off documents yet. Let's
> have a principled approach, and start from establishing clear goals. I like
> informative documents explaining the mistakes of the past or even listing
> alternative algorithms, but we should refrain from publishing normative
> documents before we have a good grasp on the goals.
>
> In particular, we may want to revisit the thread on the ietf-privacy list,
> "Is there an official working definition for Privacy Online?" 3552bis should
> start by answering that question.
>
> -- Christian Huitema
>
>
>



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.


From nobody Tue Jul  5 22:45:54 2016
Date: Wed, 6 Jul 2016 01:45:41 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: Watson Ladd <watsonbladd@gmail.com>
In-Reply-To: <CACsn0ck_JzgRPxu+RRFir893FqaqVvfnsybrGqma+FO+os97dg@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1607060144290.5272@multics.mit.edu>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie> <57780BB6.5060307@si6networks.com> <061801d1d594$29801130$7c803390$@huitema.net> <CACsn0ck_JzgRPxu+RRFir893FqaqVvfnsybrGqma+FO+os97dg@mail.gmail.com>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Do7htUqGzv_lzfurUnF6Lhrp0bw>
Cc: "saag@ietf.org" <saag@ietf.org>, =?ISO-8859-15?Q?Iv=E1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] RFC3552bis...

On Wed, 6 Jul 2016, Watson Ladd wrote:

> And what privacy goals aren't contained within confidentiality? We're

At risk of being flippant, "all the metadata".  Cross-session
correlations, cross-protocol associations, you name it.

Not that I disagree with everything else you wrote, of course.

-Ben


From nobody Tue Jul  5 23:04:26 2016
To: Christian Huitema <huitema@huitema.net>, "'Fernando Gont'" <fgont@si6networks.com>, "'Stephen Farrell'" <stephen.farrell@cs.tcd.ie>, saag@ietf.org
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie> <57780BB6.5060307@si6networks.com> <061801d1d594$29801130$7c803390$@huitema.net>
From: Eliot Lear <lear@cisco.com>
Message-ID: <44e113f6-d360-37ec-92f2-fb0d4b2db1e7@cisco.com>
Date: Wed, 6 Jul 2016 08:04:19 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <061801d1d594$29801130$7c803390$@huitema.net>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="qWX7DBE0ChfaEkqnpuboxewxSLWBtWtva"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gxPBI3Mn1Z-QkQJDeNaz3V2Crkc>
Cc: =?UTF-8?Q?'Iv=c3=a1n_Arce'?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] RFC3552bis...

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--qWX7DBE0ChfaEkqnpuboxewxSLWBtWtva
Content-Type: multipart/mixed; boundary="OqupOJ7OA9smdJjK6GnO4r03haoHTtTm3"

--OqupOJ7OA9smdJjK6GnO4r03haoHTtTm3
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable



On 7/4/16 3:34 AM, Christian Huitema wrote:
> I think the first step would be to rewrite the "Goal of security" section of
> 3552, to incorporate the "Goals of privacy." At that stage, we should have
> the big Privacy related headers. Some of that is common with the current
> security topics, e.g. confidentiality. But some is not: linkability,
> identifiers, etc. We should get a consensus on that before we start
> formulating the actual guidance.

Yes, so long as privacy is clearly explained in a broad context.  A good
test of extremes might be a baby monitor versus an oil derrick.  At the
same time, the document should not become a 200 page tome that one must
master in order to produce a specification.

Eliot



--OqupOJ7OA9smdJjK6GnO4r03haoHTtTm3--


--qWX7DBE0ChfaEkqnpuboxewxSLWBtWtva--


From nobody Wed Jul  6 05:01:09 2016
Date: Wed, 06 Jul 2016 21:00:57 +0900
Message-ID: <m2shvn562u.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Watson Ladd <watsonbladd@gmail.com>
In-Reply-To: <CACsn0ck_JzgRPxu+RRFir893FqaqVvfnsybrGqma+FO+os97dg@mail.gmail.com>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie> <57780BB6.5060307@si6networks.com> <061801d1d594$29801130$7c803390$@huitema.net> <CACsn0ck_JzgRPxu+RRFir893FqaqVvfnsybrGqma+FO+os97dg@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/p0S3KbK8Q9v7N6V_C1KXVVBjZTs>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [Privsec-program] RFC3552bis...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 12:01:09 -0000

> And what privacy goals aren't contained within confidentiality?

metadata such as traffic analysis

randy


From nobody Wed Jul  6 09:45:17 2016
Return-Path: <alissa@cooperw.in>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E12BA12D61C for <saag@ietfa.amsl.com>; Wed,  6 Jul 2016 09:45:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level: 
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cooperw.in header.b=BZl+BVTf; dkim=pass (1024-bit key) header.d=messagingengine.com header.b=Tl1P5UcS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDYA7A8XboYi for <saag@ietfa.amsl.com>; Wed,  6 Jul 2016 09:45:14 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAD4412D159 for <saag@ietf.org>; Wed,  6 Jul 2016 09:45:13 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 49192203F4; Wed,  6 Jul 2016 12:45:13 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute7.internal (MEProxy); Wed, 06 Jul 2016 12:45:13 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=GhgIYIFfQjVdA3YKxTIeSWcRfbo=; b=BZl+BV TfmuBTi0tj6qV/JLuf0+OF05zjTIOJKn3hL9GxOSAQlInbsjB6UfkY9vfEuE+IYI 6WIxyO3VP5baFztQBSOpB8Ck+wcym+JuvEBKyY7GKscCG4vs4z1aJNU4Z+GO/pPO MGmXR1TbvJy+ouYpvQqxAHsVhJOxvEsI8Ck7A=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=GhgIYIFfQjVdA3Y KxTIeSWcRfbo=; b=Tl1P5UcSc9WPNssTMPvsoP/4ZYBcLV6C0zDYvHhhlU+rtAy vQkgClXkvvnAVnvCrnbEyOZxynqEylTRTYzA1lgOaV99UV73R1l2slPMUaRcrSCL x92HvBi17b4ikNPtWKhivv4Yex+azXrkNLgnga8omwdyujBxjwddxuBOhq4g=
X-Sasl-enc: 9ZO70DH8mn4a4SKJMehl8z0X6ujPZNS+EKMW6GPbd+nq 1467823512
Received: from dhcp-171-68-20-42.cisco.com (dhcp-171-68-20-42.cisco.com [171.68.20.42]) by mail.messagingengine.com (Postfix) with ESMTPA id AE49ECCDB4; Wed,  6 Jul 2016 12:45:11 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <5774E4E3.2030605@cs.tcd.ie>
Date: Wed, 6 Jul 2016 09:45:09 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <1028DD6E-0FE9-4811-A453-264C9C554F7C@cooperw.in>
References: <5774E4E3.2030605@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/j1pTh-wMd3Ho79xDuG1yWb4aqlQ>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] RFC3552bis...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 16:45:16 -0000

Couple of thoughts based on the experience with RFC 6973.

- The structure of RFC 6973 was highly influenced by RFC 3552. So integrating bits section-by-section wouldn’t be that hard for some sections (threat model, common issues). But this would likely not achieve the goal of making the document shorter.

- IIRC we had a goals section in early drafts of 6973 and ended up ditching it because we couldn't come up with something useful to say that people agreed about. Worth trying again though probably.

- RFC 6973 didn’t contemplate pervasive attackers. A 3552bis should.

Alissa

> On Jun 30, 2016, at 2:22 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
>
> Hiya,
>
> RFC3552/BCP72 [1] is about to become a teenager:-) For those
> of you that don't know it by heart, that's the one that tells
> folks what to put into their security considerations sections
> and it dates back to July 2003.
>
> Following on from discussion at saag in B-A, partly driven by
> the work Fernando and others have done on identifiers, but also
> other chats going back to the STRINT workshop, Kathleen and I
> have discussed what to do about all that and having re-read the
> text we reckon that now would be a good time to start work on
> an RFC3552bis document to replace the current one.
>
> In outline, we think the main tasks there we'd like to see happen
> would be to a) update numerous things that are out of date, b) add
> text about things that weren't so important in 2003, such as privacy,
> perhaps borrowing bits from RFC6973 [2] that make sense as BCP-like
> statements, and c) to make it as understandable and easy to grasp
> as possible and ideally a good bit shorter.
>
> Having figured out what we'd like, and being lazy ADs, we needed
> some other folks to do the actual work so we asked Yoav Nir and
> Magnus Westerlund (both cc'd) and we're delighted to say that
> they've agreed to be editors for this effort. (Thanks again to
> you both.)
>
> The overall plan then is roughly to:-
>
> - Kick off discussion now on the saag list (this mail)
> - Get folks' feedback on changes they'd like (if that gets
>  too voluminous we'll start a new list)
> - Have a short slot at the saag session in Berlin where the
>  editors can review the plan and get more feedback/comments
> - The editors will send some mail about tooling (e.g. if
>  they want to use github, they'll say that etc.)
> - The editors will produce a -00 and we'll iterate on that
>  until done
> - A more substantive discussion of remaining open issues
>  in November at IETF97 if needed, (which we suspect will
>  be needed:-)
> - Hopefully we end up ready for IETF LC around the end of
>  the year or early in 2017.
> - We have what'll quite probably be a fun IETF LC:-)
> - Mid-2017: BCP72 will become the new RFC.
>
> So please do re-read [1,2] and send your comments on what you
> think needs changing to this list and/or the editors and/or to
> Kathleen or I as appropriate.
>
> Cheers,
> S&K.
>
> [1] https://tools.ietf.org/html/bcp72
> [2] https://tools.ietf.org/html/rfc6973


From nobody Wed Jul  6 10:15:31 2016
Return-Path: <kent@bbn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8E3A12D595 for <saag@ietfa.amsl.com>; Wed,  6 Jul 2016 10:15:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.921
X-Spam-Level: 
X-Spam-Status: No, score=-5.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_HOME=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Fh4KwP0Prne for <saag@ietfa.amsl.com>; Wed,  6 Jul 2016 10:15:27 -0700 (PDT)
Received: from bos-mailout2.raytheon.com (bos-mailout2.raytheon.com [199.46.198.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E069012D519 for <saag@ietf.org>; Wed,  6 Jul 2016 10:15:26 -0700 (PDT)
Received: from ma-mailout1.directory.ray.com (ma-mailout1.directory.ray.com [147.25.130.100]) by bos-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u66HFP6a026570 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <saag@ietf.org>; Wed, 6 Jul 2016 17:15:25 GMT
Received: from smtp.bbn.com ([128.33.0.80]) by ma-mailout1.directory.ray.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u66HFOQt030987 (using TLSv1 with cipher DHE-RSA-AES256-SHA(256 bits) verified NO) sender kent@bbn.com for <saag@ietf.org>; Wed, 6 Jul 2016 17:15:25 GMT
Received: from ssh.bbn.com ([192.1.122.15]:48175 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bKqQ0-0007Ck-Fi for saag@ietf.org; Wed, 06 Jul 2016 13:15:24 -0400
To: saag@ietf.org
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie> <57780BB6.5060307@si6networks.com> <061801d1d594$29801130$7c803390$@huitema.net> <CACsn0ck_JzgRPxu+RRFir893FqaqVvfnsybrGqma+FO+os97dg@mail.gmail.com> <m2shvn562u.wl%randy@psg.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <f5651e66-dbed-3ca6-c68f-ce433f306a83@bbn.com>
Date: Wed, 6 Jul 2016 13:15:29 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <m2shvn562u.wl%randy@psg.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-07-06_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=3 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607060149
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qgbHwASvq-2KGacnB20tbcP7tNM>
Subject: Re: [saag] [Privsec-program] RFC3552bis...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 17:15:29 -0000

Randy,

TA has been considered as part of confidentiality for about 30 years.


>> And what privacy goals aren't contained within confidentiality?
> metadata such as traffic analysis
>
> randy


From nobody Wed Jul  6 13:58:20 2016
Return-Path: <huitema@huitema.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3F6F12D6AA for <saag@ietfa.amsl.com>; Wed,  6 Jul 2016 13:58:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level: 
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zn6pzhdkP_Wh for <saag@ietfa.amsl.com>; Wed,  6 Jul 2016 13:58:15 -0700 (PDT)
Received: from xsmtp12.mail2web.com (xsmtp12.mail2web.com [168.144.250.177]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3724612D69C for <saag@ietf.org>; Wed,  6 Jul 2016 13:58:14 -0700 (PDT)
Received: from [10.5.2.31] (helo=xmail09.myhosting.com) by xsmtp12.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1bKttc-0002Vk-MU for saag@ietf.org; Wed, 06 Jul 2016 16:58:13 -0400
Received: (qmail 22803 invoked from network); 6 Jul 2016 20:58:11 -0000
Received: from unknown (HELO huitema2) (Authenticated-user:_huitema@huitema.net@[131.107.147.201]) (envelope-sender <huitema@huitema.net>) by xmail09.myhosting.com (qmail-ldap-1.03) with ESMTPA for <kent@bbn.com>; 6 Jul 2016 20:58:11 -0000
From: "Christian Huitema" <huitema@huitema.net>
To: "'Stephen Kent'" <kent@bbn.com>, <saag@ietf.org>
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie> <57780BB6.5060307@si6networks.com> <061801d1d594$29801130$7c803390$@huitema.net> <CACsn0ck_JzgRPxu+RRFir893FqaqVvfnsybrGqma+FO+os97dg@mail.gmail.com> <m2shvn562u.wl%randy@psg.com> <f5651e66-dbed-3ca6-c68f-ce433f306a83@bbn.com>
In-Reply-To: <f5651e66-dbed-3ca6-c68f-ce433f306a83@bbn.com>
Date: Wed, 6 Jul 2016 13:58:07 -0700
Message-ID: <00cd01d1d7c9$199d42b0$4cd7c810$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHdiwChYcKQB/zbn8GqAoZkFXGAdwHoe/wuAbcq+6gBSNBl2wIDwTGdAREQz9QBWtLTcwHqIUVJAY5+reECryGLB594exGA
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ILKFRDzNq44GnTgaq6WEoam8Tq4>
Subject: Re: [saag] [Privsec-program] RFC3552bis...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 20:58:20 -0000

On Wednesday, July 6, 2016 10:15 AM, Stephen Kent wrote:
> 
> TA has been considered as part of confidentiality for about 30 years.

I am sure that defense against traffic analysis was considered by many
experts for many years. On the other hand, it obviously was not considered a
priority by IETF protocol designers for a long time. Documents like 3552bis
should correct that. Yes, we should say, "please care about
confidentiality." But we need to say a bit more, such as "do not spread
metadata all over the place." And it would be nice to give some broad
guidelines about the big categories that we care about.

-- Christian Huitema

 


From nobody Thu Jul  7 11:01:15 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5530C12B004 for <saag@ietfa.amsl.com>; Thu,  7 Jul 2016 11:01:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.727
X-Spam-Level: 
X-Spam-Status: No, score=-5.727 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l_UeWnckkRSH for <saag@ietfa.amsl.com>; Thu,  7 Jul 2016 11:01:10 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE97612D0EA for <saag@ietf.org>; Thu,  7 Jul 2016 11:01:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 210B8BE54; Thu,  7 Jul 2016 19:01:08 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RhGVq9K0Atfm; Thu,  7 Jul 2016 19:01:06 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id E085EBDD8; Thu,  7 Jul 2016 19:01:05 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1467914466; bh=LVYmIAt3o/osq/CWBBVW3XjM9DufdDaLbGm0z3o62lM=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=ZCF23abk1BuMzi8IRqxz2SZXq/arm7Rb2EqDuE1XoHQvdWpw8DaHYC8jqY1yNekno Mfh1aK9ecP/Ww9N3Tu0580vNR6ndHbPsYa3uO+ebLxRxZVh1+j2ZVIZ69F1/UJLN7K E4j5f2krcKdLOxaaL9aWsqQBzBJZIY2VUhq7oB40=
To: saag@ietf.org
References: <20160524192400.GA9721@pfrc.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <577E98E1.7000407@cs.tcd.ie>
Date: Thu, 7 Jul 2016 19:01:05 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <20160524192400.GA9721@pfrc.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms090607030909040204000206"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5ioHhOU5-9j_sI5Syrn3Y0YXxoI>
Subject: Re: [saag] Fate of BFD extended authentication mechanisms
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 18:01:14 -0000

This is a cryptographically signed message in MIME format.

--------------ms090607030909040204000206
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Folks,

Is there anyone who'll be in Berlin who'd be able to take a few
minutes to chat with Jeff and friends about bfd security?

We're often quite rightly scathing when folks develop protocols
in the IETF that have no or not well designed security and in
this case Jeff is asking for help to try to avoid that bad outcome
and hopefully lead to the kind of good outcome that we security
folks keep on saying is what's needed.

If you're willing to meet Jeff and co for a chat/beer/coffee in
Berlin please drop Kathleen or I a line and we'll send the right
set of intros.

In case it helps, I think this could be an interesting enough
challenge - iiuc bfd is trying to amortise crypto costs over a
bunch of messages in the face of pretty tight performance
constraints.

Anyway, we'd really appreciate it if someone could help out here,
Thanks in advance,
S.

On 24/05/16 20:24, Jeffrey Haas wrote:
> Security-folk,
>
> Partially as a response to work concluded in the KARP Working Group, there
> was previously some effort to enhance the cryptographic authentication
> mechanisms present in BFD.  The core BFD protocol is described in RFC 5880,
> including its authentication mechanisms.
>
> The two main documents covering this work are below:
>
> https://tools.ietf.org/html/draft-ietf-bfd-generic-crypto-auth-06
> https://tools.ietf.org/html/draft-ietf-bfd-hmac-sha-05
>
> To somewhat tritely summarize the work in these two documents, the generic
> doc provides for:
> - Increase the number space of authentication sequence number to 64 bits
>   from 32.
> - Provide a larger numbering space for key identifiers, from 8 bits to 16
>   bits.
> - Re-using this structure for all future types rather than making it a
>   property of the individual authentication section for a given mechanism.
>
> The hmac-sha doc describes SHA-2 variants of ciphers.
>
> In general, these are understood to be the Right Things to do for BFD.
> However, lack of interest in the industry from either vendors or customers,
> and lack of drive from within the working group have contributed to these
> documents going stale.
>
> There is also the secondary issue that as a result of the speed at which BFD
> operates and the fact it is often operating under extremely constrained
> compute resources, even existing ciphers are not well deployed in spite of
> the known weaknesses in the strength of those ciphers.  There is a separate
> effort beginning in BFD that may mitigate these issues, but I have requested
> the authors of that draft to contact the security area separately to discuss
> their proposal:
>
> https://datatracker.ietf.org/doc/draft-ietf-bfd-optimizing-authentication/
>
> Now to my question:
>
> It's generally understood that implementations of security mechanisms often
> lag their specifications.  It's also generally understood that you want
> those specifications to exist because when you need them, it's possibly
> already too late.
>
> Given this, I'm looking at options to help drive the BFD generic crypto and
> hmac-sha document to publication.
>
> As mentioned, the interest in the BFD WG is low.
>
> My question is what is the perceived status of security related documents
> that are on the Experimental track?
>
> For these documents to progress on the standards track, they'd have to have
> some likelihood of being deployed.  That point is, as above, unclear.
>
> -- Jeff


--------------ms090607030909040204000206
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms090607030909040204000206--


From nobody Thu Jul  7 12:21:06 2016
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AFCF12D1CB for <saag@ietfa.amsl.com>; Thu,  7 Jul 2016 12:21:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q12oNlnX3joP for <saag@ietfa.amsl.com>; Thu,  7 Jul 2016 12:21:03 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id C90EB12D0C2 for <saag@ietf.org>; Thu,  7 Jul 2016 12:21:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.networkradius.com (Postfix) with ESMTP id DD40FA68; Thu,  7 Jul 2016 19:21:01 +0000 (UTC)
Received: from mail.networkradius.com ([127.0.0.1]) by localhost (mail-server.vmhost2.networkradius.com [127.0.0.1]) (amavisd-new,  port 10024) with ESMTP id 1Ur4QldWO1Wp; Thu,  7 Jul 2016 19:21:01 +0000 (UTC)
Received: from [192.168.120.42] (unknown [23.233.24.114]) by mail.networkradius.com (Postfix) with ESMTPSA id 74969681; Thu,  7 Jul 2016 19:21:01 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <577E98E1.7000407@cs.tcd.ie>
Date: Thu, 7 Jul 2016 15:21:00 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <67F3902A-634B-4FBA-B219-A65360741417@deployingradius.com>
References: <20160524192400.GA9721@pfrc.org> <577E98E1.7000407@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Xgt2JNNaBYLdmjxPjqonm_j-40k>
Cc: saag@ietf.org
Subject: Re: [saag] Fate of BFD extended authentication mechanisms
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 19:21:05 -0000

On Jul 7, 2016, at 2:01 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> Is there anyone who'll be in Berlin who'd be able to take a few
> minutes to chat with Jeff and friends about bfd security?

  I should be there, barring last-minute surprises.

  I've talked with Jeff in passing before about BFD.  I've implemented RFC 5880, and have been on the mailing list for a while, but unable to keep up with recent activity.

> If you're willing to meet Jeff and co for a chat/beer/coffee in
> Berlin please drop Kathleen or I a line and we'll send the right
> set of intros.

  Count this as my interest.

> In case it helps, I think this could be an interesting enough
> challenge - iiuc bfd is trying to amortise crypto costs over a
> bunch of messages in the face of pretty tight performance
> constraints.

  Hmm...

https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-01

   Authenticating every BFD [RFC5880] packet with a Simple Password, or
   with a MD5 Message-Digest Algorithm [RFC1321] , or Secure Hash
   Algorithm (SHA-1) algorithms is computationally intensive process,
   making it difficult if not impossible to authenticate every packet -
   particularly at faster rates.

  What "faster" rates are required here?  As a case in point, RADIUS requires that each packet be authenticated via MD5, and possibly HMAC-MD5.  Sometimes both.  Commodity hardware is easily capable of doing 10Kpps.  I've managed to get 500Kpps with dedicated implementations.  Even older hardware (2000 era or so) was easily able to reach 2Kpps without much engineering effort.

  Alan DeKok.
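
The per-packet authentication cost questioned in the message above can be measured directly. The following is an added example, not part of the original message and not code from any BFD implementation: it builds and verifies BFD control packets carrying a (Meticulous) Keyed SHA1 authentication section, including the 32-bit sequence-number replay window, and times the loop. The field layout and checks follow this example's reading of RFC 5880; the key, key ID, discriminators and timer values are constructed.

```python
import hashlib
import hmac
import struct
import time

# Field values as this example reads RFC 5880 (sections 4.1, 4.4, 6.7.4).
AUTH_KEYED_SHA1 = 4
AUTH_METICULOUS_KEYED_SHA1 = 5
MANDATORY_LEN = 24      # mandatory section of a BFD control packet
AUTH_LEN = 28           # type, len, key ID, reserved, 32-bit sequence, 20-byte hash
FLAG_A = 0x04           # "Authentication Present" bit
STATE_UP = 3 << 6


def _keyed_sha1(body: bytes, key: bytes) -> bytes:
    # The hash covers the packet with the zero-padded key sitting in the
    # Auth Key/Hash field; the digest then replaces the key on the wire.
    return hashlib.sha1(body + key.ljust(20, b"\0")).digest()


def build_packet(key, key_id, seq, my_disc, your_disc,
                 auth_type=AUTH_METICULOUS_KEYED_SHA1, detect_mult=3):
    """Build one authenticated BFD control packet (52 bytes)."""
    if len(key) > 20:
        raise ValueError("SHA1 key must fit the 20-byte Auth Key/Hash field")
    mandatory = struct.pack(
        "!BBBBIIIII",
        1 << 5,                      # version 1, diagnostic 0
        STATE_UP | FLAG_A,
        detect_mult,
        MANDATORY_LEN + AUTH_LEN,
        my_disc, your_disc,
        50_000, 50_000, 0,           # constructed timer values, microseconds
    )
    auth = struct.pack("!BBBBI", auth_type, AUTH_LEN, key_id, 0, seq & 0xFFFFFFFF)
    return mandatory + auth + _keyed_sha1(mandatory + auth, key)


def verify_packet(pkt, keys, last_seq):
    """Return the accepted sequence number, or None if the packet is discarded.

    keys maps key ID -> shared key; last_seq is the last accepted sequence
    number, or None when no authenticated packet has been seen yet.
    """
    if len(pkt) != MANDATORY_LEN + AUTH_LEN or pkt[3] != len(pkt):
        return None
    if not pkt[1] & FLAG_A:
        return None
    auth_type, auth_len, key_id, _, seq = struct.unpack_from("!BBBBI", pkt, MANDATORY_LEN)
    if auth_type not in (AUTH_KEYED_SHA1, AUTH_METICULOUS_KEYED_SHA1):
        return None
    if auth_len != AUTH_LEN or key_id not in keys:
        return None
    if last_seq is not None:
        # Replay window in a circular 32-bit space: meticulous mode needs a
        # strictly newer number, plain keyed mode also accepts a repeat.
        lowest = 1 if auth_type == AUTH_METICULOUS_KEYED_SHA1 else 0
        ahead = (seq - last_seq) % 2**32
        if not lowest <= ahead <= 3 * pkt[2]:      # pkt[2] is Detect Mult
            return None
    expected = _keyed_sha1(pkt[:MANDATORY_LEN + 8], keys[key_id])
    if not hmac.compare_digest(expected, pkt[MANDATORY_LEN + 8:]):
        return None
    return seq


def measure_pps(count=20_000):
    """Build and verify `count` packets; return packets per second."""
    key, keys, last = b"constructed-key", {7: b"constructed-key"}, None
    start = time.perf_counter()
    for seq in range(1, count + 1):
        last = verify_packet(build_packet(key, 7, seq, 0x1111, 0x2222), keys, last)
        if last != seq:
            raise RuntimeError("packet rejected")
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    print(f"{measure_pps():,.0f} packets/s built and verified")
```

The rate printed is for interpreted Python on whatever general-purpose CPU runs it, so it bounds nothing about a constrained line-card processor; it only gives a baseline for the hash-per-packet cost under discussion.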


From nobody Thu Jul  7 20:04:02 2016
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66D6412B00D for <saag@ietfa.amsl.com>; Thu,  7 Jul 2016 20:04:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jV43TAwj2uaH for <saag@ietfa.amsl.com>; Thu,  7 Jul 2016 20:03:58 -0700 (PDT)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55C21126FDC for <saag@ietf.org>; Thu,  7 Jul 2016 20:03:52 -0700 (PDT)
Received: by mail-vk0-x22d.google.com with SMTP id d67so45195524vkh.1 for <saag@ietf.org>; Thu, 07 Jul 2016 20:03:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=tyKyDSq2YmuYJi9mcQHAjJBSQBPCD2Iw5fvP0RRIhiI=; b=G1BJ07iEKnY1ai7ooJDFrvL/cPGwDT49pxWmUsFaoNT0hboVQ9Qg/dAKrVQ14AjrQu Q0lYcXtwLQMM1akXEU1WutGiWTx7I8zCGDIposSzItryJ1geVySA345xKuQHW/6cRa5r O1Y9YhYlOP6/N9qtgLW57U6+VHpkEIzJ2XIw/L73jDaVzDL9iiAWxafe6NTL4iDOxh/Z upqZcT8D0Tlaeia79EWCxgYSq0p6nVeQsigS4Djtn4ibygU2RG2mz1DShzQrGEw8FgL/ o/SelaBPVC/P0KPqLpz3sjT5zluTHlv0mdKVC0guuvJMSZt/sFlhm0EAOjLAN/hyhcgX dTvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=tyKyDSq2YmuYJi9mcQHAjJBSQBPCD2Iw5fvP0RRIhiI=; b=NmFP88eItGjou8mdTHbYd0m9pBKbieE1dZZY60amy6j8q5x2rdsFkzK1GiW8rp5Zw6 wef0jD9hFnKXUBHcftGZzbaQTHIz78IbV6bzcrmSeHkC5y7rWbCdnFrxA6Bty0pLMWN1 B4GBmOtwKxY5HmzW+1PD3g99jvRdVTiaM2iv/PYNW8sD9Vy+5WiF2O+UUmR3cjZiQAoB u7vNHQMmOLCl4biKfnLbIzMLfaLJHW2HhU5ijnq0MC9MgS9Pm+8mjFG32ApAstip2VSj CzKgV4ZVbckopT1YgrP0tMyWurVSfSfSAD3s/31ki6vUr8HZsYAIGBYmlgsIUJnOuac5 kBFQ==
X-Gm-Message-State: ALyK8tJsXL4lqNTH+cABjCcMRWWXnAYLi0xEzvuDy/BOcYE9cOaPVaeFpdZkCTmkPKd/2ROFN1JAWx2MFZgHJg==
X-Received: by 10.159.33.201 with SMTP id 67mr1774259uac.90.1467947031402; Thu, 07 Jul 2016 20:03:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.39.194 with HTTP; Thu, 7 Jul 2016 20:03:50 -0700 (PDT)
In-Reply-To: <67F3902A-634B-4FBA-B219-A65360741417@deployingradius.com>
References: <20160524192400.GA9721@pfrc.org> <577E98E1.7000407@cs.tcd.ie> <67F3902A-634B-4FBA-B219-A65360741417@deployingradius.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 7 Jul 2016 20:03:50 -0700
Message-ID: <CACsn0c=Fqf_+Juea-OkJV1HsAG5WHRyfYLbP2CdMPwJjMAtOsQ@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/KzdU5jXDF5pSKGXA1kBf2pZmdPc>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Fate of BFD extended authentication mechanisms
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 03:04:00 -0000

On Jul 7, 2016 12:21 PM, "Alan DeKok" <aland@deployingradius.com> wrote:
>
> On Jul 7, 2016, at 2:01 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> > Is there anyone who'll be in Berlin who'd be able to take a few
> > minutes to chat with Jeff and friends about bfd security?
>
>   I should be there, barring last-minute surprises.
>
>   I've talked with Jeff in passing before about BFD.  I've implemented RFC 5880, and have been on the mailing list for a while, but unable to keep up with recent activity.
>
> > If you're willing to meet Jeff and co for a chat/beer/coffee in
> > Berlin please drop Kathleen or I a line and we'll send the right
> > set of intros.
>
>   Count this as my interest.
>
> > In case it helps, I think this could be an interesting enough
> > challenge - iiuc bfd is trying to amortise crypto costs over a
> > bunch of messages in the face of pretty tight performance
> > constraints.
>
>   Hmm...
>
> https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-01
>
>    Authenticating every BFD [RFC5880] packet with a Simple Password, or
>    with a MD5 Message-Digest Algorithm [RFC1321] , or Secure Hash
>    Algorithm (SHA-1) algorithms is computationally intensive process,
>    making it difficult if not impossible to authenticate every packet -
>    particularly at faster rates.
>
>   What "faster" rates are required here?  As a case in point, RADIUS requires that each packet be authenticated via MD5, and possibly HMAC-MD5.  Sometimes both.  Commodity hardware is easily capable of doing 10Kpps.  I've managed to get 500Kpps with dedicated implementations.  Even older hardware (2000 era or so) was easily able to reach 2Kpps without much engineering effort.

You want speed? Ask Cisco about GCM. Or Intel about GCM. Yes, these
require nonces, but they can also be used with both keys the output of
a PRF applied to a much longer nonce, and thus make a random nonce
safe. (The risk of collision is for a single value of H: changing the
key solves the problem). For commodity CPUs without binary multipliers
Poly1305 is a viable solution, as discussed in RFC 7539. It would be
nice to know what hardware we are thinking of.

If these haven't been considered yet, they should be.

>
>   Alan DeKok.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
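
An added illustration of the per-packet keying idea raised in the message above; it is not code from the thread, from any BFD draft, or from RFC 7539. It authenticates each packet with Poly1305 under a one-time key derived from a long random nonce. The choice of HMAC-SHA256 as the PRF, the 24-byte nonce, the label string and the trailer layout are assumptions made for this example.

```python
import hashlib
import hmac
import os

P1305 = (1 << 130) - 5                        # Poly1305 prime (RFC 7539, section 2.5)
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff  # clamp mask for r (same section)
NONCE_LEN = 24                                # assumption: 192-bit random nonce
TAG_LEN = 16


def poly1305(one_time_key: bytes, msg: bytes) -> bytes:
    """Poly1305 as specified in RFC 7539 section 2.5.

    Pure-Python big integers are not constant time; this shows the
    arithmetic, it is not a production implementation.
    """
    if len(one_time_key) != 32:
        raise ValueError("Poly1305 needs a 32-byte one-time key")
    r = int.from_bytes(one_time_key[:16], "little") & R_CLAMP
    s = int.from_bytes(one_time_key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        # Each block gets a 0x01 byte appended before being read as a number.
        block = msg[i:i + 16] + b"\x01"
        acc = (acc + int.from_bytes(block, "little")) * r % P1305
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(TAG_LEN, "little")


def packet_key(master_key: bytes, nonce: bytes) -> bytes:
    """Derive the 32-byte one-time key (r || s) for one packet.

    Assumption: HMAC-SHA256 stands in for the PRF. Because the whole MAC key
    changes with the nonce, two packets share a key only if their 192-bit
    nonces collide, which is why a random nonce is acceptable here.
    """
    return hmac.new(master_key, b"per-packet-key" + nonce, hashlib.sha256).digest()


def seal(master_key: bytes, packet: bytes, nonce: bytes = None) -> bytes:
    """Return the trailer (nonce || tag) to send alongside the packet."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    return nonce + poly1305(packet_key(master_key, nonce), packet)


def verify(master_key: bytes, packet: bytes, trailer: bytes) -> bool:
    """Check a received trailer; the tag comparison is constant time."""
    if len(trailer) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = trailer[:NONCE_LEN], trailer[NONCE_LEN:]
    expected = poly1305(packet_key(master_key, nonce), packet)
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    master = bytes(range(32))                      # constructed key, demo only
    packet = b"constructed stand-in for one packet"
    trailer = seal(master, packet)
    tampered = bytes([packet[0] ^ 0x01]) + packet[1:]
    return {
        "genuine_accepted": verify(master, packet, trailer),
        "tampered_accepted": verify(master, tampered, trailer),
        "trailer_bytes": len(trailer),
    }


if __name__ == "__main__":
    print(demo())
```

The MAC alone does not stop replay of an old packet together with its trailer; the authenticated bytes still need to cover a sequence number or similar freshness value.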


From nobody Thu Jul  7 21:57:21 2016
Return-Path: <hartmans-ietf@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56B1612D633 for <saag@ietfa.amsl.com>; Thu,  7 Jul 2016 21:57:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.253
X-Spam-Level: 
X-Spam-Status: No, score=-0.253 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_DYNAMIC=0.982, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m4zQ0FoNmPOl for <saag@ietfa.amsl.com>; Thu,  7 Jul 2016 21:57:19 -0700 (PDT)
Received: from mail.suchdamage.org (ec2-52-9-186-167.us-west-1.compute.amazonaws.com [52.9.186.167]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57EC612B053 for <saag@ietf.org>; Thu,  7 Jul 2016 21:57:19 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.suchdamage.org (Postfix) with ESMTP id 32BC2253F8; Fri,  8 Jul 2016 00:57:19 -0400 (EDT)
Received: from mail.suchdamage.org ([127.0.0.1]) by localhost (mail.suchdamage.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1sk1NlF9wMW; Fri,  8 Jul 2016 00:57:18 -0400 (EDT)
Received: from carter-zimmerman.suchdamage.org (unknown [137.158.22.239]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) (Authenticated sender: hartmans-laptop) by mail.suchdamage.org (Postfix) with ESMTPSA; Fri,  8 Jul 2016 00:57:18 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 67E8C815B7; Fri,  8 Jul 2016 00:57:15 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: Watson Ladd <watsonbladd@gmail.com>
References: <20160524192400.GA9721@pfrc.org> <577E98E1.7000407@cs.tcd.ie> <67F3902A-634B-4FBA-B219-A65360741417@deployingradius.com> <CACsn0c=Fqf_+Juea-OkJV1HsAG5WHRyfYLbP2CdMPwJjMAtOsQ@mail.gmail.com>
Date: Fri, 08 Jul 2016 00:57:15 -0400
In-Reply-To: <CACsn0c=Fqf_+Juea-OkJV1HsAG5WHRyfYLbP2CdMPwJjMAtOsQ@mail.gmail.com> (Watson Ladd's message of "Thu, 7 Jul 2016 20:03:50 -0700")
Message-ID: <tsly45c20d0.fsf@mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/faunnKEU0KjPynx9o3BwLMapTmE>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Fate of BFD extended authentication mechanisms
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 04:57:20 -0000

>>>>> "Watson" == Watson Ladd <watsonbladd@gmail.com> writes:


    Watson> You want speed? Ask Cisco about GCM. Or Intel about
    Watson> GCM. Yes, these require nonces, but they can also be used
    Watson> with both keys the output of a PRF applied to a much longer
    Watson> nonce, and thus make a random nonce safe. (The risk of
    Watson> collision is for a single value of H: changing the key
    Watson> solves the problem). For commodity CPUs without binary
    Watson> multipliers Poly1305 is a viable solution, as discussed in
    Watson> RFC 7539. It would be nice to know what hardware we are
    Watson> thinking of.


Not surprisingly, this has been hashed to death already.  When the BFD
security analysis team brought their findings to KARP, all of this was
discussed.  Plenty of people who are well aware of counter-mode-based
MACs as well as other fast MAC solutions discussed BFD in great detail.
I don't remember the specific conclusions--there were lots of tradeoffs
involving existing hardware, and constraints on what changes could be
made.  However, this is a case where asking questions rather than
jumping in with a solution is far more helpful.  I'd suggest one of your
first questions should be a request for pointers to the extensive
discussions including the BFD security analysis draft.


From nobody Fri Jul  8 09:23:24 2016
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B54DC12D51B for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 09:23:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2OymwMQ-ISgy for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 09:23:20 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 109EE12D0A8 for <saag@ietf.org>; Fri,  8 Jul 2016 09:23:20 -0700 (PDT)
Received: from [192.168.0.41] (cable-178-148-3-93.dynamic.sbb.rs [178.148.3.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id A8590805E5; Fri,  8 Jul 2016 18:23:15 +0200 (CEST)
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com>
To: "saag@ietf.org" <saag@ietf.org>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
X-Forwarded-Message-Id: <20160708161738.32063.4068.idtracker@ietfa.amsl.com>
Message-ID: <577FD369.2010202@si6networks.com>
Date: Fri, 8 Jul 2016 18:23:05 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <20160708161738.32063.4068.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FNo8KEm5egR7KXKhmQEz-4iVDC4>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: [saag] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 16:23:23 -0000

Folks,

As suggested by a number of folks during the SAAG meeting in Buenos
Aires, we have submitted the history of flawed numeric IDs as a
stand-alone I-D. It is available at:
<https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-history-00.txt>

We believe this information provides good background and motivation for
pursuing further work in this area, and learning about errors from the past.

Your input will be very appreciated.

Thanks!
Fernando




-------- Forwarded Message --------
Subject: New Version Notification for draft-gont-numeric-ids-history-00.txt
Date: Fri, 08 Jul 2016 09:17:38 -0700
From: internet-drafts@ietf.org
To: Ivan Arce <stic@fundacionsadosky.org.ar>, Fernando Gont
<fgont@si6networks.com>


A new version of I-D, draft-gont-numeric-ids-history-00.txt
has been successfully submitted by Fernando Gont and posted to the
IETF repository.

Name:		draft-gont-numeric-ids-history
Revision:	00
Title:		Unfortunate History of Transient Numeric Identifiers
Document date:	2016-07-08
Group:		Individual Submission
Pages:		13
URL:
https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-history-00.txt
Status:
https://datatracker.ietf.org/doc/draft-gont-numeric-ids-history/
Htmlized:
https://tools.ietf.org/html/draft-gont-numeric-ids-history-00


Abstract:
   This document performs an analysis of the security and privacy
   implications of different types of "numeric identifiers" used in IETF
   protocols, and tries to categorize them based on their
   interoperability requirements and the associated failure severity
   when such requirements are not met.  It describes a number of
   algorithms that have been employed in real implementations to meet
   such requirements and analyzes their security and privacy properties.
   Additionally, it provides advice on possible algorithms that could be
   employed to satisfy the interoperability requirements of each
   identifier type, while minimizing the security and privacy
   implications, thus providing guidance to protocol designers and
   protocol implementers.  Finally, it provides recommendations for
   future protocol specifications regarding the specification of the
   aforementioned numeric identifiers.





Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat





From nobody Fri Jul  8 09:27:42 2016
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 524CF12D783 for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 09:27:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id REo8E97XCuTO for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 09:27:37 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0F3812D518 for <saag@ietf.org>; Fri,  8 Jul 2016 09:27:36 -0700 (PDT)
Received: from [192.168.0.41] (cable-178-148-3-93.dynamic.sbb.rs [178.148.3.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 1C320802DC; Fri,  8 Jul 2016 18:27:34 +0200 (CEST)
References: <20160708161348.32063.37084.idtracker@ietfa.amsl.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
To: "saag@ietf.org" <saag@ietf.org>
X-Forwarded-Message-Id: <20160708161348.32063.37084.idtracker@ietfa.amsl.com>
Message-ID: <577FD470.40603@si6networks.com>
Date: Fri, 8 Jul 2016 18:27:28 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <20160708161348.32063.37084.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Q-rHgUDajuiNP7J0FKyEy3pqLh8>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: [saag] Advice on transient numeric ID generation (Fwd: New Version Notification for draft-gont-numeric-ids-generation-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 16:27:40 -0000

Folks,

As with the other I-D, we have submitted this one as a stand-alone
document. It is available at:
<https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-generation-00.txt>

This document aims to provide concrete advice for selecting algorithms
for the generation of transient numeric identifiers.

While RFC3552bis might provide general guidance on desirable properties
for transient numeric IDs, we think that selecting an algorithm for
generating transient numeric IDs based on interoperability properties
and associated failure severities deserves its own documents.

We have tried to incorporate many of the comments we've received so far.

Further input will be very welcome.

Thanks!

Best regards,
Fernando




-------- Forwarded Message --------
Subject: New Version Notification for
draft-gont-numeric-ids-generation-00.txt
Date: Fri, 08 Jul 2016 09:13:48 -0700
From: internet-drafts@ietf.org
To: Ivan Arce <stic@fundacionsadosky.org.ar>, Fernando Gont
<fgont@si6networks.com>


A new version of I-D, draft-gont-numeric-ids-generation-00.txt
has been successfully submitted by Fernando Gont and posted to the
IETF repository.

Name:		draft-gont-numeric-ids-generation
Revision:	00
Title:		On the Generation of Transient Numeric Identifiers
Document date:	2016-07-08
Group:		Individual Submission
Pages:		30
URL:
https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-generation-00.txt
Status:
https://datatracker.ietf.org/doc/draft-gont-numeric-ids-generation/
Htmlized:
https://tools.ietf.org/html/draft-gont-numeric-ids-generation-00


Abstract:
   This document performs an analysis of the security and privacy
   implications of different types of "numeric identifiers" used in IETF
   protocols, and tries to categorize them based on their
   interoperability requirements and the associated failure severity
   when such requirements are not met.  Subsequently, it provides advice
   on possible algorithms that could be employed to satisfy the
   interoperability requirements of each identifier type, while
   minimizing the security and privacy implications, thus providing
   guidance to protocol designers and protocol implementers.  Finally,
   it describes a number of algorithms that have been employed in real
   implementations to generate transient numeric identifiers and
   analyzes their security and privacy properties.





Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat





From nobody Fri Jul  8 11:08:21 2016
Return-Path: <huitema@microsoft.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D302312D790 for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 11:08:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level: 
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id It0zLCW0DCID for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 11:08:16 -0700 (PDT)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-by2nam01on0139.outbound.protection.outlook.com [104.47.34.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 241A012D621 for <saag@ietf.org>; Fri,  8 Jul 2016 11:08:16 -0700 (PDT)
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) by DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.523.12; Fri, 8 Jul 2016 18:08:15 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) with mapi id 15.01.0523.028; Fri, 8 Jul 2016 18:08:15 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
Thread-Index: AQHR2TUQsvqVZ/QFv0GZe+GUKMaZ76AO0lQA
Date: Fri, 8 Jul 2016 18:08:15 +0000
Message-ID: <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com>
In-Reply-To: <577FD369.2010202@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=huitema@microsoft.com; 
x-originating-ip: [2001:4898:80e8:b::734]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/cuxF69B3g6doCa1Eq3lraFYGDmk>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?iso-8859-1?Q?Iv=E1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 18:08:18 -0000

On Friday, July 8, 2016 9:23 AM, Fernando Gont wrote:
>
> Folks,
>
> As suggested by a number of folks during the SAAG meeting in Buenos Aires, we
> have submitted the history of flawed numeric IDs as a stand-alone I-D. It is
> available at:
> <https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-history-00.txt>

Nice.

> We believe this information provides good background and motivation for
> pursuing further work in this area, and learning about errors from the past.
>
> Your input will be very appreciated.

Your draft only provides two examples, IPv4/IPv6 packet identifiers and TCP initial sequence numbers. I would suggest splitting the IPv4 packet identifier and IPv6 fragment identifier in separate cases, and also adding some text at the beginning of each example about the purpose of the identifier.

Also, these two examples do not outline the privacy issues related to other identifier choices. Have you considered adding a history of IPv6 IIDs? This would be a good way to introduce failure modes like "allowing remote scan" or "linkability".

From a privacy point of view, there are other interesting examples. For example, the initial design of MP-TCP uses a "super-cookie", and the WG is just now trying to mitigate that. There is a similar "super-cookie" issue with the identifiers used to resume sessions in TLS, and it is only getting mitigated in TLS 1.3.

I believe adding more examples would result in a better document.

-- Christian Huitema
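
An added illustration of why the packet-identifier case discussed above is a privacy and security problem; it is not taken from either draft or from this thread. It compares a single global counter with a per-destination counter offset by a keyed hash, one commonly described remedy, and measures what a remote peer can infer from the identifiers it receives. The class names, the 16-bit identifier width and the documentation-range addresses are assumptions made for this example.

```python
import hashlib
import hmac

ID_SPACE = 1 << 16            # assumption: 16-bit identifier field

HOST = "192.0.2.1"            # constructed addresses (documentation ranges)
OBSERVER = "198.51.100.7"
OTHER_PEER = "203.0.113.9"


class GlobalCounterIds:
    """One counter shared by every destination (the historically flawed design)."""

    def __init__(self, start: int = 0):
        self._next = start % ID_SPACE

    def next_id(self, src: str, dst: str) -> int:
        value = self._next
        self._next = (self._next + 1) % ID_SPACE
        return value


class PerDestinationIds:
    """Keyed-hash offset plus a counter kept separately for each (src, dst) pair.

    Identifiers stay unique within a flow, but what one peer sees no longer
    depends on traffic sent to any other peer. A real stack would bound the
    counter table; this sketch lets it grow.
    """

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counters = {}

    def next_id(self, src: str, dst: str) -> int:
        flow = (src, dst)
        digest = hmac.new(self._secret, ("%s|%s" % flow).encode(), hashlib.sha256).digest()
        offset = int.from_bytes(digest[:2], "big")
        count = self._counters.get(flow, 0)
        self._counters[flow] = count + 1
        return (offset + count) % ID_SPACE


def leaked_packet_count(generator, hidden_packets: int) -> int:
    """What OBSERVER infers about traffic sent to OTHER_PEER.

    OBSERVER receives one packet, HOST then sends `hidden_packets` packets
    elsewhere, and OBSERVER receives a second packet. The gap between the two
    identifiers it saw, minus one, is its estimate of the hidden traffic.
    """
    first = generator.next_id(HOST, OBSERVER)
    for _ in range(hidden_packets):
        generator.next_id(HOST, OTHER_PEER)
    second = generator.next_id(HOST, OBSERVER)
    return (second - first - 1) % ID_SPACE


def compare(hidden_packets: int = 37) -> dict:
    secret = bytes(range(32))  # constructed secret, demo only
    return {
        "global_counter": leaked_packet_count(GlobalCounterIds(start=65530), hidden_packets),
        "per_destination": leaked_packet_count(PerDestinationIds(secret), hidden_packets),
    }


if __name__ == "__main__":
    print(compare())
```

With the global counter the estimate equals the hidden packet count exactly, even across the 16-bit wrap; with per-destination state it is always zero.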



From nobody Fri Jul  8 11:38:55 2016
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7725512D590 for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 11:38:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wAqoZiXjbYYF for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 11:38:47 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A53712D813 for <saag@ietf.org>; Fri,  8 Jul 2016 11:38:47 -0700 (PDT)
Received: from [192.168.0.41] (cable-178-148-3-93.dynamic.sbb.rs [178.148.3.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 8A0E680097; Fri,  8 Jul 2016 20:38:38 +0200 (CEST)
To: Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <577FF2F9.8000108@si6networks.com>
Date: Fri, 8 Jul 2016 20:37:45 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/cnKW9D4Ls-7WCJNhv4Adp3Pa5sQ>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 18:38:50 -0000

On 07/08/2016 08:08 PM, Christian Huitema wrote:
[....]
>> We believe this information provides good background and motivation
>> for pursuing further work in this area, and learning about errors
>> from the past.
>> 
>> Your input will be very appreciated.
> 
> Your draft only provides two examples, IPv4/IPv6 packet identifiers
> and TCP initial sequence numbers. 

Yes. We're planning to at least add one more example: DNS TxID... But we
could also add others (e.g., transport protocol numbers).



> I would suggest splitting the IPv4
> packet identifier and IPv6 fragment identifier in separate cases, 

The reason we kept them together was to note how addressing the problem
in the IPv4 case didn't reflect into improvements into the IPv6 case...

Please let us know if you think splitting would be better.


> and
> also adding some text at the beginning of each example about the
> purpose of the identifier.

Will do.



> Also, these two examples do not outline the privacy issues related to
> other identifier choices. Have you considered adding a history of
> IPv6 IIDs? This would be a good way to introduce failure modes like
> "allowing remote scan" or "linkability".

You certainly raise a very good point. Adding a section on IPv6 IIDs
will certainly be a good thing. I'll craft some text and send it on the
list for review.



>> From a privacy point of view, there are other interesting examples.
>> For example, the initial design of MP-TCP uses a "super-cookie",
>> and the WG is just now trying to mitigate that. There is a similar
>> "super-cookie" issue with the identifiers used to resume sessions
>> in TLS, and it is only getting mitigated in TLS 1.3.
> 
> I believe adding more examples would result in a better document.

Will do. We will certainly add one or both examples of the super cookie
thing. For instance, now that you mention it, we talked on the
corridors about the TLS one.

Thanks so much for your comments!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Fri Jul  8 12:18:09 2016
Return-Path: <touch@isi.edu>
To: Christian Huitema <huitema@microsoft.com>, Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <577FFB79.2020101@isi.edu>
Date: Fri, 8 Jul 2016 12:14:01 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/xavUU8yq-CD7tKZRqET3Rt1w6EM>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On Friday, July 8, 2016 9:23 AM, Fernando Gont wrote:

> > 
> > Folks,
> > 
> > As suggested by a number of folks during the SAAG meeting in Buenos Aires, we
> > have submitted the history of flawed numeric IDs as a stand-alone I-D. It is
> > available at:
> > <https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-history-00.txt>
IPv4 IDs are supposed to not be reused within one MDL. See RFC6864 Sec 4.3.

Because IDs aren't used if DF=1, they can (and might be) set to anything
at all (RFC6864 Sec 4.1).

This is important context for this doc.

Joe


From nobody Fri Jul  8 12:25:00 2016
Return-Path: <fgont@si6networks.com>
To: Joe Touch <touch@isi.edu>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <577FFDFB.1040704@si6networks.com>
Date: Fri, 8 Jul 2016 21:24:43 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <577FFB79.2020101@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qLCkyUMDUfPuA_hsgKm3kDc4blI>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 07/08/2016 09:14 PM, Joe Touch wrote:
> On Friday, July 8, 2016 9:23 AM, Fernando Gont wrote:
> 
>>>
>>> Folks,
>>>
>>> As suggested by a number of folks during the SAAG meeting in Buenos Aires, we
>>> have submitted the history of flawed numeric IDs as a stand-alone I-D. It is
>>> available at:
>>> <https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-history-00.txt>
> IPv4 IDs are supposed to not be reused within one MDL. See RFC6864 Sec 4.3.
> 
> Because IDs aren't used if DF=1, they can (and might be) set to anything
> at all (RFC6864 Sec 4.1).
> 
> This is important context for this doc.

Problem here is that, as described in the Silbersack2005 reference,
there were boxes that, despite DF, would fragment anyway. That's why
setting the ID to anything wasn't a "safe" option.


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Fri Jul  8 12:39:42 2016
Return-Path: <touch@isi.edu>
To: Fernando Gont <fgont@si6networks.com>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <578000F3.4060709@isi.edu>
Date: Fri, 8 Jul 2016 12:37:23 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <577FFDFB.1040704@si6networks.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/AzyzySZG8ddtX61nBDZ0rK5PV-k>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 7/8/2016 12:24 PM, Fernando Gont wrote:
> On 07/08/2016 09:14 PM, Joe Touch wrote:
>> On Friday, July 8, 2016 9:23 AM, Fernando Gont wrote:
>>
>>>> Folks,
>>>>
>>>> As suggested by a number of folks during the SAAG meeting in Buenos Aires, we
>>>> have submitted the history of flawed numeric IDs as a stand-alone I-D. It is
>>>> available at:
>>>> <https://www.ietf.org/internet-drafts/draft-gont-numeric-ids-history-00.txt>
>> IPv4 IDs are supposed to not be reused within one MDL. See RFC6864 Sec 4.3.
>>
>> Because IDs aren't used if DF=1, they can (and might be) set to anything
>> at all (RFC6864 Sec 4.1).
>>
>> This is important context for this doc.
> Problem here is that, as described in the Silbersack2005 reference,
> there were boxes that, despite DF, would fragment anyway. That's why
> setting the ID to anything wasn't a "safe" option.
>

That's like saying that it's not safe to generate packets with invalid
IPv4 header checksums because there are devices which ignore them.

The correct action is to fix the behavior of those devices, for many
reasons - not the least of which is that sending packets with DF=1 and
ID=0 has been commonplace as well (but at least that behavior is now
standard).

Joe


From nobody Fri Jul  8 12:45:50 2016
Return-Path: <fgont@si6networks.com>
To: Joe Touch <touch@isi.edu>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <578002DE.8020406@si6networks.com>
Date: Fri, 8 Jul 2016 21:45:34 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <578000F3.4060709@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/46D3M438aFkMf2yQkkhHlfBTuho>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 07/08/2016 09:37 PM, Joe Touch wrote:
>>> Because IDs aren't used if DF=1, they can (and might be) set to anything
>>> at all (RFC6864 Sec 4.1).
>>>
>>> This is important context for this doc.
>> Problem here is that, as described in the Silbersack2005 reference,
>> there were boxes that, despite DF, would fragment anyway. That's why
>> setting the ID to anything wasn't a "safe" option.
> 
> That's like saying that it's not safe to generate packets with invalid
> IPv4 header checksums because there are devices which ignore them.

It's not. You don't miss much by always setting the Frag ID. Besides
your host doesn't control the misbehaviour of the boxes that are
fragmenting despite DF.



> The correct action is to fix the behavior of those devices, for many
> reasons - not the least of which is that sending packets with DF=1 and
> ID=0 has been commonplace as well (but at least that behavior is now
> standard).

If you send all packets with the Frag ID=0, and there's a device that
fragments anyway and there's packet loss, you run the risk of getting
all your traffic discarded. OTOH, there doesn't seem to be much of a
drawback in properly setting the frag ID to a non-zero value.

Note: It's not that I love these misbehaving boxes. But me not liking
them does not result in interoperability.

-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
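
Added example (not part of any message in this thread): a toy Python model of the case debated above, where a sender sets DF=1, a box fragments anyway, and one fragment is lost. It compares a constant ID of 0 with a per-datagram ID; the 8-byte fragment size, the payload layout, CRC32 standing in for the transport checksum, and reassembly keyed on the ID alone (one source/destination/protocol flow) are assumptions of the sketch.

```python
import zlib
from collections import namedtuple

# One IPv4 fragment as the receiver sees it (constructed toy format).
Fragment = namedtuple("Fragment", "ip_id offset more data")

FRAG_SIZE = 8  # toy fragment payload size in bytes (assumption)


def make_datagram(seq, body_len=20):
    """Payload = CRC32(body) || body; the CRC stands in for a transport checksum."""
    body = bytes([seq % 256]) * body_len
    return zlib.crc32(body).to_bytes(4, "big") + body


def checksum_ok(payload):
    """Receiver-side integrity check on a reassembled payload."""
    return len(payload) >= 4 and zlib.crc32(payload[4:]).to_bytes(4, "big") == payload[:4]


def fragment(ip_id, payload):
    """Model of a box that fragments despite DF=1, copying the ID into every piece."""
    pieces = [payload[i:i + FRAG_SIZE] for i in range(0, len(payload), FRAG_SIZE)]
    return [
        Fragment(ip_id, i * FRAG_SIZE, i < len(pieces) - 1, piece)
        for i, piece in enumerate(pieces)
    ]


class Reassembler:
    """Minimal reassembly buffer keyed on the ID. No reassembly timer is modelled."""

    def __init__(self):
        self.buffers = {}  # ip_id -> {"parts": {offset: bytes}, "total": int or None}

    def receive(self, frag):
        buf = self.buffers.setdefault(frag.ip_id, {"parts": {}, "total": None})
        buf["parts"][frag.offset] = frag.data
        if not frag.more:  # last fragment tells us the total length
            buf["total"] = frag.offset + len(frag.data)
        if buf["total"] is None:
            return None
        data, pos = b"", 0
        while pos < buf["total"]:  # deliver only when there are no holes
            part = buf["parts"].get(pos)
            if part is None:
                return None
            data += part
            pos += len(part)
        del self.buffers[frag.ip_id]
        return data


def run(id_policy, n_datagrams, lost=frozenset()):
    """Send n datagrams; `lost` holds (datagram_index, fragment_index) pairs dropped in transit."""
    rx = Reassembler()
    delivered = discarded = 0
    for seq in range(n_datagrams):
        ip_id = 0 if id_policy == "zero" else (0x1000 + seq) & 0xFFFF
        for idx, frag in enumerate(fragment(ip_id, make_datagram(seq))):
            if (seq, idx) in lost:
                continue
            payload = rx.receive(frag)
            if payload is None:
                continue
            if checksum_ok(payload):
                delivered += 1
            else:
                discarded += 1  # pieces of two different datagrams were spliced together
    return {
        "delivered": delivered,
        "discarded_bad_checksum": discarded,
        "stuck_buffers": len(rx.buffers),
    }


if __name__ == "__main__":
    one_loss = {(0, 1)}  # constructed loss pattern: middle fragment of the first datagram
    print("ID=0, no loss     :", run("zero", 6))
    print("ID=0, one loss    :", run("zero", 6, one_loss))
    print("per-datagram ID   :", run("counter", 6, one_loss))
```

In this model a single lost fragment under ID=0 leaves the leftover last fragment to be spliced into every following datagram, so all later datagrams fail the checksum; with distinct IDs only the datagram that lost a fragment is affected.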





From nobody Fri Jul  8 12:50:30 2016
Return-Path: <touch@isi.edu>
To: Fernando Gont <fgont@si6networks.com>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <578003EE.3040507@isi.edu>
Date: Fri, 8 Jul 2016 12:50:06 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <578002DE.8020406@si6networks.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/XT8Rkp7GVgiWzW_3PveARfz__BA>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 7/8/2016 12:45 PM, Fernando Gont wrote:
> OTOH, there doesn't seem to be much of a
> drawback in properly setting the frag ID to a non-zero value.

See RFC6864. It either limits your transmit rate or increases the
probability of mis-reassembled fragments.

This doc should not be directly inconsistent with existing standards.

Joe


From nobody Fri Jul  8 12:52:54 2016
Return-Path: <jhaas@slice.pfrc.org>
Date: Fri, 8 Jul 2016 15:53:08 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: Alan DeKok <aland@deployingradius.com>
Message-ID: <20160708195308.GF3711@pfrc.org>
References: <20160524192400.GA9721@pfrc.org> <577E98E1.7000407@cs.tcd.ie> <67F3902A-634B-4FBA-B219-A65360741417@deployingradius.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <67F3902A-634B-4FBA-B219-A65360741417@deployingradius.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/DyJIW92queRmPNaVpHchSULKrqk>
Cc: saag@ietf.org
Subject: Re: [saag] Fate of BFD extended authentication mechanisms

[Choosing this message as my reply point.]

On Thu, Jul 07, 2016 at 03:21:00PM -0400, Alan DeKok wrote:
>   Hmm... 
> 
> https://tools.ietf.org/html/draft-ietf-bfd-optimizing-authentication-01
> 
>    Authenticating every BFD [RFC5880] packet with a Simple Password, or
>    with a MD5 Message-Digest Algorithm [RFC1321] , or Secure Hash
>    Algorithm (SHA-1) algorithms is computationally intensive process,
>    making it difficult if not impossible to authenticate every packet -
>    particularly at faster rates.
> 
>   What "faster" rates are required here?  As a case in point, RADIUS requires that each packet be authenticated via MD5, and possibly HMAC-MD5.  Sometimes both.  Commodity hardware is easily capable of doing 10Kpps.  I've managed to get 500Kpps with dedicated implementations.  Even older hardware (2000 era or so) was easily able to reach 2Kpps without much engineering effort.

RADIUS won't get unhappy with you if you ignore it for 10ms.

It's likely obvious to all on this mailing list that with sufficient CPU,
it's possible to send N 3.3ms BFD packets using a given MAC mechanism in a
given slice of time.

To properly implement BFD, you'll be sending those N packets every 3.3ms.
In the absence of meticulous crypto mode in BFD, you don't have to do
anything other than I/O.  Once you do need to do meticulous crypto mode in
BFD, CPU must be spent on the MAC.

Given a CPU of a particular size, and I/O taking a known amount of time,
it's pretty easy to figure out what the maximum number of 3.3ms sessions you
could support if you were doing nothing other than BFD.  

The issue is line card CPUs are never doing just BFD.

The problem BFD developers are facing is how to do the most work in the
available amount of time slice they can be given for the BFD task along with
everything else, and schedule things sufficiently such that BFD sessions are
maintained without issue.

This resource scheduling issue really isn't the item up for debate here.
The constraints a given implementor faces in trying to write their code will
depend on environment, OS and other things.  However, it does mean that
trying to work on this problem from the standpoint of "the crypto isn't
expensive" isn't a good starting point for our problem.  It's expensive
enough that it simply isn't getting deployed in existing hardware.  Future
hardware is of course amenable to different tradeoffs.

-- Jeff


From nobody Fri Jul  8 12:55:34 2016
Return-Path: <fgont@si6networks.com>
To: Joe Touch <touch@isi.edu>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <57800529.7030403@si6networks.com>
Date: Fri, 8 Jul 2016 21:55:21 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <578003EE.3040507@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/L-LSD8Wd2YmvI-ztONAu_0S4bjA>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 07/08/2016 09:50 PM, Joe Touch wrote:
> 
> 
> On 7/8/2016 12:45 PM, Fernando Gont wrote:
>> OTOH, there doesn't seem to be much of a
>> drawback in properly setting the frag ID to a non-zero value.
> 
> See RFC6864. It either limits your transmit rate or increases the
> probability of mis-reassembled fragments.

Well, we're setting DF anyway, so... why should setting the ID be worse
than setting it to zero?



> This doc should not be directly inconsistent with existing standards.

It is not meant to. Please flag offending text and/or suggest text where
we could be doing better -- I'd be pleased to improve the doc.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Fri Jul  8 12:57:15 2016
Return-Path: <jhaas@slice.pfrc.org>
Date: Fri, 8 Jul 2016 15:57:30 -0400
From: Jeffrey Haas <jhaas@pfrc.org>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20160708195730.GG3711@pfrc.org>
References: <20160524192400.GA9721@pfrc.org> <577E98E1.7000407@cs.tcd.ie> <67F3902A-634B-4FBA-B219-A65360741417@deployingradius.com> <CACsn0c=Fqf_+Juea-OkJV1HsAG5WHRyfYLbP2CdMPwJjMAtOsQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACsn0c=Fqf_+Juea-OkJV1HsAG5WHRyfYLbP2CdMPwJjMAtOsQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fMgYkAYv6RUCLeKcHfVyL-cO-ZI>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Fate of BFD extended authentication mechanisms

On Thu, Jul 07, 2016 at 08:03:50PM -0700, Watson Ladd wrote:
> For commodity CPUs without binary multipliers
> Poly1305 is a viable solution, as discussed in RFC 7539. It would be
> nice to know what hardware we are thinking of.

To pick a random example, feel free to consider an MPC8548 clocked at around
1GHz.

-- Jeff


From nobody Fri Jul  8 13:00:37 2016
Return-Path: <touch@isi.edu>
To: Fernando Gont <fgont@si6networks.com>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <57800529.7030403@si6networks.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <57800633.9090800@isi.edu>
Date: Fri, 8 Jul 2016 12:59:47 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <57800529.7030403@si6networks.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/TqBuiNm8cDVWi2P9_Nhu3GZ8mwU>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 20:00:32 -0000

On 7/8/2016 12:55 PM, Fernando Gont wrote:
> On 07/08/2016 09:50 PM, Joe Touch wrote:
>>
>> On 7/8/2016 12:45 PM, Fernando Gont wrote:
>>> OTOH, there doesn't seem to be much of a
>>> drawback in properly setting the frag ID to a non-zero value.
>> See RFC6864. It either limits your transmit rate or increases the
>> probability of mis-reassembled fragments.
> Well, we're setting DF anyway, so... why should setting the ID be worse
> than setting it to zero?
It's fine to document setting DF as incorrect behavior.

Anything else is a waste of time to discuss.

This doc should not discuss setting the IPv4 ID in ways that are not
consistent with RFC6864, just as it should also be compatible with
existing standards for IPv6.

Joe


From nobody Fri Jul  8 13:18:33 2016
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2F5612D17A for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 13:18:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iICRG6-jlqJm for <saag@ietfa.amsl.com>; Fri,  8 Jul 2016 13:18:29 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 9B30412D179 for <saag@ietf.org>; Fri,  8 Jul 2016 13:18:29 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.networkradius.com (Postfix) with ESMTP id C389D861; Fri,  8 Jul 2016 20:18:28 +0000 (UTC)
Received: from mail.networkradius.com ([127.0.0.1]) by localhost (mail-server.vmhost2.networkradius.com [127.0.0.1]) (amavisd-new,  port 10024) with ESMTP id tZNC4L24H9cX; Fri,  8 Jul 2016 20:18:28 +0000 (UTC)
Received: from [192.168.120.42] (unknown [23.233.24.114]) by mail.networkradius.com (Postfix) with ESMTPSA id E0B3A11E; Fri,  8 Jul 2016 20:18:27 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <20160708195308.GF3711@pfrc.org>
Date: Fri, 8 Jul 2016 16:18:25 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <416E6D2C-34EB-48F6-AF1F-46A879A1D1B5@deployingradius.com>
References: <20160524192400.GA9721@pfrc.org> <577E98E1.7000407@cs.tcd.ie> <67F3902A-634B-4FBA-B219-A65360741417@deployingradius.com> <20160708195308.GF3711@pfrc.org>
To: Jeffrey Haas <jhaas@pfrc.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kyzPp7fIZSLjZ9RordWEfeNQd9M>
Cc: saag@ietf.org
Subject: Re: [saag] Fate of BFD extended authentication mechanisms
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 20:18:32 -0000

On Jul 8, 2016, at 3:53 PM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> RADIUS won't get unhappy with you if you ignore it for 10ms.

  Very true.

> The problem BFD developers are facing is how to do the most work in the
> available amount of time slice they can be given for the BFD task along with
> everything else, and schedule things sufficiently such that BFD sessions are
> maintained without issue.

  I've gone back and read RFC 7492.  The latency and load requirements are clearly laid out there.

> This resource scheduling issue really isn't the item up for debate here.
> The constraints a given implementor faces in trying to write their code will
> depend on environment, OS and other things.  However, it does mean that
> trying to work on this problem from the standpoint of "the crypto isn't
> expensive" isn't a good starting point for our problem.  It's expensive
> enough that it simply isn't getting deployed in existing hardware.  Future
> hardware is of course amenable to different tradeoffs.

  The question then becomes what crypto will be adequate, while still meeting the latency / load requirements.

  I'll do some more reading and research.  We can get together in Berlin.

  Alan DeKok.


From nobody Sat Jul  9 03:37:59 2016
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E37C412B05C for <saag@ietfa.amsl.com>; Sat,  9 Jul 2016 03:37:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bdVL3jcBlddg for <saag@ietfa.amsl.com>; Sat,  9 Jul 2016 03:37:51 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE1CE12D137 for <saag@ietf.org>; Sat,  9 Jul 2016 03:37:50 -0700 (PDT)
Received: from [192.168.0.41] (cable-178-148-3-93.dynamic.sbb.rs [178.148.3.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 62FCA802DC; Sat,  9 Jul 2016 12:37:47 +0200 (CEST)
To: Joe Touch <touch@isi.edu>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <5780D1C9.4010008@si6networks.com>
Date: Sat, 9 Jul 2016 12:28:25 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <578003EE.3040507@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/iTr_nmCH8MRU6q2-DiGTvamHfzk>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 10:37:54 -0000

Hi, Joe,

On 07/08/2016 09:50 PM, Joe Touch wrote:
> 
> 
> On 7/8/2016 12:45 PM, Fernando Gont wrote:
>> OTOH, there doesn't seem to be much of a
>> drawback in properly setting the frag ID to a non-zero value.
> 
> See RFC6864. It either limits your transmit rate or increases the
> probability of mis-reassembled fragments.
> 
> This doc should not be directly inconsistent with existing standards.

Our document does not really mention the case of setting the Frag ID
when MF=0... so it's not really being inconsistent with existing
standards (as far as I can see).

That said, from a completeness point of view, I guess we could note the
spec update performed by RFC6864.

How about something like:

February 2013:
    [RFC6864] updates [RFC0791] such that the Identification value is
    only meaningful when DF=0. This eliminates e.g. information leakage
    attacks when the corresponding traffic is not fragmented. However,
    [RFC6864] does not introduce any security and privacy
    considerations for setting the Identification field.

?
(please suggest tweaks if necessary)


P.S.: This I-D aside, I don't think setting the ID to non-zero for DF ==
0 limits the data rate: compliant boxes will not fragment the packets
anyway, so for them this is the same as setting the ID to 0. For
non-compliant boxes that do fragment packets when DF=1, you reduce the
chances of frag id collisions at the receiving end...

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
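
RFC 6864, cited in the exchange above, defines a datagram as atomic when DF=1, MF=0 and the fragment offset is 0, and requires Identification uniqueness only for non-atomic datagrams. The following is an added example, not part of any message in this thread: a sender-side audit that classifies originated datagrams and flags Identification reuse within one maximum datagram lifetime, plus the rate bound the 16-bit field implies. The function names, the 120-second lifetime and the sample headers (documentation addresses) are assumptions constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

MDL_SECONDS = 120  # assumed maximum datagram lifetime (2 minutes)


def build_header(ident, df, mf, frag_offset,
                 src="192.0.2.1", dst="198.51.100.7", proto=17):
    """Build a 20-byte IPv4 header for the constructed samples (checksum left 0)."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_frag, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def parse_header(header):
    """Extract the fields that matter for fragmentation and reassembly."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ident, flags_frag = struct.unpack_from("!HH", header, 4)
    df = bool(flags_frag & 0x4000)
    mf = bool(flags_frag & 0x2000)
    offset = flags_frag & 0x1FFF
    return {
        # Reassembly matches on source, destination, protocol and ID.
        "flow": (header[12:16], header[16:20], header[9]),
        "id": ident,
        "df": df,
        "mf": mf,
        "offset": offset,
        # RFC 6864 atomic datagram: (DF==1) && (MF==0) && (frag_offset==0)
        "atomic": df and not mf and offset == 0,
    }


def audit_id_reuse(events, mdl=MDL_SECONDS):
    """Return (atomic_count, reused) for (timestamp, header) pairs as originated.

    reused lists (timestamp, id) for each non-atomic datagram whose
    (src, dst, proto, id) tuple was already used less than `mdl` seconds
    earlier, which is the condition that risks mis-reassembled fragments.
    """
    last_start = {}
    atomic = 0
    reused = []
    for ts, raw in events:
        h = parse_header(raw)
        if h["atomic"]:
            atomic += 1          # ID value carries no reassembly meaning
            continue
        if h["offset"] != 0:
            continue             # later fragment of a datagram already counted
        key = h["flow"] + (h["id"],)
        prev = last_start.get(key)
        if prev is not None and ts - prev < mdl:
            reused.append((ts, h["id"]))
        last_start[key] = ts
    return atomic, reused


def max_unique_id_rate_bps(datagram_bytes, mdl=MDL_SECONDS):
    """Highest rate per (src, dst, proto) that keeps 16-bit IDs unique for mdl."""
    return (1 << 16) * datagram_bytes * 8 / mdl


# Constructed sample traffic: (seconds, header)
SAMPLE_EVENTS = [
    (0.0, build_header(0, df=True, mf=False, frag_offset=0)),         # atomic
    (0.1, build_header(0, df=True, mf=False, frag_offset=0)),         # atomic, same ID
    (1.0, build_header(0x1234, df=False, mf=False, frag_offset=0)),   # non-atomic
    (30.0, build_header(0x1234, df=False, mf=False, frag_offset=0)),  # reuse after 29 s
    (200.0, build_header(0x1234, df=False, mf=False, frag_offset=0)), # reuse after 170 s
    (201.0, build_header(0x4242, df=False, mf=True, frag_offset=0)),  # first fragment
    (201.001, build_header(0x4242, df=False, mf=False, frag_offset=185)),  # last fragment
]

if __name__ == "__main__":
    print(audit_id_reuse(SAMPLE_EVENTS))
    print(max_unique_id_rate_bps(1500))
```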





From jon@secureutah.org  Sat Jul  9 12:25:57 2016
Return-Path: <jon@secureutah.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6923912D5E9 for <saag@ietfa.amsl.com>; Sat,  9 Jul 2016 12:25:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.699
X-Spam-Level: 
X-Spam-Status: No, score=-0.699 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=secureutah-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9kv2yKRIsXW2 for <saag@ietfa.amsl.com>; Sat,  9 Jul 2016 12:25:55 -0700 (PDT)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E39F12D18E for <saag@ietf.org>; Sat,  9 Jul 2016 12:25:55 -0700 (PDT)
Received: by mail-lf0-x233.google.com with SMTP id f6so46840921lfg.0 for <saag@ietf.org>; Sat, 09 Jul 2016 12:25:55 -0700 (PDT)
X-Received: by 10.25.207.209 with SMTP id f200mr3131670lfg.195.1468092353164;  Sat, 09 Jul 2016 12:25:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.159.135 with HTTP; Sat, 9 Jul 2016 12:25:33 -0700 (PDT)
X-Originating-IP: [2607:f0d0:2002:70::2]
From: Jon <jon@secureutah.org>
Date: Sat, 9 Jul 2016 14:25:33 -0500
Message-ID: <CADn+NURniPNj-gBtR5zT3xNYYTtrhmRps1=nPGzTsk0JSpZo1Q@mail.gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary=001a114003fe355d24053738e3c5
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IL-t6UVkZZwsajqrn5foGsMlrwE>
X-Mailman-Approved-At: Sun, 10 Jul 2016 08:01:44 -0700
Subject: [saag] Comments on "No MTI Crypto without Public Review"
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 19:27:51 -0000

--001a114003fe355d24053738e3c5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Greetings,

This email contains comments on the draft version of "No MTI Crypto without
Public Review" at
http://www.ietf.org/id/draft-rsalz-drbg-speck-wap-wep-01.txt


1)  "...more IETF protocols are using, or looking at, cryptography to
increase privacy on the Internet..."

I like and agree with RFC7258  and I agree that encryption provides some
privacy benefits (mainly by increasing the amount of effort needed to
conduct useful traffic analysis, yes?), and I agree that public review
should be a MUST before implementing crypto.  However, the wording here
doesn't quite sound right - is it correct to say that cryptography is being
adopted in RFCs solely to increase privacy, or even to say that privacy
itself is the main driver?

Instead of "to increase privacy", what about something more specific, like
"increase data integrity and ease of endpoint authentication"?  Isn't it
technically more feasible to measure/quantify those qualities than
privacy?  If a public review of a new crypto method demonstrates that data
integrity is preserved and robust, and if the endpoints (user/user,
client/server) can authenticate themselves to each other in an easy and
non-falsifiable way, then can't it be said that the new method will provide
some level of confidence of privacy greater than previous crypto
implementations?

Maybe I'm splitting hairs with this thought, or maybe it's understood that
integrity and authentication are automatic results of strong crypto and
don't need to be explicitly stated.



2)  Under the section Terminology, the phrase 'mandatory to implement' is
missing hyphens, unlike its use elsewhere in the doc.



3)  'Snake oil' is defined and included in Terminology but it doesn't
appear to be used anywhere else - is it needed?  I understand the term and
its relevance but it reads like slang or a buzzword that's out of place in
an RFC.



4)  "Cryptography is becoming more important to the IETF and its protocols,
and more IETF protocols are using, or looking at..."

Depending on the history of crypto use in RFCs, would it be more accurate
to replace "is becoming" with "has become"?  Also, since the doc mentions
protocols plural, it would help to provide more examples of recent RFCs
that feature crypto.  For example, DNS over TLS -
https://tools.ietf.org/html/rfc7858



Thank you for the opportunity to comment.

Jon Jarvis

--001a114003fe355d24053738e3c5--


From nobody Sun Jul 10 08:18:53 2016
Return-Path: <jhall@cdt.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E634B12B015 for <saag@ietfa.amsl.com>; Sun, 10 Jul 2016 08:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XL5zAdXLawob for <saag@ietfa.amsl.com>; Sun, 10 Jul 2016 08:18:49 -0700 (PDT)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F63E126579 for <saag@ietf.org>; Sun, 10 Jul 2016 08:18:49 -0700 (PDT)
Received: by mail-vk0-x231.google.com with SMTP id b192so110114974vke.0 for <saag@ietf.org>; Sun, 10 Jul 2016 08:18:49 -0700 (PDT)
X-Received: by 10.176.65.33 with SMTP id j30mr7118610uad.151.1468163928089; Sun, 10 Jul 2016 08:18:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.29.71 with HTTP; Sun, 10 Jul 2016 08:18:28 -0700 (PDT)
In-Reply-To: <8F6A4585-80DC-4D20-A1BF-6EA378A4DDFF@callas.org>
References: <56F29DE6.50508@cs.tcd.ie> <8F6A4585-80DC-4D20-A1BF-6EA378A4DDFF@callas.org>
From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Sun, 10 Jul 2016 11:18:28 -0400
Message-ID: <CABtrr-UWG7-V4E8SpcL8x9S=usGjDKmD9meOPtuawq40nGYW4w@mail.gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-6pTIKR60qeX-7osa1YOFufYV8c>
Subject: Re: [saag] possible BCP on public review being needed for standards-track crypto
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2016 15:18:52 -0000

Rich submitted a -01 to this recently:
https://tools.ietf.org/html/draft-rsalz-drbg-speck-wap-wep-01

(Rich, I can turn these into PRs/issues if you'd like.)

Here are some comments:

* I think the new section on MTI goes a long way towards addressing
Jon's third point above.

* Importantly, I do think there's thinking/work to be done in the doc
on Jon's first and second point. It's not clear that in each case what
the document is calling for as BCP would have worked in those cases.

* Section 4, list of schemes developed in private: really need some
more words for each of these cases as to how developing those schemes
in private led to weakness, etc.

* Section 4: this seems like a great place to deal with Dual_EC_DRBG
head on and identify what specifically was problematic in that case
(either at the time or now in retrospect). It seems if we want to
identify the root of that particular problem, it would be that
agreement on key parameters (P and Q) was done in private, rather than
through a more trustworthy/public process for choosing those
parameters. (although that was when it was introduced to ANSI X9.82,
right?)

* Section 6: The paragraph about NIST could be made a bit more
clinical in tone (happy to offer edits) and you could add that NIST
worked quickly to pull Dual-EC and then start a process to re-examine
their own cryptographic standardization process (again, can provide
language).

* Section 6.1: Ah, here is the good stuff! Here the doc says that open
competitions "seem to be good," but it would be great to tease apart
what features of these competitions lead to better algos that are more
appropriate for IETF MTI. Is it that anyone can compete? Is it that
anyone can cryptanalyze? Is it that certain things are required of
algos entered into the competition? Whatever the parts of these
competitions that lead to good things should be noted here.

* Same feedback wrt to publishing in Crypto and USENIX... what makes
algorithms reviewed for those publication forums particularly good and
can we point to features of the review process or the "table stakes"
required to even have a competitive submission as contributing here?

Nits:

* Abstract, first paragraph:
   * s/or looking at/or considering the use of/
   * maybe s/privacy/confidentiality and integrity/ ?

* It is a bit confusing to have "snake oil" defined in Terminology but
then not used in the document.

* You should just copy the language from the abstract into the Intro
as there were a few changes between -01 and -00 in the abstract that
aren't in the Intro.

* Section 3:
   * you can probably zap "(XXX reference)" after the [acoustic] ref.
   * s/This issues was/This issue was/

* Section 5: s/Internet-Drfats/Internet-Drafts/

* Section 6: s/deployed based/deployed base/

* Section 6.1: s/noted exports/noted experts/

On Wed, Apr 6, 2016 at 12:50 AM, Jon Callas <jon@callas.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Steven, Rich,
>
> I read through the possible draft on standards-track crypto and I have mixed feelings about it.
>
> On the one hand, how could anyone be against it? What it proposes is like motherhood and apple pie. It almost goes without saying that we shouldn't use bad crypto in mandatory-to-implement (MTI) on standards track.
>
> On the other hand, I remember a bit of advice from Jeff Schiller back in the day, that the purpose of a standard is interoperability. Standards exist so that I can decode a protocol to know what it means, and to encode it so someone else can do the same. While, of course, one can take this principle to excess, it's an important one to remember.
>
> Thus, one has to figure out just the right path for a BCP that it hits the right notes. I recognize that in looking at this draft, I have to fill in a lot in my head and see where you're going with it. So I apologize if I misinterpret anything.
>
> What constitutes "public review" is a thorny issue, and one that revolves around. I'm glad that the document admits that this is a thorny issue, but it's really a lynchpin of the idea. We can have a vague definition -- even "I know it when I see it" is fine, but it's not clear that it adds anything to the existing IETF processes. We're still going to hum.
>
> Another core issue is whether it refers to MTI crypto only, or if it's supposed to be broader. I hope that the answer is that of course it only applies to MTI and not optional-to-implement (OTI), because if it's saying MTI but means OTI, then that's a problem with the document structure -- at the very least, a BCP ought to say what it means.
>
> An issue that I see with this from a very high level is the possibility that it could produce the opposite effect that is intended. That is, that it would provide *cover* for bad crypto to resist being replaced.
>
> Let's look at a slightly hypothetical scenario where someone has put DUAL_EC_DRBG into an IETF standard (or one about to become one) so as to cover any possible errors in the host operating system's random number generator. Quickly, we'll say that the standard says that the protocol should seed DUAL_EC_DRBG as a whitening function. We'll also presume there's no malice here, only something that will look stupid in the future as it is a flaw that ruins the whole protocol. Let us also assume that this discussion is *after* the CRYPTO Rump Session talk noting that you can't show it to be secure, but before we get consensus that it isn't secure.
>
> How would you use this BCP to help challenge this use? DUAL_EC_DRBG *is* peer-reviewed. It's a NIST standard, part of ANSI X9, part of NSA Suite B, and so on. The problem in this case is that the peers have made a mistake that will become apparent later. It is also a mistake that looks and sounds paranoid and conspiracy-theory until the Snowden documents show otherwise.
>
> I have the concern that implicit in the goal of this BCP, to somehow argue for "good crypto" is hindered by the BCP as it's presently going. It would be better not to have a BCP than to have one that supports bad crypto that has peer review. Phrased another way, this BCP assumes that peer review is a proxy for goodness, but I believe that it fails in one of its main examples.
>
> There are some other examples that I think are side-points, or get to the MTI/OTI issue.
>
> If we look at the history of A5/*, the GSMA picked those a long time ago with a different set of goals, and those goals included the compute power available, as well as the legal environment of the day. I'm hardly suggesting A5/* as anything worth doing, but I don't see how it's an example here of anything relevant to the IETF in specific because it's such a period piece and an example of how a closed standards body did something we disagree with.
>
> The WEP/WPA examples are interesting, and this is a place that Russ Housley can help with. He's given some *very* interesting talks on how we got into the WEP mess, and how WPA led the way out. It's interesting because it is a standards failure, and because it moved in fits and starts and with a set of goals that included having to be field-replaceable. I think it has a place here, but like DUAL_EC_DRBG, WEP used peer-reviewed crypto. I have to ask how this BCP could help prevent or *replace* WEP or prevent it, as opposed to propping it up or preventing it in the first place.
>
> Patented crypto in general is something I don't worry about, and I think can be handled on the basis of intellectual property concerns. In general, I don't worry about it. If we look at the history of ECC, back in the days when it was kinda dodgy, it was also constrained by patents. It's possible that fewer patents would have hurried research, but I think we benefitted by giving ECC a few places to have its own sandbox, but largely dealing with it as a new technology *because* it had patents restricting it. The first generation of public key systems are an exception, really.
>
> This gets back to the idea that standards are for interoperability. I really care about being *forced* to use things that are new or encumbered, but traditionally the IETF has supported a community of interest that wants to standardize some protocol for their own uses. I think this is also a good thing. Let the new things win in the marketplace of ideas. We should be very, very careful to make it so that it really is crazy talk that the IETF is a cabal with its own agenda.
>
> Traditionally, the IETF has supported things that have a community of interest but people might not like the security of. For example, there are documents for IBE systems, and while I'm not at all a fan of IBE (because they're all implicitly key escrow systems), they have uses in closed communities or people who need or want them. I don't have a problem with RFC 5091, 5408, 5409, 6508, 6509, 6539, or any of the others, as long as I don't *have* to use them. It's OTI as opposed to MTI. Let people have all sorts of stuff as OTI, and as a standards body we just make sure it doesn't sneak into being MTI. Perhaps we don't want a thousand flowers blooming, but a dozen or two is a good thing, and let time settle it out.
>
> This gets me to my big raised eyebrow, the example of Algebraic Eraser. The cryptographic merits of Algebraic Eraser are complex. Personally, as a cryptographer, I put it into the same bin of things that are useful in places just not everywhere. IBE is also in that bin. For me, GCM is in that bin. "Lightweight" crypto and things like Speck (which is in the document name, but not yet mentioned in the document) are in there for me, too.
>
> What is relevant to this BCP, is that the Algebraic Eraser people have never asked to be MTI crypto, and yet this document seems to be suggesting that they shouldn't be allowed to be OTI. Initially, as I was first writing this set of comments, I kinda brushed it off and suggested that you just drop it. But the other discussion of late makes me think that this is somehow *directed* towards Algebraic Eraser, that part of its point is to stop it from being in documents. It is the *only* controversial algorithm mentioned. The document mentions A5/*, DUAL_EC_DRBG, RC4 obliquely through WEP/WPA, and an algorithm that only wants to be an OTI algorithm.
>
> I could ask why, but it's just easier to say that mentioning it all makes it look like this BCP has an agenda that is not its stated goal, so it's best that that be deleted. It makes it look like this is using MTI restrictions as a rationale for OTI restrictions, which I'm sure is not its intent. Let's just move on.
>
> So to summarize, I think there are major structural things this document needs:
>
> (1) Attention to making sure it doesn't become that which it is opposed to. It needs a document philosophy security review. It needs to look at how it could have prevented problems in the past. It needs to red-team itself and look at scenarios like how well it defends DUAL_EC_DRBG against the doubts that Shumow and Ferguson bring up.
>
> (2) The document needs to make its case within the context of the IETF. The example of A5 in the GSMA isn't relevant because the IETF is not the GSMA. The WEP/WPA case is less orthogonal, but you'd need to say that this BCP, if only used over there with people who have similar goals, could have avoided it. All the examples you have at present are mistakes others have made.
>
> (3) The document needs to look at traditional goals of the IETF itself, particularly with the MTI/OTI separation. It is a *strength* of the IETF that it permits standardization as interoperability, as opposed to being a quality gate. It is a *strength* of the IETF that it permits communities of interest that use new and innovative technology. That it is not the crypto equivalent of L'Académie française, that it lets a few flowers bloom and fend for themselves. If the IETF loses that, then it loses what makes it valuable.
>
> At the end of everything, I think the challenge is to turn the basic idea that no one could possibly disagree with into something useful, actionable, and a step forward.
>
>         Jon
>



-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871


From nobody Sun Jul 10 08:26:27 2016
Return-Path: <jhall@cdt.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06F4712B031 for <saag@ietfa.amsl.com>; Sun, 10 Jul 2016 08:26:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PL2aVFNLZFXk for <saag@ietfa.amsl.com>; Sun, 10 Jul 2016 08:26:25 -0700 (PDT)
Received: from mail-vk0-x234.google.com (mail-vk0-x234.google.com [IPv6:2607:f8b0:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 034A5126579 for <saag@ietf.org>; Sun, 10 Jul 2016 08:26:24 -0700 (PDT)
Received: by mail-vk0-x234.google.com with SMTP id f7so95051054vkb.3 for <saag@ietf.org>; Sun, 10 Jul 2016 08:26:24 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.31.83.134 with SMTP id h128mr7157163vkb.75.1468164384116; Sun, 10 Jul 2016 08:26:24 -0700 (PDT)
Received: by 10.103.29.71 with HTTP; Sun, 10 Jul 2016 08:26:24 -0700 (PDT)
In-Reply-To: <CADn+NURniPNj-gBtR5zT3xNYYTtrhmRps1=nPGzTsk0JSpZo1Q@mail.gmail.com>
References: <CADn+NURniPNj-gBtR5zT3xNYYTtrhmRps1=nPGzTsk0JSpZo1Q@mail.gmail.com>
Date: Sun, 10 Jul 2016 11:26:24 -0400
Message-ID: <CABtrr-UdCvMqOfRCso-19pYKZhd_ZazmFy00gHgf=RnJnY+XaQ@mail.gmail.com>
From: Joseph Lorenzo Hall <joe@cdt.org>
To: Jon <jon@secureutah.org>
Content-Type: multipart/alternative; boundary=001a114e52f8966924053749a888
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GPuo2Gv2_GrHWGZZjwHJfsVdPJo>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Comments on "No MTI Crypto without Public Review"
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2016 15:26:27 -0000

--001a114e52f8966924053749a888
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

(apologies for replying on an older thread!)

On Saturday, July 9, 2016, Jon <jon@secureutah.org> wrote:

> Greetings,
>
> This email contains comments on the draft version of "No MTI Crypto
> without Public Review" at
> http://www.ietf.org/id/draft-rsalz-drbg-speck-wap-wep-01.txt
>
>
> 1)  "...more IETF protocols are using, or looking at, cryptography to
> increase privacy on the Internet..."
>
> I like and agree with RFC7258  and I agree that encryption provides some
> privacy benefits (mainly by increasing the amount of effort needed to
> conduct useful traffic analysis, yes?), and I agree that public review
> should be a MUST before implementing crypto.  However, the wording here
> doesn't quite sound right - is it correct to say that cryptography is being
> adopted in RFCs solely to increase privacy, or even to say that privacy
> itself is the main driver?
>
> Instead of "to increase privacy", what about something more specific, like
> "increase data integrity and ease of endpoint authentication"?  Isn't it
> technically more feasible to measure/quantify those qualities than
> privacy?  If a public review of a new crypto method demonstrates that data
> integrity is preserved and robust, and if the endpoints (user/user,
> client/server) can authenticate themselves to each other in an easy and
> non-falsifiable way, then can't it be said that the new method will provide
> some level of confidence of privacy greater than previous crypto
> implementations?
>
> Maybe I'm splitting hairs with this thought, or maybe it's understood that
> integrity and authentication are automatic results of strong crypto and
> don't need to be explicitly stated.
>
>
>
> 2)  Under the section Terminology, the phrase 'mandatory to implement' is
> missing hyphens, unlike its use elsewhere in the doc.
>
>
>
> 3)  'Snake oil' is defined and included in Terminology but it doesn't
> appear to be used anywhere else - is it needed?  I understand the term and
> its relevance but it reads like slang or a buzzword that's out of place in
> an RFC.
>
>
>
> 4)  "Cryptography is becoming more important to the IETF and its
> protocols, and more IETF protocols are using, or looking at..."
>
> Depending on the history of crypto use in RFCs, would it be more accurate
> to replace "is becoming" with "has become"?  Also, since the doc mentions
> protocols plural, it would help to provide more examples of recent RFCs
> that feature crypto.  For example, DNS over TLS -
> https://tools.ietf.org/html/rfc7858
>
>
>
> Thank you for the opportunity to comment.
>
> Jon Jarvis
>


-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

--001a114e52f8966924053749a888--


From nobody Sun Jul 10 11:24:26 2016
Return-Path: <stic@fundacionsadosky.org.ar>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F30E412B031 for <saag@ietfa.amsl.com>; Sun, 10 Jul 2016 11:24:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fundacionsadosky.org.ar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Maa2YXNLnD5N for <saag@ietfa.amsl.com>; Sun, 10 Jul 2016 11:24:18 -0700 (PDT)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B02E41200DF for <saag@ietf.org>; Sun, 10 Jul 2016 11:24:18 -0700 (PDT)
Received: by mail-qk0-x233.google.com with SMTP id 82so75214071qko.3 for <saag@ietf.org>; Sun, 10 Jul 2016 11:24:18 -0700 (PDT)
X-Received: by 10.55.53.4 with SMTP id c4mr19555812qka.92.1468175057770; Sun, 10 Jul 2016 11:24:17 -0700 (PDT)
Received: from [192.168.100.100] ([186.158.219.123]) by smtp.googlemail.com with ESMTPSA id h32sm1954645qth.39.2016.07.10.11.24.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 10 Jul 2016 11:24:17 -0700 (PDT)
Sender: Ivan Arce <iarce@fundacionsadosky.org.ar>
To: "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com>
From: Programa STIC <stic@fundacionsadosky.org.ar>
Organization: =?UTF-8?Q?Fundaci=c3=b3n_Dr._Manuel_Sadosky?=
Message-ID: <cb00b7df-2fbf-5525-3fbf-c95af342db59@fundacionsadosky.org.ar>
Date: Sun, 10 Jul 2016 15:25:51 -0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 Lightning/4.7.1.1
MIME-Version: 1.0
In-Reply-To: <5780D1C9.4010008@si6networks.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/LdVXADVeX4Uw9A7NlunrBnXHP20>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: stic@fundacionsadosky.org.ar
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2016 18:24:22 -0000

Hello

First of all, I'd like to point out that the I-D we are discussing is an
historical account of security & privacy issues derived from
specification or implementation of dynamically generated numeric ids.
It is not a normative document.

So, while context is relevant and RFC6864 should be cited because it is
pertinent, that does not change the fact that the IP ID field was abused
for attacks with varying impact prior to 2013.

Moving on to the matter being discussed:

On 9/7/16 at 7:28, Fernando Gont wrote:
> 
> That said, from a completeness point of view, I guess we could note the
> spec update performed by RFC6864.
> 
> How about something like:
> 
> February 2013:
>     [RFC6864] updates [RFC0791] such that the Identification value is
>     only meaningful when DF=0. This eliminates e.g. information leakage
>     attacks when the corresponding traffic is not fragmented. However,
>     [RFC6864] does not introduce any security and privacy
>     considerations for setting the Identification field.
> 
> ?
> (please suggest tweaks if necessary)

After careful reading, I believe RFC 6864 still does not address the
information leakage problem.

Section 4.1 says:

" >> Originating sources MAY set the IPv4 ID field of atomic datagrams
      to any value."

which means that an implementation may still set the ID field to the
value of a monotonically increasing global counter, thus leaking
information while being compliant with RFC 6864.

From the security & privacy perspective, a more sane specification would
have been:

 " >>> Originating source MUST set the IPv4 ID field of atomic datagrams
to 0"

That would ensure that atomic fragments don't leak information in their
ID field. I understand there may be interoperability issues with
existing equipment if such text was used instead but those issues
weren't avoided by letting implementations use "any" value either.

Furthermore, section 4.3 of RFC 6864 did not change the following
specification:

">> Sources emitting non-atomic datagrams MUST NOT repeat IPv4 ID
      values within one MDL for a given source address/destination
      address/protocol tuple."

However, in the context of the I-D about predictable ids the above
paragraph underspecifies the desired behavior, leaving it open for an
implementation to generate values for the IP ID field using an algorithm
that renders the endpoints vulnerable to off-path attacks.

It is also worth noting that Section 7 ("Security considerations") of
RFC6864 does mention the possible introduction of a covert channel in
making the value of the IP ID field meaningless for atomic datagrams.
The last paragraph of the same section recognizes the existence of a
side channel that leaks information and the possibility for a given
implementation to address one instance of possible attacks but does not
provide explicit guidance on how to do so.

https://tools.ietf.org/html/rfc6864#page-16


In my opinion, this discussion highlights the value and the need for a
document such as
https://www.ietf.org/id/draft-gont-numeric-ids-generation-00.txt in
which guidance and specific algorithms are proposed to avoid known
problems in the generation of values for id fields.

-ivan
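
The leak described in the message above, as an added simulation that is not part of the original post or of either draft: a host using one global IPv4 ID counter lets a peer infer, from the gaps in the IDs it receives, how many packets the host sent elsewhere. The per-flow keyed-offset generator, the addresses and the packet counts are assumptions chosen for illustration, and the generator is not claimed to be an algorithm from draft-gont-numeric-ids-generation.

```python
import hashlib
import hmac
import os

SRC = "192.0.2.10"          # constructed sender address (documentation range)
OBSERVER = "198.51.100.7"   # constructed peer that only sees packets sent to it
OTHERS = ["203.0.113.5", "203.0.113.9"]  # constructed third-party destinations
PROTO = 6                   # TCP, arbitrary for this simulation


class GlobalCounterID:
    """One 16-bit counter shared by every destination (permitted by RFC 6864)."""

    def __init__(self, start=0):
        self.value = start & 0xFFFF

    def next_id(self, src, dst, proto):
        self.value = (self.value + 1) & 0xFFFF
        return self.value


class PerFlowKeyedID:
    """Hypothetical mitigation: one counter per (src, dst, proto) tuple,
    each started at an offset derived from a secret key."""

    def __init__(self, key=None):
        self.key = key if key is not None else os.urandom(32)
        self.counters = {}

    def next_id(self, src, dst, proto):
        flow = (src, dst, proto)
        if flow not in self.counters:
            tag = hmac.new(self.key, repr(flow).encode(), hashlib.sha256).digest()
            self.counters[flow] = int.from_bytes(tag[:2], "big")
        self.counters[flow] = (self.counters[flow] + 1) & 0xFFFF
        return self.counters[flow]


def build_schedule(hidden_counts):
    """Send order: one packet to OBSERVER, then n packets to OTHERS, repeated."""
    schedule = [OBSERVER]
    for n in hidden_counts:
        schedule += [OTHERS[i % len(OTHERS)] for i in range(n)]
        schedule.append(OBSERVER)
    return schedule


def observer_view(gen, schedule):
    """IDs carried by the packets addressed to OBSERVER, in arrival order."""
    seen = []
    for dst in schedule:
        ident = gen.next_id(SRC, dst, PROTO)
        if dst == OBSERVER:
            seen.append(ident)
    return seen


def inferred_hidden_counts(ids):
    """Packets sent elsewhere between observations, as implied by the ID gaps."""
    return [((b - a) & 0xFFFF) - 1 for a, b in zip(ids, ids[1:])]


def ids_unique_per_flow(gen, dst, count):
    """Uniqueness check in the spirit of RFC 6864 section 4.3; a packet count
    stands in for the time-based MDL window."""
    ids = [gen.next_id(SRC, dst, PROTO) for _ in range(count)]
    return len(set(ids)) == len(ids)


HIDDEN = [3, 7, 0, 12]  # constructed: packets sent to OTHERS between observations


def leak_report():
    """Compare what the observer can infer under each generator."""
    schedule = build_schedule(HIDDEN)
    return {
        "global": inferred_hidden_counts(observer_view(GlobalCounterID(), schedule)),
        "per_flow": inferred_hidden_counts(observer_view(PerFlowKeyedID(), schedule)),
    }


if __name__ == "__main__":
    print(leak_report())
```

Both generators satisfy the quoted MUST NOT for up to 65536 packets per tuple, which is why conformance to RFC 6864 alone does not separate the leaky generator from the other one.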


From nobody Sun Jul 10 12:24:33 2016
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79A8412D0D1 for <saag@ietfa.amsl.com>; Sun, 10 Jul 2016 12:24:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k3ticM8fFiEN for <saag@ietfa.amsl.com>; Sun, 10 Jul 2016 12:24:30 -0700 (PDT)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5EE912D0CE for <saag@ietf.org>; Sun, 10 Jul 2016 12:24:29 -0700 (PDT)
Received: by mail-vk0-x22e.google.com with SMTP id b192so114056668vke.0 for <saag@ietf.org>; Sun, 10 Jul 2016 12:24:29 -0700 (PDT)
X-Received: by 10.159.39.193 with SMTP id b59mr7440271uab.109.1468178668726; Sun, 10 Jul 2016 12:24:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.39.194 with HTTP; Sun, 10 Jul 2016 12:24:28 -0700 (PDT)
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 10 Jul 2016 12:24:28 -0700
Message-ID: <CACsn0cnzdrSeu18Wo0b5zOkVAJzAVdJe+k=84Z63kw46VMORrw@mail.gmail.com>
To: Joseph Lorenzo Hall <joe@cdt.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IsbUdbatqz5vf57nKxGGADcERLI>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: [saag] The History of Dual_EC, RC4, and MtE (MD5 bonus) (was possible BCP on public review being needed for standards-track crypto)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2016 19:24:31 -0000

Dear all,
I'm hoping our email clients are smart enough to put this email in the
right place. The history of cryptography is extremely well documented,
and it's important to get this right before making judgments about it.
I'm going to discuss the history of all four, in great detail, so that
we understand what was known, and why standards bodies ignored it.

Dual_EC has a fairly incomplete story, but DJB has done a lot of work,
along with Matthew Green in exposing it. The relevant facts are that
in 2005 Certicom patented the backdoor in Dual EC, in 2006 a bias was
discovered in the output, in 2007 the backdoor was independently
published, and in 2011 NIST decided to go through and standardize it
anyway. The ANSI crypto committee had members who were listed as
inventors on the Certicom patent, but nevertheless standardized it
anyway. I don't have a copy of the standard, but I don't recall it
describing the backdoor.

In short had NIST bothered to do even the most cursory of searches in
2011 they would have seen that Dual_EC failed to meet minimal security
requirements, that it had a backdoor, and that it was slow as
molasses. A bit of thinking about what encrypting with AES means would
show that you don't need to have number theoretic based RNGs. NIST and
ANSI nevertheless proceeded to standardize Dual_EC without noting
these concerns. It is unclear what happened to Juniper: no one has
sued them yet to the best of my knowledge. (Please do if you have
standing: we want to know what happened!)

RC4 was broken within a year of public disclosure: the first byte
biases can be noted in fairly trivial experiments, and were. Long-term
biases in RC4 output were certainly known in 2001, and RC4 was never
required by the TLS specification. Nevertheless it took over a decade
to finally kill: the problem was ignored until 2013, and in fact
worsened by the response to errors in CBC mode, which was to use RC4
instead of adopting AES-GCM.

Why was CBC mode vulnerable? During the development of IPsec the fact
that EtM is secure was well-known: the often cited 2001 Vaudenay and
Rogaway papers merely demonstrated that what was not known to be true
was in fact false in many circumstances. The conservativism of EtM was
well known in 1995 as the Rogaway IPsec comments show. TLS 1.1 did not
fix this mistake. But this was not the only failure in CBC
mode ciphers: the use of a predictable IV breaks the necessary
condition in CBC indistinguishability results. This mistake was fixed
in TLS 1.1, but uptake was slow until exploits were developed.

MD5 has been exploited as late as 2012, 16 years after the first
freestart collision, and 8 years after the first collision. What
should have been an immediate ban on issuing new certificates using
MD5 and replacement with SHA1, followed by gradual phaseout, was
instead a series of stopgaps, making the eventual end extremely messy
and drawn out.

To this day we have to worry about the Bleichenbacher attack on PKCS
1.5 encryption. The obvious remedy is to not implement partial
countermeasure after countermeasure, but to root-and-branch replace
it. Each time we worry about the pain it will cause, and add another
stopgap, we only delay the inevitable.

In each of these cases actual cryptographers with actual knowledge
advised repeatedly against the decisions that were actually made. In
each case attacks were dismissed as theoretical possibilities, and
standardization bodies never looked at the actual state of knowledge
at the time. When standards bodies did react, there was no wider
understanding that migration was necessary. Implementors assumed that
standards bodies had knowledge: they did not. Were MD5, Dual_EC, RC4,
and MtE insufficiently reviewed? The answer is clearly no: the issues
were very well known, and in many cases documented. The response was
insufficient because of varying degrees of concern for backwards
compatibility (despite negotiation mechanisms intended to enable
change), failure to understand the issues, and some people rather like
being able to exploit everything in sight.

This email could easily be four times the size: Does anyone use
policy mapping? The horror that is OpenPGP has been passed over in
silence. XML has its own share of crypto related mistakes. IPsec
compatibility issues have forced password based modes to remain for
years. Many standardized schemes receive almost no review: they are
slightly better than the random crypto related github project, but
chances are not much. When review does happen the attitude taken is
not one of "this must be obviously correct" but "do I really need to
change it? Is this really an attack?". It's common in design
discussions for spurious considerations to be given equal or greater
weight to core cryptographic security considerations in working
groups: not the real constraints of migration and backwards
compatibility, but imaginary concerns.

Sincerely,
Watson Ladd


From nobody Sun Jul 10 12:29:00 2016
From: "Salz, Rich" <rsalz@akamai.com>
To: Watson Ladd <watsonbladd@gmail.com>, Joseph Lorenzo Hall <joe@cdt.org>
Date: Sun, 10 Jul 2016 19:28:51 +0000
Message-ID: <895661d2f0ae470090abce7dc755aebc@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <CACsn0cnzdrSeu18Wo0b5zOkVAJzAVdJe+k=84Z63kw46VMORrw@mail.gmail.com>
In-Reply-To: <CACsn0cnzdrSeu18Wo0b5zOkVAJzAVdJe+k=84Z63kw46VMORrw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/XgYD8YDCzARbWrgzaYqFwc-5Zjc>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] The History of Dual_EC, RC4, and MtE (MD5 bonus) (was possible BCP on public review being needed for standards-track crypto)

> In short had NIST bothered to do even the most cursory of searches in
> 2011 they would have seen that Dual_EC failed to meet minimal security
> requirements, that it had a backdoor, and that it was slow as molasses.

Are you aware that, by law, the NSA is the crypto expert body for NIST?

That probably had something to do with it.


From nobody Sun Jul 10 22:48:48 2016
To: Fernando Gont <fgont@si6networks.com>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <578332E8.9020302@isi.edu>
Date: Sun, 10 Jul 2016 22:47:20 -0700
In-Reply-To: <5780D1C9.4010008@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/h1J9KChjq2JyB8IxiH270lM8LAA>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 7/9/2016 3:28 AM, Fernando Gont wrote:
> Hi, Joe,
>
> On 07/08/2016 09:50 PM, Joe Touch wrote:
>>
>> On 7/8/2016 12:45 PM, Fernando Gont wrote:
>>> OTOH, there doesn't seem to be much of a
>>> drawback in properly setting the frag ID to a non-zero value.
>> See RFC6864. It either limits your transmit rate or increases the
>> probability of mis-reassembled fragments.
>>
>> This doc should not be directly inconsistent with existing standards.
> Our document does not really mention the case of setting the Frag ID
> when MF=0... so it's not really being inconsistent with existing
> standards (as far as I can see).
>
> That said, from a completeness point of view, I guess we could note the
> spec update performed by RFC6864.
>
> How about something like:
>
> February 2013:
>     [RFC6864] updates [RFC0791] such that the Identification value is
>     only meaningful when DF=0. This eliminates e.g. information leakage
>     attacks when the corresponding traffic is not fragmented. However,
>     [RFC6864] does not introduce any security and privacy
>     considerations for setting the Identification field.
>
> ?
> (please suggest tweaks if necessary)

    [RFC6864] updates [RFC0791] such that the IPv4 Identification value is
    only meaningful when DF=0. This allows nonfragmented/nonfragmentable traffic
    ('atomic', per that RFC) to use arbitrary ID values including values that 
    repeat within 2MSL. Use of uninteresting fixed ID values for atomic traffic
    (e.g., ID=0) eliminates information leakage
    attacks for that traffic. However,
    [RFC6864] does not introduce any new security and privacy
    considerations for setting the Identification field.


> P.S.: This I-D aside, I don't think setting the ID to non-zero for DF ==
> 0 limits the data rate: 

RFC6994 explains what happens if the packet is non-atomic, i.e., it is
susceptible to reassembly errors if the ID repeats within an IP flow
(src, dst, next proto) within the amount of reordering experienced.

The limit is a function of the amount of reordering, which can depend on
the data rate, e.g., if reordering is the result of fixed time delays
between multiple paths.


> compliant boxes will not fragment the packets
> anyway,
That's for DF=1.


>  so for them this is the same as setting the ID to 0. For
> non-compliant boxes that do fragment packets when DF=1, you reduce the
> chances of frag id collisions at the receiving end...

If you really meant "setting the ID for DF=1/MF=0", i.e., setting the ID
on atomic packets, then see above- yes, there is a limit to reuse of
those IDs if you intend that they are useful for reassembly --
regardless of whether that's for compliant processing of DF=0 or
DF=1/MF=1 (non-atomic) or for non-compliant processing of DF=1/MF=0
(atomic).

>
> Thanks!
>
> Cheers,


From nobody Mon Jul 11 04:04:00 2016
To: Joe Touch <touch@isi.edu>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <57837AD5.4000702@si6networks.com>
Date: Mon, 11 Jul 2016 12:54:13 +0200
In-Reply-To: <578332E8.9020302@isi.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/59JGnxyVieTBE4uYwL2gnsJB7uI>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

Hi, Joe,

On 07/11/2016 07:47 AM, Joe Touch wrote:
>> How about something like:
>>
>> February 2013:
>>     [RFC6864] updates [RFC0791] such that the Identification value is
>>     only meaningful when DF=0. This eliminates e.g. information leakage
>>     attacks when the corresponding traffic is not fragmented. However,
>>     [RFC6864] does not introduce any security and privacy
>>     considerations for setting the Identification field.
>>
>> ?
>> (please suggest tweaks if necessary)
> 
>     [RFC6864] updates [RFC0791] such that the IPv4 Identification value is
>     only meaningful when DF=0. This allows nonfragmented/nonfragmentable traffic
>     ('atomic', per that RFC) to use arbitrary ID values including values that 
>     repeat within 2MSL. Use of uninteresting fixed ID values for atomic traffic
>     (e.g., ID=0) eliminates information leakage
>     attacks for that traffic. However,
>     [RFC6864] does not introduce any new security and privacy
>     considerations for setting the Identification field.

I'm fine with the above text. However, the part that says:
     "Use of uninteresting fixed ID values for atomic traffic
     (e.g., ID=0) eliminates information leakage
     attacks for that traffic."

seems misleading. A host could still set the ID with an algorithm that
leaks information. That is, RFC6864 still leaves this unspecified,
because it doesn't say "set it to 0 when DF=1".



>> P.S.: This I-D aside, I don't think setting the ID to non-zero for DF ==
>> 0 limits the data rate: 
> 
> RFC6994 explains what happens if the packet is non-atomic, i.e., it is
> susceptible to reassembly errors if the ID repeats within an IP flow
> (src, dst, next proto) within the amount of reordering experienced.

Not just reordering, but also packet loss. If a fragment gets lost, then
that Frag ID is trashed for 60 secs.


>> compliant boxes will not fragment the packets
>> anyway,
> That's for DF=1.
> 
> 
>>  so for them this is the same as setting the ID to 0. For
>> non-compliant boxes that do fragment packets when DF=1, you reduce the
>> chances of frag id collisions at the receiving end...
> 
> If you really meant "setting the ID for DF=1/MF=0", i.e., setting the ID
> on atomic packets, then see above- yes, there is a limit to reuse of
> those IDs if you intend that they are useful for reassembly --
> regardless of whether that's for compliant processing of DF=0 or
> DF=1/MF=1 (non-atomic) or for non-compliant processing of DF=1/MF=0
> (atomic).

I meant that, yes. In that case, from an interoperability pov, setting
the ID regardless of DF will still be better than setting it to a
constant value. If the packet does not get fragmented, no improvements
or drawbacks. But if it does get fragmented, you'll certainly have lower
probability of collisions by setting the ID to a different value for
each packet than setting it to a constant value (e.g., "0").

Setting it to a constant value essentially guarantees that if the packet
is non-compliant-ly fragmented en-route, there will be a frag id collision.

So I don't see the drawback of just always setting the Frag ID,
regardless of DF.

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Mon Jul 11 17:11:07 2016
To: Fernando Gont <fgont@si6networks.com>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <57843532.6090708@isi.edu>
Date: Mon, 11 Jul 2016 17:09:22 -0700
In-Reply-To: <57837AD5.4000702@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/N7EgHjtNsAkuFTkm0HdYkdDJxpE>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 7/11/2016 3:54 AM, Fernando Gont wrote:
> Hi, Joe,
>
> On 07/11/2016 07:47 AM, Joe Touch wrote:
>>> How about something like:
>>>
>>> February 2013:
>>>     [RFC6864] updates [RFC0791] such that the Identification value is
>>>     only meaningful when DF=0. This eliminates e.g. information leakage
>>>     attacks when the corresponding traffic is not fragmented. However,
>>>     [RFC6864] does not introduce any security and privacy
>>>     considerations for setting the Identification field.
>>>
>>> ?
>>> (please suggest tweaks if necessary)
>>     [RFC6864] updates [RFC0791] such that the IPv4 Identification value is
>>     only meaningful when DF=0. This allows nonfragmented/nonfragmentable traffic
>>     ('atomic', per that RFC) to use arbitrary ID values including values that 
>>     repeat within 2MSL. Use of uninteresting fixed ID values for atomic traffic
>>     (e.g., ID=0) eliminates information leakage
>>     attacks for that traffic. However,
>>     [RFC6864] does not introduce any new security and privacy
>>     considerations for setting the Identification field.
> I'm fine with the above text. However, the part that says:
>      "Use of uninteresting fixed ID values for atomic traffic
>      (e.g., ID=0) eliminates information leakage
>      attacks for that traffic."
>
> seems misleading. A host could still set the ID with an algorithm that
> leaks information. That is, RFC6864 still leaves this unspecified,
> because it doesn't say "set it to 0 when DF=1".
It is 6864 which permits the use of a non-varying value when DF=0 and
not already source fragmented.

Yes, given this doc doesn't introduce new info, it might be OK to drop
that, though.

(note - that does beg the rationale for this draft in the first place.
there seems no utility in merely documenting the history of the mistakes
people have made per se)

>
>>> P.S.: This I-D aside, I don't think setting the ID to non-zero for DF ==
>>> 0 limits the data rate: 
>> RFC6994 explains what happens if the packet is non-atomic, i.e., it is
>> susceptible to reassembly errors if the ID repeats within an IP flow
>> (src, dst, next proto) within the amount of reordering experienced.
> Not just reordering, but also packet loss. If a fragment gets lost, then
> that Frag ID is trashed for 60 secs.

6864 allows reuse within the expected reordering interval. Note that
*expected* reordering is not the actual; presumably, most actual
reordering would be smaller.

>>> compliant boxes will not fragment the packets
>>> anyway,
>> That's for DF=1.
and all of IPv6...


>>
>>
>>>  so for them this is the same as setting the ID to 0. For
>>> non-compliant boxes that do fragment packets when DF=1, you reduce the
>>> chances of frag id collisions at the receiving end...
>> If you really meant "setting the ID for DF=1/MF=0", i.e., setting the ID
>> on atomic packets, then see above- yes, there is a limit to reuse of
>> those IDs if you intend that they are useful for reassembly --
>> regardless of whether that's for compliant processing of DF=0 or
>> DF=1/MF=1 (non-atomic) or for non-compliant processing of DF=1/MF=0
>> (atomic).
> I meant that, yes. In that case, from an interoperability pov, setting
> the ID regardless of DF will still be better than setting it to a
> constant value. If the packet does not get fragmented, no improvements
> or drawbacks
> .
It has a cost, though - you should not reuse those IDs within your
expected max reordering interval. That, coupled with the size of the ID
field, sets a limit on packet generation.

If the packets are atomic, there is no such limit *because* the ID field
is meaningless.

>  . But if it does get fragmented, you'll certainly have lower
> probability of collisions by setting the ID to a different value for
> each packet than setting it to a constant value (e.g., "0").
Any device that ignores the DF=1 bit might also ignore the ID and
overwrite it. All bets are off as to what it is doing.

And there is zero utility in documenting noncompliant behavior of this
sort unless it is first aimed at correcting that as a bug.


> Setting it to a constant value essentially guarantees that if the packet
> is non-compliant-ly fragmented en-route, there will be a frag id collision.

Only if the fragments are also reordered, FWIW.
> So I don't see the drawback of just always setting the Frag ID,
> regardless of DF.

It limits your effective throughput, which is why the need to do so was
deprecated in RFC6864.

Joe
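
The points argued in the messages above (a constant ID on packets that get fragmented en route, the role of reordering, and the rate limit implied by a 16-bit ID) can be reproduced with a toy reassembler. This is an added example, not part of any message in the thread; the addresses, payloads, 8-byte fragment size, 1500-byte packet size and the minimal reassembly model are assumptions.

```python
"""Toy IPv4 reassembly keyed on (src, dst, proto, ID).

Constructed illustration: addresses, payloads and fragment sizes are made up,
and the reassembler is a minimal model, not the code of any real IP stack.
"""
from collections import namedtuple

# offset is kept in bytes for readability (the wire format uses 8-byte units).
Fragment = namedtuple("Fragment", "src dst proto ident offset mf payload")

SRC, DST, PROTO = "192.0.2.1", "198.51.100.7", 17   # constructed flow (UDP)
A = b"AAAAAAAAaaaaaaaa"                              # constructed datagram 1
B = b"BBBBBBBBbbbbbbbb"                              # constructed datagram 2


def fragment(ident, payload, size=8):
    """Split one datagram into fragments carrying `size` payload bytes each."""
    frags = []
    for off in range(0, len(payload), size):
        more = off + size < len(payload)             # MF=1 on all but the last
        frags.append(Fragment(SRC, DST, PROTO, ident, off, more,
                              payload[off:off + size]))
    return frags


def reassemble(arrivals):
    """Return the datagram payloads delivered, in delivery order."""
    buffers = {}      # flow+ID key -> {"parts": {offset: bytes}, "total": int}
    delivered = []
    for f in arrivals:
        key = (f.src, f.dst, f.proto, f.ident)
        buf = buffers.setdefault(key, {"parts": {}, "total": None})
        buf["parts"].setdefault(f.offset, f.payload)  # first copy of an offset wins
        if not f.mf:                                  # last fragment fixes the length
            buf["total"] = f.offset + len(f.payload)
        if buf["total"] is None:
            continue
        # Deliver once the stored parts cover [0, total) without a hole.
        data, pos = b"", 0
        while pos in buf["parts"]:
            data += buf["parts"][pos]
            pos += len(buf["parts"][pos])
        if pos == buf["total"]:
            delivered.append(data)
            del buffers[key]
    return delivered


def run(id_a, id_b, reorder):
    """Send datagrams A and B with the given IDs, optionally interleaved."""
    a, b = fragment(id_a, A), fragment(id_b, B)
    arrivals = [a[0], b[1], b[0], a[1]] if reorder else a + b
    return reassemble(arrivals)


def max_rate_bps(reuse_interval_s, packet_bytes):
    """Upper bound on throughput per (src, dst, proto) when every ID must stay
    unique for `reuse_interval_s` seconds: 2**16 packets per interval."""
    return 2 ** 16 * packet_bytes * 8 / reuse_interval_s


if __name__ == "__main__":
    print("constant ID, in order :", run(0, 0, reorder=False))
    print("constant ID, reordered:", run(0, 0, reorder=True))
    print("distinct IDs, reordered:", run(1, 2, reorder=True))
    # 60 s is the reassembly timeout figure quoted in the thread; 1500 bytes
    # is an assumed packet size.
    print("rate bound (bit/s):", max_rate_bps(60, 1500))
```

With a constant ID the two datagrams survive in-order delivery but are spliced into each other once their fragments interleave; with distinct IDs the same interleaving reassembles correctly, at the cost of the per-flow rate bound.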


From nobody Mon Jul 11 18:09:40 2016
From: Christian Huitema <huitema@microsoft.com>
To: Joe Touch <touch@isi.edu>, Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
Date: Tue, 12 Jul 2016 01:09:31 +0000
Message-ID: <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu>
In-Reply-To: <57843532.6090708@isi.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=huitema@microsoft.com; 
x-originating-ip: [2001:4898:80e8:d::14d]
x-ms-office365-filtering-correlation-id: 65a1fd80-101d-406b-0c57-08d3a9f12eae
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/LM67S3kIe5tUEjSxX1gJYnxLEyo>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?iso-8859-1?Q?Iv=E1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On Monday, July 11, 2016 5:09 PM, Joe Touch wrote:
>
> ...
> (note - that does beg the rationale for this draft in the first place.
> there seems no utility in merely documenting the history of the mistakes
> people have made per se)

Actually, during the previous presentation in SAAG, there was a clear consensus that documenting past mistakes *is* interesting.

OTOH, the draft needs to document something else besides IP and TCP issues. Otherwise, the draft seems to be picking on TCP-IP. Plus, if the point is to show that many people are making the same mistakes, then the draft should have a variety of examples.

-- Christian Huitema




From nobody Mon Jul 11 20:11:13 2016
To: Christian Huitema <huitema@microsoft.com>, Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <57845FA0.2060503@isi.edu>
Date: Mon, 11 Jul 2016 20:10:24 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/TZZyY9V2C6KD9-IbGS1SAzAye3Q>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 7/11/2016 6:09 PM, Christian Huitema wrote:
> On Monday, July 11, 2016 5:09 PM, Joe Touch wrote:
>> ...
>> (note - that does beg the rationale for this draft in the first place.
>> there seems no utility in merely documenting the history of the mistakes
>> people have made per se)
> Actually, during the previous presentation in SAAG, there was a clear consensus that documenting past mistakes *is* interesting.

To what end, other than consuming cycles?

If there's a broader purpose, more information is needed (e.g., whether
each issue is incorrect to the spec, highlights a spec ambiguity, or
is correct to spec but creates a vulnerability anyway).

E.g., see RFC2525

> OTOH, the draft needs to document something else besides IP and TCP issues. Otherwise, the draft seems to be picking on TCP-IP. Plus, if the point is to show that many people are making the same mistakes, then the draft should have a variety of examples.

Multiple examples do not provide information unless there's a pattern
(see above).

Joe


From nobody Mon Jul 11 23:41:53 2016
To: "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <57845FA0.2060503@isi.edu>
From: Programa STIC <stic@fundacionsadosky.org.ar>
Message-ID: <6651b3d3-5233-2368-b1f3-a6abd935ab5a@fundacionsadosky.org.ar>
Date: Tue, 12 Jul 2016 03:43:21 -0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 Lightning/4.7.1.1
MIME-Version: 1.0
In-Reply-To: <57845FA0.2060503@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Rnb-UHdlIO3t3S5Qp5zxd0ansP0>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 12/7/16 at 0:10, Joe Touch wrote:
> 
> E.g., see RFC2525
> 

RFC 2525 is specific to TCP problems only. What we are trying to point
out is that there is a type of problem, namely the use of naive/weak
algorithms to generate values for ID fields in various protocols, that
ends up creating security and/or privacy issues.


>> OTOH, the draft needs to document something else besides IP and TCP
>> issues. Otherwise, the draft seems to be picking on TCP-IP. Plus,
>> if the point is to show that many people are making the same
>> mistakes, then the draft should have a variety of examples.
> 
> Multiple examples do not provide information unless there's a
> pattern (see above).
> 
> Joe
> 

There is a pattern. The same problem re-occurred at different working
groups and network layers over 30+ years. Off the top of my head:

TCP ISN, DNS TxID, ONC RPC XID, IPv4 IP ID, IPv6 FragID, IPv6 IIDs,
NetBIOS NBNS TransactionID, IKE fragmentation ID, RTP sequence number,
NFS file handles.

Documenting past mistakes and showing that the same issue appeared over
and over was deemed useful to justify the need for a set of consistent
rules that provide guidance for the use of dynamically generated values
in ID fields in ways that minimize security & privacy risk.

"Those who don't know history are doomed to repeat it."
- Edmund Burke


cheers,

-ivan






-- 
Programa de Seguridad en TIC
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TE/FAX: 4328-5164
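
The pattern named in the message above (naive generation of values for ID fields), sketched as an added example that is not part of the thread or of the draft: a shared counter and a CSPRNG-backed generator are sampled the way a single peer would see them, and an audit scores the samples for counter-like structure. The 16-bit width, the class and function names, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
import secrets
from collections import Counter

ID_BITS = 16                  # assumed field width (DNS TxID and IPv4 IP ID are 16 bits)
ID_SPACE = 1 << ID_BITS


class GlobalCounterIds:
    """Naive generator: one shared counter, bumped for every ID issued."""

    def __init__(self, start=0):
        self._next = start % ID_SPACE

    def new_id(self):
        value = self._next
        self._next = (self._next + 1) % ID_SPACE
        return value


class RandomIds:
    """Hardened generator: every ID drawn independently from the OS CSPRNG."""

    def new_id(self):
        return secrets.randbelow(ID_SPACE)


def observe(gen, samples, issued_elsewhere):
    """Return the IDs one peer receives.

    issued_elsewhere is a constructed, repeating list: entry i says how many
    IDs the generator hands to other peers after the i-th observed one.
    """
    seen = []
    for i in range(samples):
        seen.append(gen.new_id())
        for _ in range(issued_elsewhere[i % len(issued_elsewhere)]):
            gen.new_id()
    return seen


def audit(ids, small_step=64, threshold=0.5):
    """Score a sample of consecutive IDs for counter-like structure."""
    if len(ids) < 2:
        raise ValueError("need at least two IDs")
    # Differences are taken modulo the field size so wrap-around is handled.
    deltas = [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]
    top_delta, top_count = Counter(deltas).most_common(1)[0]
    # Share of steps equal to the single most common step (constant increment).
    repeat_fraction = top_count / len(deltas)
    # Share of small forward steps (a counter that also serves other peers).
    small_fraction = sum(1 for d in deltas if 0 < d <= small_step) / len(deltas)
    return {
        "top_delta": top_delta,
        "repeat_fraction": repeat_fraction,
        "small_fraction": small_fraction,
        "predictable": repeat_fraction > threshold or small_fraction > threshold,
    }


def run_demo():
    # Constructed scenarios: an idle counter near wrap-around, a counter that
    # also serves other peers, and the random generator.
    quiet = observe(GlobalCounterIds(start=65530), 50, [0])
    busy = observe(GlobalCounterIds(), 200, [0, 3, 1, 7, 2])
    rand = observe(RandomIds(), 500, [0])
    return {
        "counter_quiet": audit(quiet),
        "counter_busy": audit(busy),
        "random": audit(rand),
    }


if __name__ == "__main__":
    for name, report in run_demo().items():
        print(name, report)
```

The busy counter shows why a constant-increment test alone is not enough: no single step dominates, yet every step is a small forward one, so the audit still flags it.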


From nobody Tue Jul 12 00:08:09 2016
To: Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FF2F9.8000108@si6networks.com>
From: Dave Crocker <dhc2@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <2afcc910-75a8-f7ba-1d45-fdc89538cf24@dcrocker.net>
Date: Tue, 12 Jul 2016 08:07:54 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <577FF2F9.8000108@si6networks.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/YGaejHb4j76eFfM04sb_2DeUgIs>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
Reply-To: dcrocker@bbiw.net

On 7/8/2016 7:37 PM, Fernando Gont wrote:
> Yes. We're planning to at least add one more example: DNS TxID... But we
> could also add others (e.g., transport protocol numbers).


Are there any examples from application-level protocols that work here?

I'm not immediately thinking of any, but suspect it would help the 
utility of the document's goal as pedagogy to include an example from 
that part of the stack, if possible.

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net


From nobody Tue Jul 12 02:07:06 2016
To: Joe Touch <touch@isi.edu>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <57845FA0.2060503@isi.edu>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <5784B329.6080601@si6networks.com>
Date: Tue, 12 Jul 2016 11:06:49 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <57845FA0.2060503@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6CjfSn3t3dZMwcYHePLSxbKihXc>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 07/12/2016 05:10 AM, Joe Touch wrote:
> 
> 
> On 7/11/2016 6:09 PM, Christian Huitema wrote:
>> On Monday, July 11, 2016 5:09 PM, Joe Touch wrote:
>>> ... (note - that does beg the rationale for this draft in the
>>> first place. there seems no utility in merely documenting the
>>> history of the mistakes people have made per se)
>> Actually, during the previous presentation in SAAG, there was a
>> clear consensus that documenting past mistakes *is* interesting.
> 
> To what end, other than consuming cycles?

"those who ignore history are doomed to repeat it".



> If there's a broader purpose, more information is needed (e.g.,
> whether each issue is incorrect to the spec, highlights a spec
> ambiguity, or is correct to spec but creates a vulnerability
> anyway).

Will clarify this in the next rev. Thanks for the input!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Tue Jul 12 02:37:42 2016
Date: Tue, 12 Jul 2016 11:37:18 +0200
Message-ID: <m260sbw629.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <5784B329.6080601@si6networks.com>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <57845FA0.2060503@isi.edu> <5784B329.6080601@si6networks.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fmIETS8ONCqxqhKRcX6KYgjtsL4>
Cc: Christian Huitema <huitema@microsoft.com>, "privsec-program@iab.org" <privsec-program@iab.org>, "saag@ietf.org" <saag@ietf.org>, Iván Arce <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

>> To what end, other than consuming cycles?
> "those who ignore history are doomed to repeat it".

cf post by watson ladd


From nobody Tue Jul 12 07:35:19 2016
To: "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FF2F9.8000108@si6networks.com> <2afcc910-75a8-f7ba-1d45-fdc89538cf24@dcrocker.net>
From: Programa STIC <stic@fundacionsadosky.org.ar>
Message-ID: <6bed1f78-de0e-8237-2f5d-ba3d5b44a13d@fundacionsadosky.org.ar>
Date: Tue, 12 Jul 2016 10:45:21 -0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 Lightning/4.7.1.1
MIME-Version: 1.0
In-Reply-To: <2afcc910-75a8-f7ba-1d45-fdc89538cf24@dcrocker.net>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FvXMeVkYKcb-Mw8lHCAs1CKutpI>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 12/7/16 at 4:07, Dave Crocker wrote:
> On 7/8/2016 7:37 PM, Fernando Gont wrote:
>> Yes. We're planning to at least add one more example: DNS TxID... But we
>> could also add others (e.g., transport protocol numbers).
> 
> 
> Are there any examples from application-level protocols that work here?
> I'm not immediately thinking of any, but suspect it would help the
> utility of the document's goal as pedagogy to include an example from
> that part of the stack, if possible.
>
> d/
>


Predictable session IDs at the web app session level have plagued web
apps and frameworks. Use of predictable numeric IDs in URL query string
parameters has caused a lot of issues too, especially in web applications
with authentication but without authorization.

I am not sure we want to include examples of web app layer stuff; it seems
like opening another big Pandora's box.

-ivan


-- 
Programa de Seguridad en TIC
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TE/FAX: 4328-5164


From nobody Tue Jul 12 08:20:24 2016
To: Fernando Gont <fgont@si6networks.com>, Christian Huitema <huitema@microsoft.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <57845FA0.2060503@isi.edu> <5784B329.6080601@si6networks.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <5785044D.5030008@isi.edu>
Date: Tue, 12 Jul 2016 07:53:01 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <5784B329.6080601@si6networks.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/J_XJF-oC42-fx_skqCv5TGw50gE>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 7/12/2016 2:06 AM, Fernando Gont wrote:
> On 07/12/2016 05:10 AM, Joe Touch wrote:
>>
>> On 7/11/2016 6:09 PM, Christian Huitema wrote:
>>> On Monday, July 11, 2016 5:09 PM, Joe Touch wrote:
>>>> ... (note - that does beg the rationale for this draft in the
>>>> first place. there seems no utility in merely documenting the
>>>> history of the mistakes people have made per se)
>>> Actually, during the previous presentation in SAAG, there was a
>>> clear consensus that documenting past mistakes *is* interesting.
>> To what end, other than consuming cycles?
> "those who ignore history are doomed to repeat it".

The problem is that this is repeating history. At least from 2009.

Joe


From nobody Tue Jul 12 08:33:50 2016
To: Programa STIC <stic@fundacionsadosky.org.ar>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FF2F9.8000108@si6networks.com> <2afcc910-75a8-f7ba-1d45-fdc89538cf24@dcrocker.net> <6bed1f78-de0e-8237-2f5d-ba3d5b44a13d@fundacionsadosky.org.ar>
From: Dave Crocker <dhc2@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <cafe3302-551a-1e5e-b61e-452c4387e8ed@dcrocker.net>
Date: Tue, 12 Jul 2016 16:13:24 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <6bed1f78-de0e-8237-2f5d-ba3d5b44a13d@fundacionsadosky.org.ar>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/a7ImfIN1So2EqprEGczSUoGgym4>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
Reply-To: dcrocker@bbiw.net

On 7/12/2016 2:45 PM, Programa STIC wrote:
> I am not sure we want to include examples of web app layer stuff, seem
> like opening another big pandora's box


attending to strings that might be problematic by helping pervasive 
monitoring at one layer of the stack is not very useful if the same 
problem is ignored at another layer.

this sort of privacy concern needs to receive (forgive the pun) pervasively.

it's a version of the basic lesson of interoperability, which teaches that 
all components in the sequence have to conform to all of the same 
protocol conventions.  the version here is that seeking meaningful 
privacy means attending to all occurrences of information that might 
enable identifying an actor.

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net


From nobody Tue Jul 12 08:38:39 2016
To: "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <57845FA0.2060503@isi.edu> <5784B329.6080601@si6networks.com> <5785044D.5030008@isi.edu>
From: Programa STIC <stic@fundacionsadosky.org.ar>
Message-ID: <9915c71c-84a8-c0a5-7803-b6c49e6a8265@fundacionsadosky.org.ar>
Date: Tue, 12 Jul 2016 12:26:07 -0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 Lightning/4.7.1.1
MIME-Version: 1.0
In-Reply-To: <5785044D.5030008@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/DDgjG5ggNOXO5MUBlvjeEAhNo50>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

Hello Joe

On 12/7/16 at 11:53, Joe Touch wrote:
>>> To what end, other than consuming cycles?
>> "those who ignore history are doomed to repeat it".
> 
> The problem is that this is repeating history. At least from 2009.
> 

Can you elaborate?

Is there a document already detailing the security and privacy problems
of using predictable values in numeric id fields in many network protocols?


-ivan

-- 
Programa de Seguridad en TIC
Fundación Dr. Manuel Sadosky
Av. Córdoba 744 Piso 5 Oficina I
TE/FAX: 4328-5164


From nobody Tue Jul 12 09:39:01 2016
Date: 12 Jul 2016 16:38:36 -0000
Message-ID: <20160712163836.32515.qmail@ary.lan>
From: "John Levine" <johnl@taugh.com>
To: saag@ietf.org
In-Reply-To: <5784B329.6080601@si6networks.com>
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Rvc6_PT_dcl1bbJRyWsbgURnGR0>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

>>>> ... (note - that does beg the rationale for this draft in the
>>>> first place. there seems no utility in merely documenting the
>>>> history of the mistakes people have made per se)
>>> Actually, during the previous presentation in SAAG, there was a
>>> clear consensus that documenting past mistakes *is* interesting.
>> 
>> To what end, other than consuming cycles?
>
>"those who ignore history are doomed to repeat it".

"History repeats itself, first as tragedy, then as farce."

R's,
John


From nobody Tue Jul 12 10:38:17 2016
To: Programa STIC <stic@fundacionsadosky.org.ar>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <57845FA0.2060503@isi.edu> <5784B329.6080601@si6networks.com> <5785044D.5030008@isi.edu> <9915c71c-84a8-c0a5-7803-b6c49e6a8265@fundacionsadosky.org.ar>
From: Joe Touch <touch@isi.edu>
Message-ID: <57852AEC.5010104@isi.edu>
Date: Tue, 12 Jul 2016 10:37:48 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <9915c71c-84a8-c0a5-7803-b6c49e6a8265@fundacionsadosky.org.ar>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/VkkuZifSJazP18pqjZWZn9pDKdA>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

On 7/12/2016 8:26 AM, Programa STIC wrote:
> On 12/7/16 at 11:53, Joe Touch wrote:
>>>> To what end, other than consuming cycles?
>>> "those who ignore history are doomed to repeat it".
>>
>> The problem is that this is repeating history. At least from 2009.
>>
> Can you elaborate?

I'm referring to the general process of generating documents that
describe "existing deployment" problems without committing to whether
they are buggy/incorrect implementations.

> Is there a document already detailing the security and privacy problems
> of using predictable values in numeric id fields in many network protocols

There are more than a few that already deal with this issue for host
identification.

Joe


From nobody Tue Jul 12 12:37:38 2016
Sender: Ivan Arce <iarce@fundacionsadosky.org.ar>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <57845FA0.2060503@isi.edu> <5784B329.6080601@si6networks.com> <5785044D.5030008@isi.edu> <9915c71c-84a8-c0a5-7803-b6c49e6a8265@fundacionsadosky.org.ar> <57852AEC.5010104@isi.edu>
To: "saag@ietf.org" <saag@ietf.org>
From: Programa STIC <stic@fundacionsadosky.org.ar>
Organization: =?UTF-8?Q?Fundaci=c3=b3n_Dr._Manuel_Sadosky?=
Message-ID: <6a433c30-1df8-62a1-3680-95301fc49aa7@fundacionsadosky.org.ar>
Date: Tue, 12 Jul 2016 16:39:04 -0300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.1.1 Lightning/4.7.1.1
MIME-Version: 1.0
In-Reply-To: <57852AEC.5010104@isi.edu>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/deygIruCtvcja-hsRrcG2Wg6_Zs>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
Reply-To: stic@fundacionsadosky.org.ar

On 12/7/16 at 14:37, Joe Touch wrote:
> 
> 
> On 7/12/2016 8:26 AM, Programa STIC wrote:
>> On 12/7/16 at 11:53, Joe Touch wrote:
>>>>> To what end, other than consuming cycles?
>>>> "those who ignore history are doomed to repeat it".
>>>
>>> The problem is that this is repeating history. At least from 2009.
>>>
>> Can you elaborate?
> 
> I'm referring to the general process of generating documents that
> describe "existing deployment" problems without committing to whether
> they are buggy/incorrect implementations.

Sorry I am not understanding your point.

We have split an original I-D in 3 as suggested at IETF95:

- One is informational and describes existing problems in various
protocols and known attacks that exploited those problems.

- One seeks to be BCP and provides specific algorithms that generate
numeric ids taking into consideration security, privacy and
interoperability issues. It provides guidance to protocol designers and
implementers.

- One seeks to update RFC 3552 to indicate that authors of RFCs
specifying numeric id fields with dynamically generated values should
consider the (above) BCP to select algorithms that provide proper
balance between interop and security & privacy.

Is it your opinion that the first document of the list above (which is what
originated this thread) should not exist?

>> Is there a document already detailing the security and privacy problems
>> of using predictable values in numeric id fields in many network protocols
> 
> There are more than a few that already deal with this issue for host
> identification.
> 

Could you please provide the corresponding references?

thanks,
-ivan





From nobody Tue Jul 12 13:54:32 2016
From: Paul Lambert <paul@marvell.com>
To: Christian Huitema <huitema@microsoft.com>, Joe Touch <touch@isi.edu>, Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
Date: Tue, 12 Jul 2016 20:54:22 +0000
Message-ID: <D3AAA4E9.993B5%paul@marvell.com>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com>
In-Reply-To: <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/14.6.5.160527
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <27DF6E11D7A9CE4892F9934253BFA0D2@marvell.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1liDyG8CHjg958UVBSBJP6OQRlo>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?Windows-1252?Q?Iv=E1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)

>>
>> ...
>> (note - that does beg the rationale for this draft in the first place.
>> there seems no utility in merely documenting the history of the mistakes
>> people have made per se)
>
>Actually, during the previous presentation in SAAG, there was a clear
>consensus that documenting past mistakes *is* interesting.

Yes - this is interesting, especially if there can also be clarity on
action items to fix identified problems.

>
>OTOH, the draft needs to document something else besides IP and TCP
>issues.

One of my favorite 'privacy issues' is in IPsec RFC 4301:
	"Search the SAD for a match on the combination of SPI, destination
address, and source address."

IMHO the binding of the security association explicitly to the src/dst IP
addresses creates NATing problems and prevents interesting onion routing
like implementations that would hide the end addresses.  For best common
practice for any security protocol there should be no explicit binding of
visible addresses to the identifiers for encrypted information.

Paul


From nobody Tue Jul 12 14:12:35 2016
From: Paul Lambert <paul@marvell.com>
To: Christian Huitema <huitema@microsoft.com>, Joe Touch <touch@isi.edu>, Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
Date: Tue, 12 Jul 2016 21:12:13 +0000
Message-ID: <D3AAA903.993D5%paul@marvell.com>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com>
In-Reply-To: <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.6.5.160527
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.94.250.30]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <6ADC61602BFA56498756C8CB6AB5CF53@marvell.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-07-12_09:, , signatures=0
X-Proofpoint-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607120195
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zGxsyB9wSeKR4x_tOPT-JvynkZQ>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?iso-8859-1?Q?Iv=E1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-List-Received-Date: Tue, 12 Jul 2016 21:12:30 -0000

>
>OTOH, the draft needs to document something else besides IP and TCP
>issues. Otherwise, the draft seems to be picking on TCP-IP.

While not an IETF specification, the NIST SP 800-56A Recommendation for
Pair-Wise Key Establishment Schemes is indicative of mistakes in protocol
design that institutionalize privacy issues.  Specifically, the document
provides a detailed list of possible key exchanges - none of which protect
the long term identity (static key) from third party observation.  For
some reason, the specification for all proposed key exchanges sends the
static keys first.  Best practice would suggest that passive observation
of long term identities (the static keys) could be prevented by always
sending the ephemeral keys first and then encrypting the transfer of the
static keys (which are often embodied in a certificate).

Paul
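
The ordering argument in the message above, as an added example that is not part of the original post and is not code from NIST SP 800-56A: it compares what a passive observer can link across sessions when static public keys are sent in the clear versus when ephemeral keys go first and the static key is encrypted under the ephemeral secret. The toy Diffie-Hellman group (P, G), the hash-based stream cipher and all function names are assumptions chosen for brevity.

```python
"""Constructed illustration: message ordering in a key exchange."""
import hashlib
import secrets

# Assumption: toy Diffie-Hellman group picked for brevity, NOT a secure choice.
P = 2**255 - 19
G = 2


def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def enc(n):
    """Fixed-width wire encoding of a group element."""
    return n.to_bytes(32, "big")


def kdf(shared, label):
    """Derive a direction-specific key from the shared DH value."""
    return hashlib.sha256(label + enc(shared)).digest()


def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode); confidentiality only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def static_first(static_a, static_b):
    """Ordering the message objects to: static public keys cross in clear."""
    _, eph_a = keypair()
    _, eph_b = keypair()
    wire = [enc(static_a[1]), enc(eph_a), enc(static_b[1]), enc(eph_b)]
    return wire, static_a[1]  # B reads A's static key straight off the wire


def ephemeral_first(static_a, static_b):
    """Ordering the message recommends: ephemerals first, statics encrypted."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    wire = [enc(a_pub), enc(b_pub)]
    shared_a = pow(b_pub, a_priv, P)  # computed by A
    shared_b = pow(a_pub, b_priv, P)  # computed by B, same value
    # Separate keys per direction so the two ciphertexts never share a pad.
    ct_a = keystream_xor(kdf(shared_a, b"a->b"), enc(static_a[1]))
    ct_b = keystream_xor(kdf(shared_b, b"b->a"), enc(static_b[1]))
    wire += [ct_a, ct_b]
    # B decrypts with its own copy of the secret and recovers A's static key.
    learned = int.from_bytes(keystream_xor(kdf(shared_b, b"a->b"), ct_a), "big")
    return wire, learned


def recurring_values(sessions):
    """Passive observer: wire values that appear in every captured session."""
    common = set(sessions[0])
    for wire in sessions[1:]:
        common &= set(wire)
    return common


if __name__ == "__main__":
    alice, bob = keypair(), keypair()
    sf = [static_first(alice, bob)[0] for _ in range(3)]
    ef = [ephemeral_first(alice, bob)[0] for _ in range(3)]
    print("static-first, values seen in every session:", len(recurring_values(sf)))
    print("ephemeral-first, values seen in every session:", len(recurring_values(ef)))
```

The ephemeral exchange in this sketch is unauthenticated, so it hides the static keys from passive observation only, which is the threat the message names.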



From nobody Tue Jul 12 14:15:15 2016
Return-Path: <touch@isi.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 504D512D90B; Tue, 12 Jul 2016 14:15:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.186
X-Spam-Level: 
X-Spam-Status: No, score=-8.186 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A3LFXX9cjqwh; Tue, 12 Jul 2016 14:15:12 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A56C12D911; Tue, 12 Jul 2016 14:15:09 -0700 (PDT)
Received: from [128.9.184.102] ([128.9.184.102]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id u6CLF0O9009511 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 12 Jul 2016 14:15:00 -0700 (PDT)
To: Paul Lambert <paul@marvell.com>, Christian Huitema <huitema@microsoft.com>, Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <D3AAA4E9.993B5%paul@marvell.com>
From: Joe Touch <touch@isi.edu>
Message-ID: <57855DD2.4010902@isi.edu>
Date: Tue, 12 Jul 2016 14:14:58 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <D3AAA4E9.993B5%paul@marvell.com>
Content-Type: multipart/alternative; boundary="------------010309070708060400010207"
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/rq3Q7mKZfryhA2PcPZ8Y8eZSkfE>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-List-Received-Date: Tue, 12 Jul 2016 21:15:14 -0000

This is a multi-part message in MIME format.
--------------010309070708060400010207
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit



On 7/12/2016 1:54 PM, Paul Lambert wrote:
>> Actually, during the previous presentation in SAAG, there was a clear
>> consensus that documenting past mistakes *is* interesting.
> Yes - this is interesting, especially if there can also be clarity on
> action items to fix identified problems.

Having these as separate documents doesn't help that process.

Joe

--------------010309070708060400010207--


From nobody Tue Jul 12 14:26:58 2016
Return-Path: <touch@isi.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E755512D981; Tue, 12 Jul 2016 14:26:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Level: 
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eirftkJcK2F9; Tue, 12 Jul 2016 14:26:51 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA9F412D988; Tue, 12 Jul 2016 14:26:40 -0700 (PDT)
Received: from [128.9.184.102] ([128.9.184.102]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id u6CLPnEE013104 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 12 Jul 2016 14:25:50 -0700 (PDT)
To: stic@fundacionsadosky.org.ar, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <57845FA0.2060503@isi.edu> <5784B329.6080601@si6networks.com> <5785044D.5030008@isi.edu> <9915c71c-84a8-c0a5-7803-b6c49e6a8265@fundacionsadosky.org.ar> <57852AEC.5010104@isi.edu> <6a433c30-1df8-62a1-3680-95301fc49aa7@fundacionsadosky.org.ar>
From: Joe Touch <touch@isi.edu>
Message-ID: <5785605B.4040000@isi.edu>
Date: Tue, 12 Jul 2016 14:25:47 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <6a433c30-1df8-62a1-3680-95301fc49aa7@fundacionsadosky.org.ar>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/HgO7ntbWR5f3dTmlfCPYl59_0no>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-List-Received-Date: Tue, 12 Jul 2016 21:26:52 -0000

On 7/12/2016 12:39 PM, Programa STIC wrote:
> We have split an original I-D in 3 as suggested at IETF95:
>
> - One is informational and describes existing problems in various
> protocols and known attacks that exploited those problems.
>
> - One seeks to be BCP and provides specific algorithms that generate
> numeric ids taking into consideration security, privacy and
> interoperability issues. It provides guidance to protocol designers and
> implementers.
>
> - One seeks to update RFC 3552 to indicate that authors of RFCs
> specifying numeric id fields with dynamically generated values should
> consider the (above) BCP to select algorithms that provide proper
> balance between interop and security & privacy.
>
> Is your opinion that the first document of the list above (which is what
> originated this thread) should not exist?

The problem is in the first doc- you're assuming that the problem is
fixed by using different algs (the second doc) or in how protocols are
spec'd (the third doc), when you haven't explained whether those
problems are implementation errors, specification ambiguities, or
specification errors that give rise to the exploits described.

Joe


From nobody Thu Jul 14 07:54:05 2016
Return-Path: <derek@ihtfp.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89A3612D7CE for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 07:54:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ihtfp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id whXExYMYIBXL for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 07:54:01 -0700 (PDT)
Received: from mail2.ihtfp.org (MAIL2.IHTFP.ORG [204.107.200.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80D1C12D78E for <saag@ietf.org>; Thu, 14 Jul 2016 07:54:01 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail2.ihtfp.org (Postfix) with ESMTP id 3A8DBE200A for <saag@ietf.org>; Thu, 14 Jul 2016 10:53:30 -0400 (EDT)
Received: from mail2.ihtfp.org ([127.0.0.1]) by localhost (mail2.ihtfp.org [127.0.0.1]) (amavisd-maia, port 10024) with ESMTP id 20303-05 for <saag@ietf.org>; Thu, 14 Jul 2016 10:53:28 -0400 (EDT)
Received: from securerf.ihtfp.org (c-50-189-135-154.hsd1.ct.comcast.net [50.189.135.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mocana.ihtfp.org", Issuer "IHTFP Consulting Certification Authority" (verified OK)) by mail2.ihtfp.org (Postfix) with ESMTPS id BBBBEE2040 for <saag@ietf.org>; Thu, 14 Jul 2016 10:53:27 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ihtfp.com; s=default; t=1468508007; bh=HH9tnDV/kDa0bbdgymzv8KzuMR6ngSFIeMUR6wAJRZE=; h=From:To:Cc:Subject:References:Date:In-Reply-To; b=CtOMXcTcp61z4JRnCjpw3EBlefQFkkt93HOnX/AwKZ4x2wi6k79MidyyNFrttoDZx xzU4s4i8PpPPYZttaLNzhBCR1Ti8PIbQAL6vhVM4iNCUIzEN2ytNnthVKYMgkC3v5j 8Qj30tbp4UGmY0vCOL9SI1FaRrJ+YdfhEbjrAJMM=
Received: (from warlord@localhost) by securerf.ihtfp.org (8.15.2/8.14.8/Submit) id u6EErKR1013744; Thu, 14 Jul 2016 10:53:20 -0400
From: Derek Atkins <derek@ihtfp.com>
To: "saag\@ietf.org" <saag@ietf.org>
Cc: 
References: <56F29DE6.50508@cs.tcd.ie> <8F6A4585-80DC-4D20-A1BF-6EA378A4DDFF@callas.org> <CABtrr-UWG7-V4E8SpcL8x9S=usGjDKmD9meOPtuawq40nGYW4w@mail.gmail.com>
Date: Thu, 14 Jul 2016 10:53:14 -0400
In-Reply-To: <CABtrr-UWG7-V4E8SpcL8x9S=usGjDKmD9meOPtuawq40nGYW4w@mail.gmail.com> (Joseph Lorenzo Hall's message of "Sun, 10 Jul 2016 11:18:28 -0400")
Message-ID: <sjm60s8w9t1.fsf@securerf.ihtfp.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: Maia Mailguard 1.0.2a
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5fpS_gaykEYrONAb3BLBGbReVgw>
Subject: Re: [saag] possible BCP on public review being needed for standards-track crypto
X-List-Received-Date: Thu, 14 Jul 2016 14:54:03 -0000

Rich,

Joseph Lorenzo Hall <joe@cdt.org> writes:

> This issues wasRich submitted a -01 to this recently:
> https://tools.ietf.org/html/draft-rsalz-drbg-speck-wap-wep-01

Thank you for the update to -01.  I do have a few comments about section
4:

   o  Algebraic Eraser, prior to its presentation at IETF-xx, received
      little public interest.

I would change this to read:

  Algebraic Eraser, prior to its presentation at IETF-92, received
  little public interest within the IETF.

Rationale for this change: there had been multiple researchers who
explored the technology prior to IETF-92 (and indeed several papers
published back and forth).  It's just that *you* (personally, and within
the IETF in general) had never heard of it before then.  There has been
a *renewed* interest since IETF-92 (with a few more papers on the
subject), but saying "little public interest" prior to that isn't
correct.

   Both of these items are "lattice cryptography" and that might also be
   a reason for lack of review; the field might not have much interest
   yet.

This is not a true statement in many different ways.  Algebraic Eraser
is *NOT* a "lattice" based system -- it's based on Braids, a very
different algebraic structure than lattices.  Moreover, the Crypto
community has been spending a significant amount of time studying LBE --
so much so that they've had whole tracks at Crypto on the topic, so I
would be hard pressed to say that "the field might not have much
interest yet."

I do not have a suggested rewording for this sentence.

-derek

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


From nobody Thu Jul 14 07:54:50 2016
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E54C12D7F0 for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 07:54:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.988
X-Spam-Level: 
X-Spam-Status: No, score=-3.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6hpPibllddT5 for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 07:54:47 -0700 (PDT)
Received: from prod-mail-xrelay08.akamai.com (prod-mail-xrelay08.akamai.com [96.6.114.112]) by ietfa.amsl.com (Postfix) with ESMTP id 9575212D6AA for <saag@ietf.org>; Thu, 14 Jul 2016 07:54:47 -0700 (PDT)
Received: from prod-mail-xrelay08.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id D34E3200067; Thu, 14 Jul 2016 14:54:46 +0000 (GMT)
Received: from prod-mail-relay08.akamai.com (prod-mail-relay08.akamai.com [172.27.22.71]) by prod-mail-xrelay08.akamai.com (Postfix) with ESMTP id B53D4200005; Thu, 14 Jul 2016 14:54:46 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1468508086; bh=LZCDma93Y/+kp244Q4i4oE7Dcq8TkzBClSKQICBR93o=; l=27; h=From:To:Date:References:In-Reply-To:From; b=GmdaAEMTWghEzkqhhRclYEojbvPTUt1khYW6zdaIsQBmHtxXU4YIGm4E4kRsKPk7p dVbAYfvjqJqQ46HwjMHF4mcwLsJnP72CMduHQj9HBUNDXlwrEk3JlcDnb8+Yfazylf Xt47QKmBZfvoioRNcUDKAKf4FR64UyulEUV3QRDY=
Received: from email.msg.corp.akamai.com (usma1ex-cas2.msg.corp.akamai.com [172.27.123.31]) by prod-mail-relay08.akamai.com (Postfix) with ESMTP id 9CCF798082; Thu, 14 Jul 2016 14:54:46 +0000 (GMT)
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 14 Jul 2016 10:54:45 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1178.000; Thu, 14 Jul 2016 10:54:45 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Derek Atkins <derek@ihtfp.com>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] possible BCP on public review being needed for standards-track crypto
Thread-Index: AQHR2r5g8tfiFB7GqUe4c8/s/iwGiqAYCa1jgAAAI5A=
Date: Thu, 14 Jul 2016 14:54:45 +0000
Message-ID: <2df3a7a34113480d845480c299133f59@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <56F29DE6.50508@cs.tcd.ie> <8F6A4585-80DC-4D20-A1BF-6EA378A4DDFF@callas.org> <CABtrr-UWG7-V4E8SpcL8x9S=usGjDKmD9meOPtuawq40nGYW4w@mail.gmail.com> <sjm60s8w9t1.fsf@securerf.ihtfp.org>
In-Reply-To: <sjm60s8w9t1.fsf@securerf.ihtfp.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.42.205]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3EpjQ6Z7W8VPAtNyZB9HfvUwJa0>
Subject: Re: [saag] possible BCP on public review being needed for standards-track crypto
X-List-Received-Date: Thu, 14 Jul 2016 14:54:49 -0000

Good suggestions, thanks.


From nobody Thu Jul 14 09:05:20 2016
Return-Path: <mamille2@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BBFA12D0F9 for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 09:05:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.808
X-Spam-Level: 
X-Spam-Status: No, score=-15.808 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slGjrKzjGzy6 for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 09:05:18 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF28512D763 for <saag@ietf.org>; Thu, 14 Jul 2016 09:05:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1243; q=dns/txt; s=iport; t=1468512318; x=1469721918; h=from:to:cc:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=IO8qmBHyEjEU6+Rt6qkr73NsnOvQ4ov82HpwL9Ssob0=; b=c4TxcKiv1voECIgNjaxeNDiEAVj97nDIMY8h8fKrGheFDzc2PlC7zUH+ RJGZJLFEVlHEf4OtfkFtxAqWCwUDVNbDlu66losr5bMuS8iQG4/z35Oce yl56BMZejf8sMDykGjUGCHrNhtxXIZr/PlNruWP3Vd27wj59c3E5iAp+h c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AyAgDct4dX/4MNJK1cgz5WgQK4ZYF7I?= =?us-ascii?q?oV3gTU4FAEBAQEBAQFlHAuEYzo/EgE+Qg8YBAoEGYgcDsB5AQEBAQEBAQEBAQE?= =?us-ascii?q?BAQEBAQEBAQEYBYgiikGCLwWZHQIBhhGIR48xkBgBHjaDcYcaKxh/AQEB?=
X-IronPort-AV: E=Sophos;i="5.28,363,1464652800"; d="scan'208";a="129508320"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 14 Jul 2016 16:05:17 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by alln-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id u6EG5Gn5003497 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 14 Jul 2016 16:05:17 GMT
Received: from xch-aln-002.cisco.com (173.36.7.12) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Thu, 14 Jul 2016 11:05:16 -0500
Received: from xch-aln-002.cisco.com ([173.36.7.12]) by XCH-ALN-002.cisco.com ([173.36.7.12]) with mapi id 15.00.1210.000; Thu, 14 Jul 2016 11:05:16 -0500
From: "Matt Miller (mamille2)" <mamille2@cisco.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: Ledger BoF
Thread-Index: AQHR3emC55AWahLs606FvgjHZXi8+g==
Date: Thu, 14 Jul 2016 16:05:16 +0000
Message-ID: <D2838039-928B-450C-8F9C-D3827BC65290@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.127.32]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C71A2C89824A0E469E62ABBA3DE3C225@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/nLrwMZbrcKNcecmrd0VGJwQIzDg>
Cc: Stefan Thomas <stefan@ripple.com>, Adam Roach <adam@nostrum.com>, Adrian Hope-Bailie <adrian@hopebailie.com>
Subject: [saag] Ledger BoF
X-List-Received-Date: Thu, 14 Jul 2016 16:05:19 -0000

Hello all,

This is to let you all know about the Ledger BoF. This is a non-working
group forming BoF to introduce the InterLedger protocol and crypto
conditions work started in W3C Web Payments. It's on Thursday 21 July at
Afternoon II (16:20 - 18:20) in Potsdam I.

The Interledger protocol is an open and neutral protocol for making
payments between disconnected payment networks and ledgers. It defines
schemes and primitives for dealing with addressing of ledgers,
fragmentation of payment networks, and cryptographically secured
validation of transfer conditions and fulfillments.

Initially started within a W3C community group in October 2015, the
purpose of this non-working group forming BoF is to introduce Interledger
and the underlying protocols to attendees and discuss how this work might
progress at the IETF.

The W3C Community where this work originated is at < https://www.w3.org/community/interledger/ >.

The relevant drafts are:

* The Interledger Protocol < https://tools.ietf.org/html/draft-thomas-interledger-00 >
* Crypto-Conditions < https://tools.ietf.org/html/draft-thomas-crypto-conditions-00 >


Thank you,

--
- m&m

Matt Miller
Cisco Systems, Inc.


From nobody Thu Jul 14 12:23:46 2016
Return-Path: <kent@bbn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36E8D12D1D7 for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 12:23:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7Ei6G4cULyI for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 12:23:43 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78AE612D123 for <saag@ietf.org>; Thu, 14 Jul 2016 12:23:43 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:50030 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bNmEU-000KnD-TD for saag@ietf.org; Thu, 14 Jul 2016 15:23:39 -0400
To: saag@ietf.org
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FFB79.2020101@isi.edu> <577FFDFB.1040704@si6networks.com> <578000F3.4060709@isi.edu> <578002DE.8020406@si6networks.com> <578003EE.3040507@isi.edu> <5780D1C9.4010008@si6networks.com> <578332E8.9020302@isi.edu> <57837AD5.4000702@si6networks.com> <57843532.6090708@isi.edu> <DM2PR0301MB065528DA16CB7440D406A181A8300@DM2PR0301MB0655.namprd03.prod.outlook.com> <D3AAA4E9.993B5%paul@marvell.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <0d2c8374-e7cd-fc65-b292-7630b03494ec@bbn.com>
Date: Thu, 14 Jul 2016 15:23:38 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <D3AAA4E9.993B5%paul@marvell.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/s1JHeSPgUSjKhsF5CCCEoUSpDKA>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-List-Received-Date: Thu, 14 Jul 2016 19:23:45 -0000

Paul,

the use of the 5-tuple you cited 4301 is needed to enforce a security 
policy based on those values. This was very common practice in firewall 
security policies in the time frame that 4301 was generated, and IPsec 
was striving to provide crypto-enforced security features analogous to 
what was available in firewalls.

yes, using this approach does cause problems with NATs, but at that time 
NATs were still viewed as evil ;-). Onion routing compatibility was not 
a goal for IPsec.

Steve

> One of my favorite 'privacy issues' is in IPsec RFC 4301:
> 	"Search the SAD for a match on the combination of SPI, destination
> address, and source address."
>
> IMHO the binding of the security association explicitly to the src/dst IP
> addresses creates NATing problems and prevents interesting onion routing
> like implementations that would hide the end addresses.  For best common
> practice for any security protocol there should be no explicit binding of
> visible addresses to the identifiers for encrypted information.
>
> Paul


From nobody Thu Jul 14 12:31:34 2016
Return-Path: <kent@bbn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE80A12D1E3 for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 12:31:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W_O-MlN91nVA for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 12:31:31 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E36DF12D13D for <saag@ietf.org>; Thu, 14 Jul 2016 12:31:30 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:50309 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bNmM1-0006kr-HB; Thu, 14 Jul 2016 15:31:25 -0400
From: Stephen Kent <kent@bbn.com>
To: Christian Huitema <huitema@huitema.net>, saag@ietf.org
References: <5774E4E3.2030605@cs.tcd.ie> <57758609.8090602@si6networks.com> <577682D0.100@cs.tcd.ie> <5777B9F2.9080709@si6networks.com> <577809A7.4070203@cs.tcd.ie> <57780BB6.5060307@si6networks.com> <061801d1d594$29801130$7c803390$@huitema.net> <CACsn0ck_JzgRPxu+RRFir893FqaqVvfnsybrGqma+FO+os97dg@mail.gmail.com> <m2shvn562u.wl%randy@psg.com> <f5651e66-dbed-3ca6-c68f-ce433f306a83@bbn.com> <00cd01d1d7c9$199d42b0$4cd7c810$@huitema.net>
Message-ID: <1202f11a-0059-7ff5-0eee-8dc41925b5c8@bbn.com>
Date: Thu, 14 Jul 2016 15:31:25 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <00cd01d1d7c9$199d42b0$4cd7c810$@huitema.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/dXo9NSq6esjp5-w9DXyq7gxts4o>
Subject: Re: [saag] [Privsec-program] RFC3552bis...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2016 19:31:32 -0000

Christian,


> On Wednesday, July 6, 2016 10:15 AM, Stephen Kent wrote:
>> TA has been considered as part of confidentiality for about 30 years.
> I am sure that defense against traffic analysis was considered by many
> experts for many years. On the other hand, it obviously was not considered a
> priority by IETF protocol designers for a long time. Documents like 3552bis
> should correct that. Yes, we should say, "please care about
> confidentiality." But we need to say a bit more, such as "do not spread
> metadata all over the place." And it would be nice to give some broad
> guidelines about the big categories that we care about.
I agree that more should be said. I was just noting that Randy's comment was
not quite correct in suggesting that TA concerns are not encompassed by 
"confidentiality".

Steve


From nobody Thu Jul 14 14:09:28 2016
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B82312DBFB for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 14:09:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id irUoyHuZ7bdj for <saag@ietfa.amsl.com>; Thu, 14 Jul 2016 14:09:26 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2150712DC08 for <saag@ietf.org>; Thu, 14 Jul 2016 14:09:26 -0700 (PDT)
Received: from [10.32.60.104] (142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id u6EL9NMq001302 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Thu, 14 Jul 2016 14:09:24 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 142-254-101-201.dsl.dynamic.fusionbroadband.com [142.254.101.201] claimed to be [10.32.60.104]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "saag@ietf.org" <saag@ietf.org>
Date: Thu, 14 Jul 2016 14:09:23 -0700
Message-ID: <CA17AE8B-74B7-4C85-85A3-CC412D9FE594@vpnc.org>
References: <093274DA-857D-46FA-94D8-3110D8D41E85@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
X-Mailer: MailMate (1.9.4r5234)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-kzxRzZrdxdrKtS9_nqsGV8ccLQ>
Subject: [saag] Invitation to "Upcoming ZSK and KSK Changes to the Root Zone" on Tuesday, 19 June, in Berlin
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2016 21:09:27 -0000

Greetings. This might be of interest to SAAG folks who didn't see it on 
the 96attendees list. It's on Tuesday next week, before the SAAG meeting 
on Thursday, which is why I'm posting it here now.

--Paul Hoffman

Forwarded message:

> From: Matt Larson <matt.larson@icann.org>
> To: 96attendees@ietf.org <96attendees@ietf.org>
> Subject: [96attendees] Invitation to "Upcoming ZSK and KSK Changes to 
> the Root Zone" on Tuesday, 19 June, in Berlin
> Date: Fri, 8 Jul 2016 19:45:03 +0000
>
> Dear IETF colleagues,
>
> I'd like to invite anyone interested in DNSSEC in the root zone to a 
> session on "Upcoming ZSK and KSK Changes to the Root Zone" on Tuesday, 
> 19 June, from 1230-1345 in the Bellevue Room in the InterContinental 
> Hotel.  ICANN and Verisign, as IANA Functions Operator and Root Zone 
> Manager, respectively, are cooperating on two projects that are 
> changing aspects of DNSSEC operation in the root zone: the root zone 
> ZSK is increasing in size from 1024 bits to 2048 
> bits<http://blogs.verisign.com/blog/entry/increasing_the_strength_of_the> 
> and the root zone KSK will be 
> changing<https://www.icann.org/resources/pages/ksk-rollover>.  Duane 
> Wessels from Verisign and I will talk about the plans and answer any 
> questions.
>
> Because of the critical nature of the root zone and the significance 
> of these changes, Verisign and ICANN are making a number of 
> presentations to increase awareness.  We approached the IAB about a 
> presentation in Berlin and they suggested this lunchtime slot.  We'd 
> like to thank the IAB and the Secretariat for graciously offering a 
> room.
>
> Thanks and see you in Berlin,
>
> Matt
> --
> Matt Larson
> VP of Research
> Office of the CTO, ICANN
>


From nobody Fri Jul 15 04:52:52 2016
Return-Path: <adrian@hopebailie.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C4EF12DA06 for <saag@ietfa.amsl.com>; Fri, 15 Jul 2016 04:52:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopebailie.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZkT5H-a4QKeh for <saag@ietfa.amsl.com>; Fri, 15 Jul 2016 04:52:46 -0700 (PDT)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B45AE12D62F for <saag@ietf.org>; Fri, 15 Jul 2016 04:52:46 -0700 (PDT)
Received: by mail-oi0-x230.google.com with SMTP id l72so13542474oig.2 for <saag@ietf.org>; Fri, 15 Jul 2016 04:52:46 -0700 (PDT)
X-Received: by 10.202.226.204 with SMTP id z195mr7631865oig.120.1468583565791;  Fri, 15 Jul 2016 04:52:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.172.142 with HTTP; Fri, 15 Jul 2016 04:52:44 -0700 (PDT)
In-Reply-To: <D2838039-928B-450C-8F9C-D3827BC65290@cisco.com>
References: <D2838039-928B-450C-8F9C-D3827BC65290@cisco.com>
From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Fri, 15 Jul 2016 13:52:44 +0200
Message-ID: <CA+eFz_J+W7fQ31g2ErJHhF_2ofZ5taBc1X7GBJpoCKtU2LMgKA@mail.gmail.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>
Content-Type: multipart/alternative; boundary=001a11408630c32ffc0537ab4109
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fO8dBtRy-XAaZkLimMlHzkWP3I4>
Cc: Stefan Thomas <stefan@ripple.com>, Adam Roach <adam@nostrum.com>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Ledger BoF
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 11:52:50 -0000

--001a11408630c32ffc0537ab4109
Content-Type: text/plain; charset=UTF-8

Hey Matt,

There is also a lot of info on the project website https://interledger.org
<http://interledger.org> and everything (markdown versions of the Internet
Drafts, reference code etc) is in the GitHub repo:
https://github.com/interledger/

As first timers to an IETF meeting my colleagues and I will be at the
training and meetup on Sunday so we'll be at IETF the whole week and would
love to meet anyone that's keen to chat before the BoF.

If you read https://tools.ietf.org/html/draft-thomas-interledger-00 you'll
see that we've got a lot of the classical networking issues to still figure
out on top of this basic protocol like routing (and a variation on that,
quoting). We've got some proposals but are keen to get input on those.

We're hoping to spend a lot of time next week talking to folks that are
especially knowledgeable in those areas so any suggestions or introductions
are welcome.

With regard to crypto-conditions, we'd also like to hear from anyone that
thinks they have a use case that would benefit from something like
crypto-conditions. We developed it specifically for our use case but it has
pretty general applicability as a drop in replacement for signatures but
with a bunch of additional features.

Looking forward to meeting you all!

Adrian

On Thursday, July 14, 2016, Matt Miller (mamille2) <mamille2@cisco.com>
wrote:

> Hello all,
>
> This is to let you all know about the Ledger BoF. This is a non-working
> group forming BoF to introduce the InterLedger protocol and crypto
> conditions work started in W3C Web Payments. It's on Thursday 21 July at
> Afternoon II (16:20 - 18:20) in Potsdam I.
>
> The Interledger protocol is an open and neutral protocol for making
> payments between disconnected payment networks and ledgers. It defines
> schemes and primitives for dealing with addressing of ledgers,
> fragmentation of payment networks, and cryptographically secured validation
> of transfer conditions and fulfillments.
>
> Initially started within a W3C community group in October 2015, the
> purpose of this non-working group forming BoF is to introduce Interledger
> and the underlying protocols to attendees and discuss how this work might
> progress at the IETF.
>
> The W3C Community where this work originated is at <
> https://www.w3.org/community/interledger/ >.
>
> The relevant drafts are:
>
> * The Interledger Protocol <
> https://tools.ietf.org/html/draft-thomas-interledger-00 >
> * Crypto-Conditions <
> https://tools.ietf.org/html/draft-thomas-crypto-conditions-00 >
>
>
> Thank you,
>
> --
> - m&m
>
> Matt Miller
> Cisco Systems, Inc.
>
>

--001a11408630c32ffc0537ab4109--


From nobody Fri Jul 15 17:40:02 2016
Return-Path: <paul@marvell.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 489F512D52D for <saag@ietfa.amsl.com>; Fri, 15 Jul 2016 17:40:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level: 
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vBt5u_e_aTPk for <saag@ietfa.amsl.com>; Fri, 15 Jul 2016 17:39:58 -0700 (PDT)
Received: from mx0a-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E75EC12D0D3 for <saag@ietf.org>; Fri, 15 Jul 2016 17:39:57 -0700 (PDT)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id u6G0bM9h027574; Fri, 15 Jul 2016 17:39:28 -0700
Received: from sc-exch02.marvell.com ([199.233.58.182]) by mx0a-0016f401.pphosted.com with ESMTP id 246garf359-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 15 Jul 2016 17:39:28 -0700
Received: from SC-EXCH03.marvell.com (10.93.176.83) by SC-EXCH02.marvell.com (10.93.176.82) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Fri, 15 Jul 2016 17:39:27 -0700
Received: from SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6]) by SC-EXCH03.marvell.com ([fe80::6cb0:4dfa:f3f3:b8b6%21]) with mapi id 15.00.1104.000; Fri, 15 Jul 2016 17:39:27 -0700
From: Paul Lambert <paul@marvell.com>
To: Stephen Kent <kent@bbn.com>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: Addresses as Identifiers -> was RE: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
Thread-Index: AdHe+EnUiPCFgkjYSIqFa6pf7p0Quw==
Date: Sat, 16 Jul 2016 00:39:27 +0000
Message-ID: <40655069f3794eeeac9164454c0ac9c0@SC-EXCH03.marvell.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.93.176.43]
Content-Type: text/plain; charset="windows-1256"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-07-15_13:, , signatures=0
X-Proofpoint-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607160005
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/n_mOAgbSNgafBWuCEDICNjhLt5k>
Subject: [saag] Addresses as Identifiers -> was RE: [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2016 00:40:00 -0000

Steve,

> the use of the 5-tuple you cited 4301 is needed to enforce a security
> policy based on those values. This was very common practice in firewall
> security policies in the time frame that 4301 was generated, and IPsec
> was striving to provide crypto-enforced security features analogous to
> what was available in firewalls.
>
> yes, using this approach does cause problems with NATs, but at that time
> NATs were still viewed as evil ;-).

Yes, at the time the strict enforcement of IP address based policies may
have appeared to be useful. In hindsight, the use of an IP address as the
'identity' of a device for the enforcement of policies is problematic.

For "Privsec", I'm suggesting that openly visible addresses should not be
arbitrarily bound to a security encapsulation at any layer.

> Onion routing compatibility was not
> a goal for IPsec.

Perhaps, but the documented restrictions on the use of ESP could be relaxed
to improve behavior through various types of address translations (for NAT,
proxies or Onion-like routing).

Paul

>
> Steve
>
> > One of my favorite 'privacy issues' is in IPsec RFC 4301:
> > 	"Search the SAD for a match on the combination of SPI, destination
> > address, and source address."
> >
> > IMHO the binding of the security association explicitly to the src/dst IP
> > addresses creates NATing problems and prevents interesting onion routing
> > like implementations that would hide the end addresses.  For best common
> > practice for any security protocol there should be no explicit binding of
> > visible addresses to the identifiers for encrypted information.
> >
> > Paul
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
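
The SAD lookup debated in the exchange above, as an added example that is not part of the original messages: a model of the inbound search order in RFC 4301 section 4.1 (the quoted step plus the two fallback steps that follow it in the RFC), showing which entry bindings still match after a NAT rewrites the source address. The class and function names, the SPI value and the documentation-range addresses are constructed for illustration, and a single SPI space for AH and ESP is assumed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class SadEntry:
    """One SA. Fields left as None are not used for lookup (RFC 4301, 4.1)."""
    name: str
    spi: int
    dst: Optional[str] = None
    src: Optional[str] = None


@dataclass(frozen=True)
class InboundPacket:
    """Outer-header fields of an inbound IPsec packet that the lookup sees."""
    spi: int
    src: str
    dst: str


def _same(a: str, b: str) -> bool:
    # Compare parsed addresses so textual variants of one address still match.
    return ipaddress.ip_address(a) == ipaddress.ip_address(b)


def sad_lookup(sad: Iterable[SadEntry], pkt: InboundPacket) -> Optional[SadEntry]:
    """Longest-match search in the order given in RFC 4301 section 4.1."""
    candidates = [e for e in sad if e.spi == pkt.spi]
    # Step 1: SPI + destination address + source address.
    for e in candidates:
        if e.dst and e.src and _same(e.dst, pkt.dst) and _same(e.src, pkt.src):
            return e
    # Step 2: SPI + destination address.
    for e in candidates:
        if e.dst and not e.src and _same(e.dst, pkt.dst):
            return e
    # Step 3: SPI only (assumes one SPI space shared by AH and ESP).
    for e in candidates:
        if not e.dst and not e.src:
            return e
    return None  # RFC 4301: discard the packet and log an auditable event.


def nat_rewrite_source(pkt: InboundPacket, public_addr: str) -> InboundPacket:
    """What a source NAT does to the outer header; the SPI is untouched."""
    return replace(pkt, src=public_addr)


# Constructed scenario using documentation address ranges.
INITIATOR = "192.0.2.10"      # address the SA was negotiated with
NAT_PUBLIC = "203.0.113.5"    # address the responder sees after translation
RESPONDER = "198.51.100.1"
SPI = 0x1001


def demo() -> dict:
    sent = InboundPacket(spi=SPI, src=INITIATOR, dst=RESPONDER)
    seen = nat_rewrite_source(sent, NAT_PUBLIC)
    bindings = {
        "spi+dst+src": SadEntry("sa-bound", SPI, dst=RESPONDER, src=INITIATOR),
        "spi+dst": SadEntry("sa-dst", SPI, dst=RESPONDER),
        "spi": SadEntry("sa-spi", SPI),
    }
    result = {}
    for label, entry in bindings.items():
        before = sad_lookup([entry], sent)
        after = sad_lookup([entry], seen)
        result[label] = (before.name if before else None,
                         after.name if after else None)
    return result


if __name__ == "__main__":
    for label, (before, after) in demo().items():
        print(f"{label:12} untranslated={before!s:9} after NAT={after}")
```
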


From nobody Sat Jul 16 04:18:24 2016
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9515812D1BE for <saag@ietfa.amsl.com>; Sat, 16 Jul 2016 04:18:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LHJy8BAdY8VC for <saag@ietfa.amsl.com>; Sat, 16 Jul 2016 04:18:20 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A10BE12D0B5 for <saag@ietf.org>; Sat, 16 Jul 2016 04:18:20 -0700 (PDT)
Received: from [192.168.1.127] (catv-80-98-181-133.catv.broadband.hu [80.98.181.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 6408B80260; Sat, 16 Jul 2016 13:18:14 +0200 (CEST)
To: dcrocker@bbiw.net, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FF2F9.8000108@si6networks.com> <2afcc910-75a8-f7ba-1d45-fdc89538cf24@dcrocker.net>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <57852496.3030909@si6networks.com>
Date: Tue, 12 Jul 2016 19:10:46 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <2afcc910-75a8-f7ba-1d45-fdc89538cf24@dcrocker.net>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3bXdTo_El9Y-wVAU20rPsmhf-uA>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2016 11:18:22 -0000

On 07/12/2016 09:07 AM, Dave Crocker wrote:
> On 7/8/2016 7:37 PM, Fernando Gont wrote:
>> Yes. We're planning to at least add one more example: DNS TxID... But we
>> could also add others (e.g., transport protocol numbers).
> 
> Are there any examples from application-level protocols that work here?

I don't remember thinking about application-level protocol examples. But
Ivan mentioned NFS file handles....

We'll try to include some of these in the next rev of the document.

Thanks!

Cheers,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Sat Jul 16 10:57:51 2016
Return-Path: <dhc@dcrocker.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58FA012D6AA; Sat, 16 Jul 2016 10:57:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.107
X-Spam-Level: 
X-Spam-Status: No, score=-1.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VEHwovKioZFq; Sat, 16 Jul 2016 10:57:46 -0700 (PDT)
Received: from simon.songbird.com (unknown [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C80112D180; Sat, 16 Jul 2016 10:57:46 -0700 (PDT)
Received: from [192.168.100.172] (p578ab585.dip0.t-ipconnect.de [87.138.181.133]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id u6GHwJRW008824 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Sat, 16 Jul 2016 10:58:20 -0700
To: Fernando Gont <fgont@si6networks.com>, "saag@ietf.org" <saag@ietf.org>
References: <20160708161738.32063.4068.idtracker@ietfa.amsl.com> <577FD369.2010202@si6networks.com> <DM2PR0301MB065510ACB442E9A9B35DC515A83C0@DM2PR0301MB0655.namprd03.prod.outlook.com> <577FF2F9.8000108@si6networks.com> <2afcc910-75a8-f7ba-1d45-fdc89538cf24@dcrocker.net> <57852496.3030909@si6networks.com>
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
Message-ID: <ac64c96c-7b12-6d45-f636-40f62e40ff3b@dcrocker.net>
Date: Sat, 16 Jul 2016 19:57:35 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <57852496.3030909@si6networks.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zHGfpnGGDDPUM4XhDS0zFOfTkUw>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>
Subject: Re: [saag] [Privsec-program] A tale of (flawed) transient numeric identifiers (Fwd: New Version Notification for draft-gont-numeric-ids-history-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2016 17:57:47 -0000

On 7/12/2016 7:10 PM, Fernando Gont wrote:
> I don't remember thinking about application-level protocol examples. But
> Ivan mentioned NFS file handles....
>
> We'll try to include some of these in the next rev of the document.


NFS file handles sounds good.

Also note that RFCs 5321/5322 produce a 'Received' header field that 
often contains the IP address and/or domain name of the previous-hop 
SMTP client.  At the start of the transmission sequence, that could be 
the user's host identifier....

d/

-- 

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
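
The 'Received' exposure mentioned above, as an added example that is not part of the original message: a check that walks a message's Received trace in chronological order and reports what the first non-loopback hop discloses about the submitting host. The sample message, host names and addresses are constructed (documentation ranges), and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample: three hops, newest first, as a receiving MTA stores them.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [198.51.100.25])
\tby list.example.com (Postfix) with ESMTPS id 3C0FFEE1
\tfor <list@example.com>; Sat, 16 Jul 2016 10:57:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1])
\tby mx.example.org (Postfix) with ESMTP id 2BADF00D;
\tSat, 16 Jul 2016 19:57:40 +0200 (CEST)
Received: from [192.0.2.44] (laptop-of-alice.example.net [192.0.2.44])
\tby mx.example.org (Postfix) with ESMTPSA id 1DEADBEEF;
\tSat, 16 Jul 2016 19:57:36 +0200 (CEST)
From: Alice <alice@example.org>
To: list@example.com
Subject: constructed sample

body
"""

_FROM = re.compile(r"^from\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_RDNS = re.compile(r"\(([^\s\[\]()]+)\s+\[")
_ADDR = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def _addresses(value):
    """Bracketed address literals in one header value, validated and de-duplicated."""
    found = []
    for text in _ADDR.findall(value):
        try:
            addr = str(ipaddress.ip_address(text))
        except ValueError:
            continue  # bracketed text that is not an IP literal
        if addr not in found:
            found.append(addr)
    return found


def received_hops(raw_message):
    """Return the Received trace oldest hop first.

    Each MTA prepends its own header, so the last Received field in the
    message is the first hop the message took.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # undo header folding
        helo = _FROM.search(flat)
        by = _BY.search(flat)
        rdns = _RDNS.search(flat)
        hops.append({
            "helo": helo.group(1) if helo else None,
            "rdns": rdns.group(1) if rdns else None,
            "by": by.group(1) if by else None,
            "addresses": _addresses(flat),
        })
    return hops


def origin_exposure(raw_message):
    """First hop that discloses a non-loopback address, or None."""
    for hop in received_hops(raw_message):
        public = [a for a in hop["addresses"]
                  if not ipaddress.ip_address(a).is_loopback]
        if public:
            return {**hop, "addresses": public}
    return None


if __name__ == "__main__":
    hit = origin_exposure(SAMPLE)
    print("first hop recorded by:", hit["by"])
    print("client identifiers disclosed:", hit["helo"], hit["rdns"], hit["addresses"])
```
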


From nobody Sat Jul 16 20:36:09 2016
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4CE212D0CC for <saag@ietfa.amsl.com>; Sat, 16 Jul 2016 20:36:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UAogskX5dyGI for <saag@ietfa.amsl.com>; Sat, 16 Jul 2016 20:36:06 -0700 (PDT)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3640126D74 for <saag@ietf.org>; Sat, 16 Jul 2016 20:36:05 -0700 (PDT)
Received: by mail-vk0-x229.google.com with SMTP id w127so143284129vkh.2 for <saag@ietf.org>; Sat, 16 Jul 2016 20:36:05 -0700 (PDT)
X-Received: by 10.159.39.193 with SMTP id b59mr14675259uab.109.1468726564964;  Sat, 16 Jul 2016 20:36:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.39.194 with HTTP; Sat, 16 Jul 2016 20:36:04 -0700 (PDT)
In-Reply-To: <2df3a7a34113480d845480c299133f59@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <56F29DE6.50508@cs.tcd.ie> <8F6A4585-80DC-4D20-A1BF-6EA378A4DDFF@callas.org> <CABtrr-UWG7-V4E8SpcL8x9S=usGjDKmD9meOPtuawq40nGYW4w@mail.gmail.com> <sjm60s8w9t1.fsf@securerf.ihtfp.org> <2df3a7a34113480d845480c299133f59@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 16 Jul 2016 20:36:04 -0700
Message-ID: <CACsn0cmQN_KVQvf9obG0dm8Qnd4CP7Xe6OOo-vKWd=PG1RZhEQ@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3jqYD-qQ8TbBvTOtqTXF7imANDw>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] possible BCP on public review being needed for standards-track crypto
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2016 03:36:08 -0000

This draft seems to say that crypto is insufficiently reviewed. I
don't think that's really the problem: as my lengthy email of some
time ago shows, many of the issues that have been five alarm fires
started as smoldering wastebaskets we knew were aflame.

On Thu, Jul 14, 2016 at 7:54 AM, Salz, Rich <rsalz@akamai.com> wrote:
> Good suggestions, thanks.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.


From nobody Sat Jul 16 21:48:51 2016
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E53A112B02A for <saag@ietfa.amsl.com>; Sat, 16 Jul 2016 21:48:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.988
X-Spam-Level: 
X-Spam-Status: No, score=-3.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqixYOUvo_3t for <saag@ietfa.amsl.com>; Sat, 16 Jul 2016 21:48:47 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id C38EC12B00C for <saag@ietf.org>; Sat, 16 Jul 2016 21:48:47 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 891A643340E; Sun, 17 Jul 2016 04:48:46 +0000 (GMT)
Received: from prod-mail-relay11.akamai.com (prod-mail-relay11.akamai.com [172.27.118.250]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 721E6433401; Sun, 17 Jul 2016 04:48:46 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1468730926; bh=F6/oVvN2+JOgr6sJqZWpydXEY4hFADJHY0qJn0rwvBI=; l=834; h=From:To:CC:Date:References:In-Reply-To:From; b=uxK4eboEoT5hLc1nH/PFrauTWApxK/+9IkPt4bLpWiwj2764B9j34O7rLYNzg3p2m dTu7ilfm72IGtzt8IwM/2K16xpiuZ44nIKhwc+i8hrC997fDQG+ltUtAAB4EwP4a9S ccRcioItabgXfNeOv/694lxEMA8T8WZJoF2DX2Y8=
Received: from email.msg.corp.akamai.com (usma1ex-cas1.msg.corp.akamai.com [172.27.123.30]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id 6E8CE1FC8E; Sun, 17 Jul 2016 04:48:46 +0000 (GMT)
Received: from USMA1EX-EXJRNL1.msg.corp.akamai.com (172.27.123.99) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sun, 17 Jul 2016 00:48:46 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by USMA1EX-EXJRNL1.msg.corp.akamai.com (172.27.123.99) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Sun, 17 Jul 2016 00:48:45 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1178.000; Sun, 17 Jul 2016 00:48:45 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [saag] possible BCP on public review being needed for standards-track crypto
Thread-Index: AQHR2r5g8tfiFB7GqUe4c8/s/iwGiqAYCa1jgAAAI5CABDxyAP//0N6A
Date: Sun, 17 Jul 2016 04:48:44 +0000
Message-ID: <6c953f0da5cc4bf4b04f70fcf26f63c8@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <56F29DE6.50508@cs.tcd.ie> <8F6A4585-80DC-4D20-A1BF-6EA378A4DDFF@callas.org> <CABtrr-UWG7-V4E8SpcL8x9S=usGjDKmD9meOPtuawq40nGYW4w@mail.gmail.com> <sjm60s8w9t1.fsf@securerf.ihtfp.org> <2df3a7a34113480d845480c299133f59@usma1ex-dag1mb1.msg.corp.akamai.com> <CACsn0cmQN_KVQvf9obG0dm8Qnd4CP7Xe6OOo-vKWd=PG1RZhEQ@mail.gmail.com>
In-Reply-To: <CACsn0cmQN_KVQvf9obG0dm8Qnd4CP7Xe6OOo-vKWd=PG1RZhEQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.152.101]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/KxJdU66HnXDKB4DN6qGSwLuMQ9U>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] possible BCP on public review being needed for standards-track crypto
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2016 04:48:50 -0000

From nobody Sun Jul 17 00:12:30 2016
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F84412D0F7 for <saag@ietfa.amsl.com>; Sun, 17 Jul 2016 00:12:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 63xekIfpslFO for <saag@ietfa.amsl.com>; Sun, 17 Jul 2016 00:12:26 -0700 (PDT)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2083F128E18 for <saag@ietf.org>; Sun, 17 Jul 2016 00:12:26 -0700 (PDT)
Received: by mail-wm0-x22b.google.com with SMTP id f126so69774503wma.1 for <saag@ietf.org>; Sun, 17 Jul 2016 00:12:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xNNCPIbgRO2+CX0FCdaSTpRIjd/V8xE8msUkhGByOAQ=; b=xXNC4y/GGOaspvwUbtb4d9si6gukajhF3Y98R3SlSsuq+m3IGFmFVW4rI3mQIKqp9v cVzrzTvxxfSf7Fj6WpK85pWmcKmjlkDQECM8T8N0ZmxZReHoG8ptC7No+BrT4h4ln5kk yhsMtTwhWpn2wMMrRJC9JzUQXR0A3HohmzK55NJTpnLDB4vsxmaJII1W8laJVAVmnbkc /vBfBMVVXkAXDBW0s48meOBc1mYaxZDn3X0QzT5Ys34R3AlkpqXqY5rsYJ1dBtYDHoHV GbQsQpLPC+h15PQHWSFhg6VpuVdLlfz6g2a5vR5tt25ZBt/NMRxAzyPRqi7/7+s7at/M 7vyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=xNNCPIbgRO2+CX0FCdaSTpRIjd/V8xE8msUkhGByOAQ=; b=R9+eaWjWnSKx6NcRpnA8DS+/mzD7v2cGBKbaQzaZxO8G3rhYCTZASNSSQEJT5xSB5o Ha83sP+aXLpCZ02LQHYlpuJte0JKrlZcGUHY/+MYEdihQoi0SYb8pFTT/IFlecAAPPMp hmzDas6BPCS80NB3zCDUkSUnGOP0h1fRK7HhNjMEPBjW2uTeo+C9ywastiHw53W/jjsn R0qsdDBrOgrBkbsvsr11BgVu5/1xPwcERJNqvB3tvf4aVxj2Vs5u4wiGufhKGMz7a92i WiRPTIMV1P8cNMNI4jsYRPA97S/KHjNl2344MhdSndjAk8fo9v0u8FxifJjLs79JSKk/ 5D5Q==
X-Gm-Message-State: ALyK8tK/Cf7cBc2bGYEVjkAz+MquOvLrILFJxxrAh16r7UTks2dYILTfMAO5yKjQHzt0mQ==
X-Received: by 10.194.57.9 with SMTP id e9mr7080804wjq.176.1468739544633; Sun, 17 Jul 2016 00:12:24 -0700 (PDT)
Received: from [31.133.143.214] (dhcp-8fd6.meeting.ietf.org. [31.133.143.214]) by smtp.gmail.com with ESMTPSA id h10sm3752667wjl.9.2016.07.17.00.12.23 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 17 Jul 2016 00:12:23 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: kathleen.moriarty.ietf@gmail.com
X-Mailer: iPhone Mail (13F69)
In-Reply-To: <6c953f0da5cc4bf4b04f70fcf26f63c8@usma1ex-dag1mb1.msg.corp.akamai.com>
Date: Sun, 17 Jul 2016 09:12:22 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <00725254-AB06-4766-A703-46BF24ADA5C2@gmail.com>
References: <56F29DE6.50508@cs.tcd.ie> <8F6A4585-80DC-4D20-A1BF-6EA378A4DDFF@callas.org> <CABtrr-UWG7-V4E8SpcL8x9S=usGjDKmD9meOPtuawq40nGYW4w@mail.gmail.com> <sjm60s8w9t1.fsf@securerf.ihtfp.org> <2df3a7a34113480d845480c299133f59@usma1ex-dag1mb1.msg.corp.akamai.com> <CACsn0cmQN_KVQvf9obG0dm8Qnd4CP7Xe6OOo-vKWd=PG1RZhEQ@mail.gmail.com> <6c953f0da5cc4bf4b04f70fcf26f63c8@usma1ex-dag1mb1.msg.corp.akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/xbZ7Svq-1U2S0Sr7815EvPOwaCI>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] possible BCP on public review being needed for standards-track crypto
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2016 07:12:28 -0000

Sent from my iPhone

On Jul 17, 2016, at 6:48 AM, Salz, Rich <rsalz@akamai.com> wrote:

>> This draft seems to say that crypto is insufficiently reviewed. I don't think
>> that's really the problem: as my lengthy email of some time ago shows, many
>> of the issues that have been five alarm fires started as smoldering
>> wastebaskets we knew were aflame.
>
> I think I replied to one of your points in that lengthy email, but didn't see a counter-reply. Did I miss it?
>
> The IETF crypto is pretty well reviewed now, but we can always do better.
>
> Stuff that comes in from other SDO's is not as good, and having a document to point to when we say "no" is a good thing.

That's not a good way to phrase it. IMO.  Maybe leave out the other SDOs and just stick to our process for what's accepted.  CFRG might decide something that went through another SDO is best in the future.

Kathleen
>
> Does that make sense?


From nobody Mon Jul 18 09:06:05 2016
Return-Path: <jhall@cdt.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C903112DA50 for <saag@ietfa.amsl.com>; Mon, 18 Jul 2016 09:06:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YmIhjkIBRidU for <saag@ietfa.amsl.com>; Mon, 18 Jul 2016 09:06:00 -0700 (PDT)
Received: from mail-vk0-x22c.google.com (mail-vk0-x22c.google.com [IPv6:2607:f8b0:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE1AA12DA2C for <saag@ietf.org>; Mon, 18 Jul 2016 09:05:56 -0700 (PDT)
Received: by mail-vk0-x22c.google.com with SMTP id w127so186696929vkh.2 for <saag@ietf.org>; Mon, 18 Jul 2016 09:05:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=kmt1KXsLHZA1s4EnEb7dhkOksV7K9z0ANyhOpomlGJs=; b=NZhTMJUQR5mmSQTFqgMH46l9dBk+9py1RnCRatt3QLVjxpBi7D3s/DTwCLmEHF/Fom vJ7191KDOHT8j4USafCuUBTQEC79mK0hX/bMkDbfe9fRWqvT1maroMsxj8TSUbhJaVIR zHv2ILxkXJJrUVKjz9NvNU4KQFsW3/0QCskGI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=kmt1KXsLHZA1s4EnEb7dhkOksV7K9z0ANyhOpomlGJs=; b=CWBzkJn2xp1cQzaHYRGjFyU2EQt0sQ9KD9c46RGue01O0uoqnilmLXz/Jpet8+KOXI A+CpHyhITgJnKH38PsubKeHTTZPgRdQDsZU83te3gU7yrk1GQZ9ayDDqaRaWW6EOWhvP fETcA0WfWiSCNrudy1NEUtA9G3ejNlxpePWfPVezaxfok9x8qcb4V1V8hDcubn4ZHxMv 3Yjz8nFZplhpMYsvlOpznlT/AOx48VUGl5hhY8nUTJ63XmsMOGW2jJuuPefovS6Td5YC NNAenGFlqe2MRXNehQ4Ip8pNQ6XbFZOkvI1/xxe9CMjNA5XtKaB13f1g4oAtyMhJV0iB yKOg==
X-Gm-Message-State: ALyK8tLiIzVgFUKTmHtQEAv7gOFVqRyrEpy+v4GzMbxkb2P6iLze88DVw893kzCcIh4RgZIC9bwOBDKVifCTem1p
X-Received: by 10.31.6.18 with SMTP id 18mr18185068vkg.43.1468857955399; Mon, 18 Jul 2016 09:05:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.29.71 with HTTP; Mon, 18 Jul 2016 09:05:35 -0700 (PDT)
In-Reply-To: <576D899F.7000000@cdt.org>
References: <576D899F.7000000@cdt.org>
From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Mon, 18 Jul 2016 18:05:35 +0200
Message-ID: <CABtrr-WCc8KB_PaEfh4UX9YMmxK0UWdrhbX2+b7tnAQpGD0FfQ@mail.gmail.com>
To: IETF discussion list <ietf@ietf.org>, saag@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/E6tHdEnkD7TF915NYmdvXw2z67Y>
Subject: Re: [saag] side event Wed. 20 July at IETF 96: "Open Debate on the Politics of Encryption"
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2016 16:06:02 -0000

If you have RSVP'd to this and don't have the directions to the venue
that the host has provided, please contact me and I can send them to
you.

best, Joe

On Fri, Jun 24, 2016 at 9:27 PM, Joseph Lorenzo Hall <joe@cdt.org> wrote:
> Dear IETFers,
>
> Wikimedia Germany and the Global Public Policy Institute will be hosting
> the following event on Wednesday evening of IETF week.
>
> (Yes, it is scheduled during the IETF plenary on Wednesday evening. We
> hope some of you might make it regardless as it's only 15m away from the
> IETF venue.)
>
> RSVP required. best, Joe
>
> ----
>
> Open Debate on the Politics of Encryption
>
> In modern democracies, societies are built not only on checks and
> balances but also on the notion of trust. In the digital age, trust is
> strengthened through a variety of technologies that provide for online
> privacy and security. Encryption technologies are one key example. They
> allow users to securely communicate and do business online, and to
> protect data on a computer, a phone or in the cloud. However, those
> technologies are also available for less benevolent purposes, providing
> criminals with means to protect their communication and data. This has
> put encryption at the centre of a debate on the tension between online
> security and the notion of national security. Even after years of
> struggles - most recently between the FBI and Apple - battle lines
> remain murky, and key questions unanswered.
>
> Are law enforcement agencies really "going dark"? Should (and can)
> societies make any compromises on the use of encryption technologies?
> What are the ethical obligations for the technical and academic
> communities? If multistakeholder institutions, such as the IETF, set
> standards on encryption that will be adopted broadly, how does
> multistakeholder governance impact best practices, the development and
> the implementation of such standards? What effect had the Snowden
> disclosures on IETF processes? If we accept the broad and easy use of
> encryption technologies, should government agencies have other tools at
> hand to fight criminals? And finally, where do we stand on this debate
> in Germany and what can we do to help define a united European position?
>
> On Wednesday, 20 July 2016 - on the occasion of this year's IETF meeting
> being held in Berlin - we will address these and similar questions in an
> open debate on the politics of encryption. The discussion will be
> launched by a conversation between Joe Hall (Center for Democracy &
> Technology, CDT), Linus Neumann (Chaos Computer Club, CCC) and Christine
> Runnegar (tbc; Internet Society, ISOC), and moderated by Mirko Hohmann
> (Global Public Policy Institute, GPPi).
>
> All guests and participants are invited to join the debate and to openly
> discuss the role that civil society and the technical community could
> and should play in defining our approach to encryption technologies, and
> more widely in Internet policy and governance.
>
> The discussion will be held in English.
>
> When:
> Wednesday, 20 July 2016
>
> Programme:
>
> 18:30 - Arrival and welcoming snack
> 19:00 - Panel discussion
> 19:45 - Open debate with all guests
> 20:30 - Food, drinks and networking
>
> Where:
> Wikimedia Germany
> Tempelhofer Ufer 23/24 - 10963 Berlin
> Room Mosaik
>
> The meeting is the second in a series of events that aims to bring
> together different actors from civil society and academia who are
> interested in international internet policy and its impact on the
> national level. These networking meetings will take place three times
> per year, in Berlin, Germany. They are organised by several civil
> society groups and academic institutions, including the Global Internet
> Governance Academic Network (GigaNet), Medienstadt Leipzig e.V., the WZB
> Berlin Social Science Center, the Global Public Policy Institute (GPPi),
> the IGF academy and the German section of the Internet Governance Forum
> (IGF-D). All stakeholder groups are welcome to join the meetings. This
> series of events is supported by ICANN and Wikimedia Germany.
>
> Please contact us for suggestions regarding potential future topics.
>
> Participation is free but registration is required. RSVP via email to:
>
> Lorena Jaume-Palasi: l.jaume-palasi@irights-lab.de
> Julia Pohle: julia.pohle@wzb.eu
>
> --
> Joseph Lorenzo Hall
> Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
> 1401 K ST NW STE 200, Washington DC 20005-3497
> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>



-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871


From nobody Mon Jul 18 09:15:34 2016
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F11E12DAB8 for <saag@ietfa.amsl.com>; Mon, 18 Jul 2016 09:15:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2X6UtMODXGRF for <saag@ietfa.amsl.com>; Mon, 18 Jul 2016 09:15:31 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B872E12B060 for <saag@ietf.org>; Mon, 18 Jul 2016 09:15:30 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id o80so124321675wme.1 for <saag@ietf.org>; Mon, 18 Jul 2016 09:15:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=from:content-transfer-encoding:subject:message-id:date:to :mime-version; bh=NyuQzb0AUT3wWgGnNEV3Fm9gTEBuIDpeeib8mauhXgw=; b=CCWoJbMyE1ySuC8llMfmKF3TogJaNM0m6SL5vgT9K9Cwh36CN9p4iJAJtoklYQfgxw cSaalH5ug7Lm5ZI6TpSL2TAyShOoJhGBYZ9wd+Y5MF3PfTiIba/KiD3D15pj9HQSxgKS NBUIM8CqhLfznVEZxNbC+sT+yFemjZ1rsTJCAcCjGDJlmXfgMXe0zYKLI+sS9Asak1VF t7Qf0Fnku5E2C29w+485+R80aRpacWiMB5fv9KIrFkq2YmcW/GZg41uEKWRWOKEGf5Ih z5G8neNpkCR3qg9uxQ+dYGVg3j5qumoL3hn0UdtQHnhqNQlA1GjBmKwShXr26sdWlo3A 1asg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-transfer-encoding:subject :message-id:date:to:mime-version; bh=NyuQzb0AUT3wWgGnNEV3Fm9gTEBuIDpeeib8mauhXgw=; b=El25IgRwIOljjxy7Mkp8Mdxn+7CtVi27672wooraFhYZ30vgTeeo2Evp6JUkJNEcao NpZfTX2dVkV/mOZt5VMsUk5p2JEwiWt54+IzEqSGZ6bOGwnEVk6zpF3W2fkP3qlvKZjk CSlQ0m/OVthN/xLhpZ+AyeDm47KQLcUJ3+IgZ7+oZ3kQFarlVTTwpXePy0qI2Ge/Jg8u nw8sKIXowIo7ZtCmy72BHptIj99MnOOnd+l2aTzpiPbE85s0Xt44SRZEg14ALmNYWzc6 s6gblbc4v/IgpGw1BI+awvS3Yb6VmdxzW9moZk7aWm2LobbxGdq6KSPgnFotGfwnqIOK WeEA==
X-Gm-Message-State: ALyK8tIt7TGnTRoRKFRIOTAgNXyDKO6uhDbOSdRuNCTQl5nDb0rPYrinB0jxzwglIsxlzA==
X-Received: by 10.28.61.11 with SMTP id k11mr39592036wma.34.1468858529094; Mon, 18 Jul 2016 09:15:29 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:160:4d6a:efb:6e66:7a4e? ([2001:67c:370:160:4d6a:efb:6e66:7a4e]) by smtp.gmail.com with ESMTPSA id p23sm14606901wme.8.2016.07.18.09.15.28 for <saag@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Mon, 18 Jul 2016 09:15:28 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <5453844D-3592-4D63-9EA6-6D01630D8E55@gmail.com>
Date: Mon, 18 Jul 2016 18:15:27 +0200
To: Security Area Advisory Group <saag@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/h0NsSKcyVnlBoMf8Mw3qE-OR3GQ>
Subject: [saag] HTTP-Auth update
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2016 16:15:32 -0000

HTTP-Auth met for the last time in Buenos Aires. We will not meet in Berlin.

This Sunday we've requested publication of the last of our drafts: the MutualAuth set of documents.

Barring any surprises, we expect to close the working group once these documents get past IETF LC and IESG processing.

Rifaat & Yoav


From nobody Tue Jul 19 02:40:32 2016
Return-Path: <ogud@ogud.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E33B12DFB3 for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 02:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level: 
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ImqBvcOnH-2w for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 02:40:29 -0700 (PDT)
Received: from smtp144.dfw.emailsrvr.com (smtp144.dfw.emailsrvr.com [67.192.241.144]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FDE512DFEA for <saag@ietf.org>; Tue, 19 Jul 2016 02:33:05 -0700 (PDT)
Received: from smtp15.relay.dfw1a.emailsrvr.com (localhost [127.0.0.1]) by smtp15.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id 6C180C0141 for <saag@ietf.org>; Tue, 19 Jul 2016 05:33:04 -0400 (EDT)
X-Auth-ID: ogud@ogud.com
Received: by smtp15.relay.dfw1a.emailsrvr.com (Authenticated sender: ogud-AT-ogud.com) with ESMTPSA id 0ACB2C0115 for <saag@ietf.org>; Tue, 19 Jul 2016 05:33:03 -0400 (EDT)
X-Sender-Id: ogud@ogud.com
Received: from [192.168.1.34] (ppp163-135.as.mi.is [217.151.163.135]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:587 (trex/5.5.4); Tue, 19 Jul 2016 05:33:04 -0400
From: Olafur Gudmundsson <ogud@ogud.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <601377AE-370E-4149-8506-B2252E7C159A@ogud.com>
Date: Tue, 19 Jul 2016 09:33:00 +0000
To: saag@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/C1gcwfOQqwbRBM3whKwap1WAALs>
Subject: [saag] DANE WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 09:40:31 -0000

Did not meet 

Second to last document in AUTH48. 
Last document in WGLC, 
will close when last document is done. 

Olafur


From nobody Tue Jul 19 04:49:01 2016
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 107B912D1EA for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 04:48:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CvGXAPawQA53 for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 04:48:57 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8AA112D13B for <saag@ietf.org>; Tue, 19 Jul 2016 04:48:56 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id f6so89388252ith.1 for <saag@ietf.org>; Tue, 19 Jul 2016 04:48:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=from:subject:date:message-id:cc:to:mime-version; bh=r5IXoiEh7gFW0jaIHdrHmOZlsGHtmAMhtJdvQqMC2g0=; b=at4yCenvH8SmRpgsi70ecGkb/NUjPxZjGnc7Dg91RTt+wLrJ/pLr89i7jApu9WTRSM XzS3pywMMEfSX+qyaUH52zkYDxOog3f2s3QXV2pRjH78MMmbsYljFCjSPoRvsqn4lykJ A/HVBIsmXj5fkl76jyacuiedKrdRc24ESQLLyXkYXzYDP+wM75qBTWBOBoa8GibFXPkt lR+BscSmEjE66yjJrCzWWvrgsIzAoi3MhU3AiPNVxK+Sq5kc/vDiw00WchlWOgBgUPJZ qhkAIkDhve9KhI0LYGFnq18vJQAzYKxJl8vU7zXo4hsm7g5ZMkMFTqmmtZv0uwgSn7io BzrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:date:message-id:cc:to:mime-version; bh=r5IXoiEh7gFW0jaIHdrHmOZlsGHtmAMhtJdvQqMC2g0=; b=UTVqEKmyDvBpOn4pdtiGTg05nTnPCEkmZOJVmCLmGr7VLQFv9Sdh+fTOeB/FMpxE0N vA9eWgPSn3AvrJj3zMVLSw7QdfAmTaAmtbHwyBT/E6Unp63ZJ+hKD4olkGi4MbiEk4EC MrTbVDli/2lN5NxLyNpxwQgER6PGmz8oWYrDaz0wwkrUnOFEyyuvZt40Y5+C8xrakd65 S1we7vf9jwtzqisBxGkanD5eT8lP1XuDLmzPFCPb8gAWXujcQv2QlGQujeNgE6bIdcGl RW3TaAOhnuLZ+CBfjwsCTKFzTUTbaGk2PLbunL2QE7TDdEpsck0upFbxtiIok2RWCQkB HeaA==
X-Gm-Message-State: ALyK8tKXGAaUJY3jeNpsnZgijlTumdIIJ1mwrggea56hHXoAN9yG1vLRaBXxtq2uCbMNOg==
X-Received: by 10.36.60.148 with SMTP id m142mr37262728ita.96.1468928936055; Tue, 19 Jul 2016 04:48:56 -0700 (PDT)
Received: from [100.111.66.208] ([174.34.185.243]) by smtp.gmail.com with ESMTPSA id a65sm5638433itd.18.2016.07.19.04.48.54 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 19 Jul 2016 04:48:55 -0700 (PDT)
From: Adam Montville <adam.w.montville@gmail.com>
X-Pgp-Agent: GPGMail
Content-Type: multipart/signed; boundary="Apple-Mail=_6CC003C1-0952-4FED-9FF3-C10B60583723"; protocol="application/pgp-signature"; micalg=pgp-sha512
Date: Tue, 19 Jul 2016 13:48:54 +0200
Message-Id: <C33585D3-BD3F-4458-BE36-F7053D0350A5@gmail.com>
To: saag <saag@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/wQDl_OTpmvHUx4n-Pl-I9bOPdQw>
Subject: [saag] SACM WG Report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 11:48:59 -0000

--Apple-Mail=_6CC003C1-0952-4FED-9FF3-C10B60583723
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_EB84D9F5-DF47-4D01-8191-679D2FB3DDA7"


--Apple-Mail=_EB84D9F5-DF47-4D01-8191-679D2FB3DDA7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

SACM met on Monday to discuss open issues on
draft-coffin-sacm-nea-swid-patnc [1], draft-ietf-sacm-information-model
[2], draft-ietf-sacm-requirements [3], and draft-ietf-sacm-terminology
[4].

We will meet again on Friday to discuss draft-birkholz-sacm-coswid [5],
and to begin discussing Selecting a Data Format for an Endpoint
Information Data Model.

[1] https://datatracker.ietf.org/doc/draft-coffin-sacm-nea-swid-patnc/
[2] https://datatracker.ietf.org/doc/draft-ietf-sacm-information-model/
[3] https://datatracker.ietf.org/doc/draft-ietf-sacm-requirements/
[4] https://datatracker.ietf.org/doc/draft-ietf-sacm-terminology/
[5] https://datatracker.ietf.org/doc/draft-birkholz-sacm-coswid/

--Apple-Mail=_EB84D9F5-DF47-4D01-8191-679D2FB3DDA7--

--Apple-Mail=_6CC003C1-0952-4FED-9FF3-C10B60583723--


From nobody Tue Jul 19 04:56:03 2016
Return-Path: <melinda.shore@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83D1E12D1B2 for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 04:56:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wrv2Ih7JzkY0 for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 04:56:01 -0700 (PDT)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F362112D501 for <saag@ietf.org>; Tue, 19 Jul 2016 04:55:52 -0700 (PDT)
Received: by mail-lf0-x22d.google.com with SMTP id f93so11965621lfi.2 for <saag@ietf.org>; Tue, 19 Jul 2016 04:55:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=7zKNBlq5jgyLjsdxXuc0z/L2tzZQ8jw1d8pQMFfvPQY=; b=o1V1+hEey/4PmD+gT9kR85dkexKMLd92pUJvLkxPvbaMjmht0hDfSAi4dWRO0i32Tq q9J9Y5rAF6RYXHQDkhp6oY14rv/pdytWgkjQzejOee4rhClCGP9KVAUsolAAenwOvdpw zGb3fuQ8P8/w4tQ/GnXBHJj0/sQCQ7yx6nvr+KgaynhF7le2URWTDlCXf/JiN4nVs3C3 ZK2hhmhpxirUfWQ/XfEq2YwpZk6f9eIRurrS10h6/WocoT37Tw4djXjUXSaGZut7HBKm e4iSVSHd9Z+ae2eWRchJKAUFenNLMdqvJ9Mr6UBqY56UTUuutTmJlf0HiFerKx7wpiT1 V0ig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=7zKNBlq5jgyLjsdxXuc0z/L2tzZQ8jw1d8pQMFfvPQY=; b=LGEtXiwrhTiOtjXFPfQk6uzA3QkZEeO+qEgTO1WN/+CnvtmkAv9Fqy0Jh4p8ePjoqa tD9m5Zzr1T0gcDtzfXeuOXrmH5ObcKASK2ehn8vNp9KlDh2YxmaJIO52YxWA2Ty79wcx 7LepDr/HKnwYQyuJSE9BBjxkjG27FZUUjEhjrh2uGChZw2VEP8EyoRDI+yO95nSDtnb/ 39xvbJafb70qtkM9RTsMFHT3m2wxkQGxpaFl/vKlr1P9hEMOWkzI6GKEm2BsF/MhM/BS h4gfZ37f3WcrALzg+mAZD4DvHaHdKECXD/y9LSIgYxxoEY2jGx349eYfJTR4tA4Ozj6F khSw==
X-Gm-Message-State: ALyK8tIHbnydCcgeHcH37aB0xtk6gX0ajAWsIACVndEt1LxE3Y0i4KJ30qP1wb5PfJSQwQ==
X-Received: by 10.25.83.80 with SMTP id h77mr17690235lfb.83.1468929350870; Tue, 19 Jul 2016 04:55:50 -0700 (PDT)
Received: from dhcp-8c0c.meeting.ietf.org ([2001:67c:370:136:e8b7:7a2f:944e:b4e1]) by smtp.googlemail.com with ESMTPSA id m17sm1091080lfg.1.2016.07.19.04.55.49 for <saag@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 Jul 2016 04:55:50 -0700 (PDT)
To: saag@ietf.org
From: Melinda Shore <melinda.shore@gmail.com>
Message-ID: <ffb8abfa-8fa1-2356-8f44-98439cb7cd4e@gmail.com>
Date: Tue, 19 Jul 2016 13:55:49 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/E0c5kAVQVUNBDMwvijcW6Yzu5V0>
Subject: [saag] trans wg report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 11:56:02 -0000

Trans is not meeting at IETF 96, although we have had
a side meeting.  The core deliverable has been through
working group last call and requires revision, as does
our threat analysis document.  The gossip draft is
starting to look reasonably well-cooked, and this weekend
Linus announced that he had a DNSSEC log server up and
running.

Melinda


From nobody Tue Jul 19 04:58:04 2016
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EE9E12D5A1 for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 04:58:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.987
X-Spam-Level: 
X-Spam-Status: No, score=-3.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iY8fvNZxo4Vc for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 04:58:01 -0700 (PDT)
Received: from prod-mail-xrelay05.akamai.com (prod-mail-xrelay05.akamai.com [23.79.238.179]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF8212D556 for <saag@ietf.org>; Tue, 19 Jul 2016 04:58:01 -0700 (PDT)
Received: from prod-mail-xrelay05.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id D53E83F4002 for <saag@ietf.org>; Tue, 19 Jul 2016 11:58:00 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay05.akamai.com (Postfix) with ESMTP id B4AF63F4001 for <saag@ietf.org>; Tue, 19 Jul 2016 11:58:00 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1468929480; bh=4NHR2nUcTVwysEbTk5QsuHhmJsgT519cC2NsV4+7Fgs=; l=3256; h=From:To:Date:From; b=PryeSAhs5oI/DXoOP3XtYsiN3aKGj8JqHkCgIjw/SE5U0wnSRacL4/a3bQkb8J1kn iNrrjelKwBFBHwsKcavQXPyybI/mkqFD8Xrl3itGtHTUGxhmuhII4xcjs22bW8DJ04 2VylJSM4/WjbMLvbUkbXpfqls9JwvPujaYatJGE8=
Received: from email.msg.corp.akamai.com (usma1ex-cas1.msg.corp.akamai.com [172.27.123.30]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id B1A9E1FC8C for <saag@ietf.org>; Tue, 19 Jul 2016 11:58:00 +0000 (GMT)
Received: from USMA1EX-EXJRNL1.msg.corp.akamai.com (172.27.123.99) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 19 Jul 2016 07:58:00 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by USMA1EX-EXJRNL1.msg.corp.akamai.com (172.27.123.99) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 19 Jul 2016 07:58:00 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1178.000; Tue, 19 Jul 2016 07:58:00 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: ACME WG report
Thread-Index: AdHhtMtDkRoDWzL6RDSpMihAcnEf/A==
Date: Tue, 19 Jul 2016 11:58:00 +0000
Message-ID: <a28ec962b6094132bcec782c8f95d220@usma1ex-dag1mb1.msg.corp.akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.153.26]
Content-Type: multipart/alternative; boundary="_000_a28ec962b6094132bcec782c8f95d220usma1exdag1mb1msgcorpak_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/OKiW11D_Ws1cOV-55KTjix6wdU8>
Subject: [saag] ACME WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 11:58:03 -0000

--_000_a28ec962b6094132bcec782c8f95d220usma1exdag1mb1msgcorpak_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

At IETF 96 we reviewed progress in the latest draft. We will be "adding
back" the older flow in addition to the more complicated/general flow
(variously termed preconditions or application) added in the latest draft.
We are planning on being in last call before IETF 97.

We are actively soliciting drafts to consider for adoption and/or
rechartering for discussion in the early fall.

--
Senior Architect, Akamai Technologies
IM: richsalz@jabber.at Twitter: RichSalz


--_000_a28ec962b6094132bcec782c8f95d220usma1exdag1mb1msgcorpak_--


From nobody Tue Jul 19 05:00:01 2016
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E87BC12D5B6 for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 04:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.987
X-Spam-Level: 
X-Spam-Status: No, score=-3.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Idsc-Bdg8T2 for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 04:59:58 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 37A7712B02D for <saag@ietf.org>; Tue, 19 Jul 2016 04:59:58 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 94612433434 for <saag@ietf.org>; Tue, 19 Jul 2016 11:59:57 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 732D74F02D for <saag@ietf.org>; Tue, 19 Jul 2016 11:59:57 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1468929597; bh=ghqL7UPlbUPNrAYlSNtCq4su54gj8KD26jcjkLmJTGo=; l=2615; h=From:To:Date:From; b=VPwil0C2Mh9Te3nF6JpqWqHIEH+IyntTl1c5buRf8r8tz+RXY6GzvfsutL0aqLNma uvGSKWg7xVUlMXSEL7VdeYHwX6MYJMO1mv8Ooll1ox2OWRVZ2vLk8Vz8We/Lxpi2EH meZ7fm5Ojwf374DLdG4YXurIZw6Dh1+r9+Wa81r8=
Received: from email.msg.corp.akamai.com (usma1ex-cas1.msg.corp.akamai.com [172.27.123.30]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 701471FC8C for <saag@ietf.org>; Tue, 19 Jul 2016 11:59:57 +0000 (GMT)
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 19 Jul 2016 07:59:56 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1178.000; Tue, 19 Jul 2016 07:59:56 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: CURDLE WG report
Thread-Index: AdHhtQ6xQIsqX+bKTIO7ml7L08WfTg==
Date: Tue, 19 Jul 2016 11:59:56 +0000
Message-ID: <7b9b20ed1e664c9e93ba36e452d39159@usma1ex-dag1mb1.msg.corp.akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.153.26]
Content-Type: multipart/alternative; boundary="_000_7b9b20ed1e664c9e93ba36e452d39159usma1exdag1mb1msgcorpak_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/DmCOHG4iLfTQsjSJDuXkv18g_EY>
Subject: [saag] CURDLE WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 12:00:00 -0000

--_000_7b9b20ed1e664c9e93ba36e452d39159usma1exdag1mb1msgcorpak_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

CURDLE did not meet at IETF-96. A discussion about OID assignments for
curves will be held as part of the LAMPS session.

--
Senior Architect, Akamai Technologies
IM: richsalz@jabber.at Twitter: RichSalz


--_000_7b9b20ed1e664c9e93ba36e452d39159usma1exdag1mb1msgcorpak_--


From nobody Tue Jul 19 05:45:32 2016
Return-Path: <ietf@augustcellars.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C46D612D74B for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 05:45:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.488
X-Spam-Level: 
X-Spam-Status: No, score=-0.488 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0iQHZE0njtj for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 05:45:26 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18A6812D7B2 for <saag@ietf.org>; Tue, 19 Jul 2016 05:43:42 -0700 (PDT)
Received: from hebrews (31.133.168.227) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 19 Jul 2016 05:49:56 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: <saag@ietf.org>
Date: Tue, 19 Jul 2016 14:43:36 +0200
Message-ID: <007e01d1e1bb$2c85b870$85912950$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdHhusJkxFczwfUjQZeBnoFLWDVJ5Q==
Content-Language: en-us
X-Originating-IP: [31.133.168.227]
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/tnN66V0BJ17-az5VNJWklYHHoWw>
Subject: [saag] JOSE Meeting Report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 12:45:32 -0000

The JOSE WG did not meet in Berlin.

The chairs and the AD hope to resolve the status of the final document
before the F2F meeting ends.  After that is resolved then the WG should be
ready to close.

Jim



From nobody Tue Jul 19 06:09:45 2016
Return-Path: <ncamwing@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12B8612D91E for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 06:09:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.807
X-Spam-Level: 
X-Spam-Status: No, score=-15.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4nPqTPZSxmL for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 06:09:42 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7FC312B00A for <saag@ietf.org>; Tue, 19 Jul 2016 06:03:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=51082; q=dns/txt; s=iport; t=1468933417; x=1470143017; h=from:to:subject:date:message-id:mime-version; bh=LdmQARGRVkkOA4NA8vtqBETK+uiecHxX3uQFG8UCgYo=; b=SVqRRjM2WQZsS4aD8WPWW6Sj3dygpFKPlL0eQugl53REN+j+IywV1XAK aUpFOiYs2za0wGIlFHeeG6AXjpCjF+SXGz0JovVztSJjTwWmVtyiKuLbC LoDoJ77xkTjW8kBAQ370YLmV8exOu/Isy6cwyH/PjkBSklve8+rv9Svyh Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BQAgCwI45X/5NdJa1cgnFOVnwGtlKCD?= =?us-ascii?q?4F6IoUugXs4FAEBAQEBAQFlHAuEYy1eAUABPycEiEMOnledbgEBAQEBBQEBAQE?= =?us-ascii?q?BARwFjBeIewWTPCeFQQGGEohPjzeQHQEeNoNzbocmfwEBAQ?=
X-IronPort-AV: E=Sophos;i="5.28,389,1464652800";  d="scan'208,217";a="131075893"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Jul 2016 13:03:37 +0000
Received: from XCH-RTP-015.cisco.com (xch-rtp-015.cisco.com [64.101.220.155]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u6JD3a3e006263 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <saag@ietf.org>; Tue, 19 Jul 2016 13:03:37 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-015.cisco.com (64.101.220.155) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 19 Jul 2016 09:03:36 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1210.000; Tue, 19 Jul 2016 09:03:36 -0400
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: ANIMA Monday meeting report
Thread-Index: AQHR4b31y5DzZpX5KU+w6BR3/0CXuw==
Date: Tue, 19 Jul 2016 13:03:35 +0000
Message-ID: <D3B37330.1800D5%ncamwing@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.6.6.160626
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.1.202]
Content-Type: multipart/alternative; boundary="_000_D3B373301800D5ncamwingciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FVeigBZ_eeIDsPbZpEo0GVbZBts>
Subject: [saag] ANIMA Monday meeting report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 13:09:44 -0000

--_000_D3B373301800D5ncamwingciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Anima met yesterday where updates to GRASP, Anima Reference Model and
Bootstrapping were provided.
Updates to GRASP included better clarity in different sections;
specifically around discovery and multicast flood handling.
Of interest, there were substantive points discussed in the Bootstrapping
slot:

- What should the MTI set of protocols for Anima bootstrap be: still in
  discussion

- Introduction of more details for using CoAP as part of the bootstrap
  transport, now in draft
  https://tools.ietf.org/html/draft-pritikin-coap-bootstrap-00

- Potential use of MUD to help with discovery

Anima will meet again on Thursday Session II

Nancy.

--_000_D3B373301800D5ncamwingciscocom_
Content-Type: text/html; charset="us-ascii"
Content-ID: <CB17738070365142B82E02B40BF9C2D4@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable

<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
>
</head>
<body style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-lin=
e-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-fami=
ly: Calibri, sans-serif;">
<div><!--[if gte mso 9]><xml>
 <w:LatentStyles DefLockedState=3D"false" DefUnhideWhenUsed=3D"true"
  DefSemiHidden=3D"true" DefQFormat=3D"false" DefPriority=3D"99"
  LatentStyleCount=3D"276">
  <w:LsdException Locked=3D"false" Priority=3D"0" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Normal"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"heading 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" Name=3D"=
heading 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" Name=3D"=
heading 3"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" Name=3D"=
heading 4"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" Name=3D"=
heading 5"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" Name=3D"=
heading 6"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" Name=3D"=
heading 7"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" Name=3D"=
heading 8"/>
  <w:LsdException Locked=3D"false" Priority=3D"9" QFormat=3D"true" Name=3D"=
heading 9"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 1"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 2"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 3"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 4"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 5"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 6"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 7"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 8"/>
  <w:LsdException Locked=3D"false" Priority=3D"39" Name=3D"toc 9"/>
  <w:LsdException Locked=3D"false" Priority=3D"35" QFormat=3D"true" Name=3D=
"caption"/>
  <w:LsdException Locked=3D"false" Priority=3D"10" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Title"/>
  <w:LsdException Locked=3D"false" Priority=3D"1" Name=3D"Default Paragraph=
 Font"/>
  <w:LsdException Locked=3D"false" Priority=3D"11" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Subtitle"/>
  <w:LsdException Locked=3D"false" Priority=3D"22" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Strong"/>
  <w:LsdException Locked=3D"false" Priority=3D"20" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"Emphasis"/>
  <w:LsdException Locked=3D"false" Priority=3D"59" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Table Grid"/>
  <w:LsdException Locked=3D"false" UnhideWhenUsed=3D"false" Name=3D"Placeho=
lder Text"/>
  <w:LsdException Locked=3D"false" Priority=3D"1" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" QFormat=3D"true" Name=3D"No Spacing"/>
  <w:LsdException Locked=3D"false" Priority=3D"60" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light Shading"/>
  <w:LsdException Locked=3D"false" Priority=3D"61" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light List"/>
  <w:LsdException Locked=3D"false" Priority=3D"62" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Light Grid"/>
  <w:LsdException Locked=3D"false" Priority=3D"63" SemiHidden=3D"false"
   UnhideWhenUsed=3D"false" Name=3D"Medium Shading 1"/>
 </w:LatentStyles>
</xml><![endif]--><!--StartFragment-->
<p class=3D"MsoNormal"><span lang=3D"EN-US">Anima met yesterday where updates to GRASP, Anima Reference Model and Bootstrapping were provided.</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">Updates to GRASP included better clarity in different sections; specifically around discovery and multicast flood handling.</span></p>
<p class=3D"MsoNormal"><span lang=3D"EN-US">Of interest, there were substantive points discussed in the Bootstrapping slot:</span></p>
<p class=3D"MsoListParagraphCxSpFirst"><span lang=3D"EN-US">- What should the MTI set of protocols be for Anima bootstrap: still in discussion</span></p>
<p class=3D"MsoListParagraphCxSpMiddle"><span lang=3D"EN-US">- Introduction of more details for using CoAP as part of the bootstrap transport now in draft https://tools.ietf.org/html/draft-pritikin-coap-bootstrap-00</span></p>
<p class=3D"MsoListParagraphCxSpLast"><span lang=3D"EN-US">- Potential use of MUD to help with discovery</span></p>
<span lang=3D"EN-US">Anima will meet again on Thursday Session II</span><!--EndFragment-->&nbsp;</div>
<div><br>
</div>
<div><span class=3D"Apple-tab-span" style=3D"white-space:pre"></span>Nancy.=
&nbsp;&nbsp;&nbsp;</div>
</body>
</html>

--_000_D3B373301800D5ncamwingciscocom_--


From nobody Tue Jul 19 06:18:40 2016
To: SAAG <saag@ietf.org>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <578E2638.7020906@gmail.com>
Date: Tue, 19 Jul 2016 15:08:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kQ_314PaALvNePazqXrq-s1vBRo>
Subject: [saag] LURK BoF report

The LURK BoF met Monday evening. We presented the use cases and two 
protocol proposals, and then moved into discussion of a charter 
proposal. The sense of the room was that we should take the short-term 
certificate solution option and propose it to ACME. However, it was not 
clear there was sufficient understanding of the requirements for the 
TLS-signing protocol option to justify creating a working group at this 
time.

We would like to use this opportunity to thank the folks that 
contributed documents and reviews during this process. The LURK mailing 
list remains open for discussion focused on the need, if any, for a 
TLS-signing protocol.

Thanks,

     Eric and Yaron


From nobody Wed Jul 20 00:54:22 2016
MIME-Version: 1.0
Sender: barryleiba@gmail.com
From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 20 Jul 2016 09:54:17 +0200
Message-ID: <CALaySJLJyGDioihCpNtoUYCZnXWM+6wfDGcxiE27kK_s7uPANA@mail.gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/OfTyie_6lDRt4Flo4OzdQR0XFCE>
Subject: [saag] OpenPGP report for IETF 96

OpenPGP has established draft-ietf-openpgp-4880bis as a working group
draft, and the IETF 96 session was spent discussing the changes that
need to be made with respect to 4880, concentrating on those for which
the resolution is uncertain.  Some issues will go to the mailing list
for further discussion, including fingerprinting, MTI profile, and the
list of algorithms to be deprecated.

There was also a brief discussion about how to handle the algorithm
registry, with a proposal to use the normal code points only for
IETF-recommended algorithms, and to allow any others to be registered,
FCFS, as OIDs.  Discussion will go to the mailing list.

-- 
Barry and Daniel


From nobody Wed Jul 20 02:32:21 2016
MIME-Version: 1.0
From: Joseph Salowey <joe@salowey.net>
Date: Wed, 20 Jul 2016 11:31:58 +0200
Message-ID: <CAOgPGoBiR6Meoo68XehteY0rQ9VuPVJ1Mg8OhorOJMwkBFPCaw@mail.gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary=001a114596a89fa70c05380de0b6
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/EKSooHOpH6OMIP5vKZE-UWXyABg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [saag] TLS WG Summary for IETF 96

--001a114596a89fa70c05380de0b6
Content-Type: text/plain; charset=UTF-8

The TLS working group met on Tuesday morning. We are continuing progress on
TLS 1.3. Main discussion points included a change in the cipher suite model
from a monolithic ID approach to a menu based approach. During the
hackathon on Saturday we had 7 different TLS 1.3 implementations achieve
interoperability to various degrees. We expect to have a draft (probably
-16) that "freezes" the wire format at the end of next month available for
broad review by the cryptographic and security modeling communities. We
plan on holding working group last call before the next IETF.


--001a114596a89fa70c05380de0b6--


From nobody Wed Jul 20 02:39:03 2016
From: "Roman D. Danyliw" <rdd@cert.org>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: DOTS WG Report
Date: Wed, 20 Jul 2016 09:38:50 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0104E1CBF8@marathon>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/og6mQfy1JA8HG4Rs1QjZqaGfkTA>
Subject: [saag] DOTS WG Report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 09:39:02 -0000

DOTS met late Tuesday afternoon to discuss the use cases [1], requirements
[2] and architecture [3] drafts; and the emerging protocol drafts
[4][5][6][7] that have begun implementing them.

No new use cases came from the discussion.  The requirements and
architecture drafts are catching up to document them.  Collectively, the
four protocol drafts appear to be covering all known use cases.

[1] draft-ietf-dots-use-cases-02
[2] draft-ietf-dots-requirements-02
[3] draft-ietf-dots-architecture-00
[4] draft-reddy-dots-transport-05
[5] draft-francois-dots-ipv6-signal-option-00
[6] draft-fu-dots-ipfix-extension-01
[7] draft-nishizuka-dots-inter-domain-mechanism-01


From nobody Wed Jul 20 05:37:03 2016
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7BD112D0F0 for <saag@ietfa.amsl.com>; Wed, 20 Jul 2016 05:37:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wz_nY7ffLDnL for <saag@ietfa.amsl.com>; Wed, 20 Jul 2016 05:37:01 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A33FF12D587 for <saag@ietf.org>; Wed, 20 Jul 2016 05:37:00 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u6KCauLq027158 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <saag@ietf.org>; Wed, 20 Jul 2016 15:36:56 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u6KCaukq009136; Wed, 20 Jul 2016 15:36:56 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22415.28776.589102.888243@fireball.acr.fi>
Date: Wed, 20 Jul 2016 15:36:56 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: saag@ietf.org
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 3 min
X-Total-Time: 8 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/OSezRsDwLzHzTUi7JDzyM4b1g6A>
Subject: [saag] IPsecME report for IETF 96
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 12:37:03 -0000

IPsecME WG met on Tuesday, and first we discussed old working
items. The DDoS protection draft is through WGLC, and should be going
forward soon. The mandatory to implement crypto algorithm drafts
(rfc4307bis, rfc7321bis) got some discussion and there will be
new versions submitted before they are ready. The Safecurves document is
also getting ready for the WGLC, so we should have several documents
going out from the WG soon.

After that we had a discussion about the TCP encapsulation of IKEv2,
and then requirements for quantum resistance in IKEv2, both
of which are new work to be chartered in the WG.

We will be updating our charter to add new items (MTI algorithm
updates, new algorithms, quantum resistance, TCP encapsulation, split
DNS, implicit IV).
-- 
kivinen@iki.fi


From nobody Wed Jul 20 07:15:15 2016
Return-Path: <ted.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C36F12D7B0 for <saag@ietfa.amsl.com>; Wed, 20 Jul 2016 07:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nUI_2SpCjZsq for <saag@ietfa.amsl.com>; Wed, 20 Jul 2016 07:15:10 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E50712D66E for <saag@ietf.org>; Wed, 20 Jul 2016 07:15:10 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id l72so73140175oig.2 for <saag@ietf.org>; Wed, 20 Jul 2016 07:15:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:from:date:message-id:subject:to; bh=OFInwQPW4+tZdunu49labXGK6zNB7HFP3UQKQk2pZ+c=; b=ZTH0wl6XxRfcPVaZFCIjaDGXF0dpOhYNgikGMGhpl6sE8gKEwj3JKRSY8j7UJFBjPZ CrTeZaOizJFaRDbCQC3KP6Vn9P/z4xtQBcjU2Mn7ytjn+KjyDNc4vhWXQXSbTEnYBc5h PUBTW8ApwE7neaI7rQTsCHA5r5lNRZAUQ7EJqkTTE111I5s+jihGUAY+HnIgvvedePiz ffkDLc/H0nUEKahcVZRnVahbiHXgf6wqRWdA4Uz+ifRaww7mjqgqtbt1hC1sRpK4Oc7n l2bk+ClfyO3piP/6YW2i2hRrnRmOS5njKKGReNIQro0L9lK1gHbv5GWb1GadOlBKtaan 9p6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=OFInwQPW4+tZdunu49labXGK6zNB7HFP3UQKQk2pZ+c=; b=Gu24TEkHh10yGl4d5eA9eDBLFuFTTU0CN8MNxHzHTZSQASAWic5oyAFhebTH6NJ8dB 7/ve7CDer5fMOsKovCentIo9rrdyYW+GPhd8WLC6rkKx190SREDxPNUZMHHuPrBv1wBY RBYqrzn6FVUyt3WEjvQPlrxKiQy9upKn9Sz/QkjqMTYEP44ZiGbbJ5+H7J6N1wBLzDEz 2DpNa6cuGD5pCXuqQv9TAsBbl87P+gIKuv2c2+aJpVOCmlOfYSo9LNP/U7VcdkJC+qiW P7WH8WeggLUvU7Li4J9KYBIjaUReK/tfsrChIC4HU/6syrWe6u2SEhxyrs76FBKXDq8e 4WRg==
X-Gm-Message-State: ALyK8tI/zWUqBx0R+h7rWX+ahs863YD1NA+DgEIvlKgEARkmbQW3+/9AZ8tYQsGYzv3ymQ8Q3xexnn9onkoM3Q==
X-Received: by 10.157.51.49 with SMTP id f46mr27731065otc.40.1469024109154; Wed, 20 Jul 2016 07:15:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.222.213 with HTTP; Wed, 20 Jul 2016 07:14:39 -0700 (PDT)
From: Ted Hardie <ted.ietf@gmail.com>
Date: Wed, 20 Jul 2016 16:14:39 +0200
Message-ID: <CA+9kkMDF_djOWJGmuh0r_9AVCpjgA-FGWk_OAC8w0Zf7q5c6Nw@mail.gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary=001a113d0ece315c34053811d4a3
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1XbPlStvo9pnDK0rH6p18WLvfM4>
Subject: [saag] IAB Privacy and Security program meeting
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 14:15:13 -0000

--001a113d0ece315c34053811d4a3
Content-Type: text/plain; charset=UTF-8

Howdy,

The IAB program on privacy and security met Monday.  After the meeting, we
expect a major update to draft-iab-web-pki-problems-02, narrowing its scope
substantially.   We also anticipate soliciting reviews on the draft from
saag with the next revision.  The group also discussed
draft-hardie-privsec-metadata-insertion
and believes that its advice might be best incorporated into RFC 3552bis,
if there should be IETF consensus on the advice.  We will send text to the
editors as a next step.  The group also agreed to volunteer as a guinea pig
audience for future privacy training as part of the EDU team's program for
IETF 97.  The group then discussed the general topic of "identifier
lifecycle management", with a focus on describing design patterns for
avoiding identifier leakage and linkability.  A small document team for
that has come together. Lastly, the group agreed to review
https://www.w3.org/TR/fingerprinting-guidance/ both to provide feedback and
to consider a companion document related to technologies outside the web.

The description of the program is here:
https://www.iab.org/activities/programs/privacy-and-security-program/

regards,

Ted Hardie

--001a113d0ece315c34053811d4a3--


From nobody Wed Jul 20 09:23:37 2016
Return-Path: <kaduk@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF94812D195 for <saag@ietfa.amsl.com>; Wed, 20 Jul 2016 09:23:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.508
X-Spam-Level: 
X-Spam-Status: No, score=-5.508 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ETs6-7l9muGe for <saag@ietfa.amsl.com>; Wed, 20 Jul 2016 09:23:33 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E36012B05E for <saag@ietf.org>; Wed, 20 Jul 2016 09:23:33 -0700 (PDT)
X-AuditID: 1209190d-30bff70000002dac-2e-578fa583d90c
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id 12.22.11692.385AF875; Wed, 20 Jul 2016 12:23:32 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u6KGNVsI028755 for <saag@ietf.org>; Wed, 20 Jul 2016 12:23:31 -0400
Received: from multics.mit.edu (system-low-sipb.mit.edu [18.187.2.37]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u6KGNSHT021392 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <saag@ietf.org>; Wed, 20 Jul 2016 12:23:30 -0400
Received: (from kaduk@localhost) by multics.mit.edu (8.12.9.20060308) id u6KGNRoh004151; Wed, 20 Jul 2016 12:23:27 -0400 (EDT)
Date: Wed, 20 Jul 2016 12:23:27 -0400 (EDT)
From: Benjamin Kaduk <kaduk@MIT.EDU>
To: saag@ietf.org
Message-ID: <alpine.GSO.1.10.1607200955110.5272@multics.mit.edu>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fy_xPq0DGa0M6whLcN7baBZPDZk>
Subject: [saag] kitten WG status for IETF 96
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 16:23:37 -0000

Kitten is not meeting in Berlin.

Since Buenos Aires, we have had one document advance to IETF LC
(draft-ietf-kitten-aes-cts-hmac-sha2); the WG is happy with it but the
secdir reviewer would have preferred different choices for the crypto and
that thread is not fully resolved yet.

Another draft, draft-ietf-kitten-pkinit-freshness, is on its way to the
IESG pending a shepherd writeup.

In an attempt to mitigate low working group energy, we have decided to
adopt a new scheme for obtaining and tracking document reviews, instead of
the traditional WGLC period before advancing documents to the IESG.
We'll still get document reviews on the mailing list, but we'll also have
a wiki page per document where the chairs (or other participants) will put
links to the review thread, along with which version of the document was
reviewed and any administrative comments about it.  Once the chairs feel a
document has gotten enough review, we'll let the WG list know we plan to
move it forward and start working on the shepherd writeup right away,
without a fixed wait period for objections.  This way the reviews don't
all need to come in during a small time window of WGLC.

We hope that this scheme will help us clear the backlog of WG documents
we've accumulated, documents that ought to get published but are in some
sense "insufficiently interesting" to have people championing them and
keeping them moving.

Documents "ready for WGLC" that are good candidates for this experiment
include:

draft-ietf-kitten-krb-auth-indicator
draft-ietf-kitten-gssapi-extensions-iana
draft-ietf-kitten-sasl-saml-ec
draft-ietf-kitten-rfc6112bis (once a new revision gets posted; currently
                              waiting for approval)
draft-ietf-kitten-pkinit-alg-agility
draft-ietf-kitten-rfc5653bis
draft-ietf-kitten-iakerb

-Ben


From nobody Wed Jul 20 13:46:33 2016
Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 555E312D66F for <saag@ietfa.amsl.com>; Wed, 20 Jul 2016 13:46:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level: 
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhul.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FDXDQqvhX5wz for <saag@ietfa.amsl.com>; Wed, 20 Jul 2016 13:46:30 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-he1eur01on0079.outbound.protection.outlook.com [104.47.0.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAC1712D61B for <saag@ietf.org>; Wed, 20 Jul 2016 13:46:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhul.onmicrosoft.com;  s=selector1-rhul-ac-uk; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=QaDXNo6tutGif4c8c5kRrK0ZIvAMC+NzK30myEKPmHQ=; b=q0zvBcQWFw0hsX4lAgamqtvJE3HWA9F84WDJhq/bIdihboGICutfM5YLNFLiDPTfDA9Rss9O7uoy2HttRzw79hbXYIYr1WG3JxdN1O3jzU5dpiwP11bJpRM6ZCDoDMEmu7kLpHBl+VPFbXqqaP+VWBJKyydEZlO6+q5umFIvOA0=
Received: from VI1PR03MB1822.eurprd03.prod.outlook.com (10.166.42.148) by VI1PR03MB1822.eurprd03.prod.outlook.com (10.166.42.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.544.10; Wed, 20 Jul 2016 20:46:24 +0000
Received: from VI1PR03MB1822.eurprd03.prod.outlook.com ([10.166.42.148]) by VI1PR03MB1822.eurprd03.prod.outlook.com ([10.166.42.148]) with mapi id 15.01.0544.014; Wed, 20 Jul 2016 20:46:24 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: CFRG status for IETF 96
Thread-Index: AQHR4sfHv0lD6oPPcUW8dn49g4Pp5g==
Date: Wed, 20 Jul 2016 20:46:24 +0000
Message-ID: <D3B5A1FB.7149B%kenny.paterson@rhul.ac.uk>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.6.5.160527
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Kenny.Paterson@rhul.ac.uk; 
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [46.189.28.200]
x-ms-office365-filtering-correlation-id: b2d045b9-269c-49d2-a0a2-08d3b0dee9f0
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR03MB1822;
x-microsoft-antispam-prvs: <VI1PR03MB1822201D80ABB0B53A0C7BCABC080@VI1PR03MB1822.eurprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001); SRVR:VI1PR03MB1822; BCL:0; PCL:0; RULEID:; SRVR:VI1PR03MB1822; 
x-forefront-prvs: 000947967F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(189002)(199003)(551544002)(36756003)(2501003)(1730700003)(189998001)(110136002)(101416001)(8676002)(107886002)(229853001)(4001350100001)(305945005)(7846002)(97736004)(87936001)(8936002)(86362001)(105586002)(81156014)(81166006)(68736007)(7736002)(11100500001)(106116001)(5640700001)(10400500002)(5002640100001)(66066001)(2351001)(106356001)(92566002)(83506001)(3660700001)(102836003)(50986999)(2906002)(3280700002)(54356999)(2900100001)(122556002)(77096005)(74482002)(3846002)(586003)(6116002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR03MB1822; H:VI1PR03MB1822.eurprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: rhul.ac.uk does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <75D823A8EBC190438FA6C0C266B4E37E@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: rhul.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jul 2016 20:46:24.1419 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR03MB1822
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/LHelWEZX7VeLlsk0rYGExbZ22g4>
Subject: [saag] CFRG status for IETF 96
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 20:46:32 -0000

From nobody Thu Jul 21 03:26:35 2016
Return-Path: <oritl@microsoft.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D64F12DC6B; Thu, 21 Jul 2016 03:26:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level: 
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9FFiGkT_yIUE; Thu, 21 Jul 2016 03:26:33 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0131.outbound.protection.outlook.com [104.47.33.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93D9212DCC1; Thu, 21 Jul 2016 03:26:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=xJreuD4rR1WnAD9rC76YAR8nSFaDUOvwp71LYXCkf8I=; b=BjkxYYGIDX40JnX5/tIxOoSE11+pDmqkNHpmWo4iOISij4dg+KZg1HSFVbkMfKvF02GtGuXpKs5j0niJvrK1YbtT+eRtcv0sgyJa9jdxlt/zpTKlFhqa/Jm9i9jb76wmcisnL3u5jZivGrtphUGWecMo9N/wiPch510zZYDpFgY=
Received: from BN3PR0301MB0867.namprd03.prod.outlook.com (10.160.155.141) by BN3PR0301MB0866.namprd03.prod.outlook.com (10.160.155.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.539.14; Thu, 21 Jul 2016 10:26:02 +0000
Received: from BN3PR0301MB0867.namprd03.prod.outlook.com ([10.160.155.141]) by BN3PR0301MB0867.namprd03.prod.outlook.com ([10.160.155.141]) with mapi id 15.01.0528.014; Thu, 21 Jul 2016 10:26:02 +0000
From: Orit Levin <oritl@microsoft.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: UTA WG Report for IETF 96 to SAAG
Thread-Index: AdHjNlJvZIpem68TSMGpkO9f/xjYMQ==
Date: Thu, 21 Jul 2016 10:26:01 +0000
Message-ID: <BN3PR0301MB086786E46E25FE67477CEA2CAD090@BN3PR0301MB0867.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=oritl@microsoft.com; 
x-originating-ip: [2001:67c:370:136:cc91:6a2e:82c8:fadd]
x-ms-office365-filtering-correlation-id: 51aadac2-82ed-42ba-cabe-08d3b1516a1e
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB0866;
x-microsoft-antispam-prvs: <BN3PR0301MB0866BA6C7AB52C99D9328B88AD090@BN3PR0301MB0866.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(211171220733660);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:BN3PR0301MB0866; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB0866; 
x-forefront-prvs: 0010D93EFE
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(6009001)(7916002)(199003)(189002)(33656002)(586003)(4326007)(101416001)(8990500004)(2351001)(229853001)(5005710100001)(99286002)(76576001)(10290500002)(10400500002)(9686002)(97736004)(106356001)(189998001)(6116002)(102836003)(110136002)(2906002)(50986999)(54356999)(81166006)(68736007)(81156014)(1730700003)(8676002)(10090500001)(7846002)(7696003)(92566002)(122556002)(74316002)(5003600100003)(87936001)(7736002)(305945005)(3660700001)(3280700002)(2501003)(77096005)(5002640100001)(8936002)(86612001)(11100500001)(86362001)(105586002)(5640700001)(2900100001)(450100001)(3826002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB0866; H:BN3PR0301MB0867.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jul 2016 10:26:01.7970 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0301MB0866
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-uI98pWVqXxVP7R_enpBI9BWHu0>
Cc: "uta@ietf.org" <uta@ietf.org>
Subject: [saag] UTA WG Report for IETF 96 to SAAG
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 10:26:35 -0000

UTA WG met on Tue.
All agenda topics relate to using TLS with e-mail protocols.
Alexey replaced Stephen as the responsible AD.
The discussion was highly technical and positive. Some of the main
interested parties met for the first time f2f.
There is a good chance that the next bulk of work can be done on the list
and we may skip the next IETF.

A few technical details:
MTA-MTA interface: both drafts have been updated before the IETF. More
comments were received during the meeting. Main suggestions for improvement
are in two areas: (1) describing the state machine on both sides in
more detail and (2) adding considerations regarding protocols' parameters
tuning (e.g., for HTTPS) suitable for different deployment cases. The
authors will submit new revisions.
MUA-MTA interface: the draft has been updated to bring it closer to the STS
mechanism. Areas of possible synergy include registry and common in-band
and out-of-band reporting mechanisms. The authors and Victor D. will
continue to iterate on those. The results will be reflected in future
drafts' submissions.

Orit.


From nobody Thu Jul 21 03:30:39 2016
Return-Path: <wseltzer@w3.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5814612DD06 for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 03:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id shbuwXHZnXG4 for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 03:30:33 -0700 (PDT)
Received: from raoul.w3.org (raoul.w3.org [IPv6:2001:470:8b2d:804:52:12:128:0]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1083D12DC95 for <saag@ietf.org>; Thu, 21 Jul 2016 03:29:53 -0700 (PDT)
Received: from [2001:67c:370:176:b17a:55bc:9b13:2b88] by raoul.w3.org with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <wseltzer@w3.org>) id 1bQBEm-0007J8-Hm; Thu, 21 Jul 2016 10:29:52 +0000
To: saag@ietf.org
From: Wendy Seltzer <wseltzer@w3.org>
Organization: W3C
Message-ID: <5790A41E.1030104@w3.org>
Date: Thu, 21 Jul 2016 06:29:50 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/xHE0gc2N3XTxNyfSY9h2NuOP808>
Subject: [saag] W3C update (SRI, WebAppSec, WebAuthn, WebCrypto)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 10:30:36 -0000

An update on security-related W3C activities:

Subresource Integrity is a W3C Recommendation
   https://www.w3.org/TR/SRI/

Web Authentication Working Group launched and published the FPWD of its
WebAuthn API (a Web API for strong cryptographic authentication)
   https://www.w3.org/webauthn/
   https://www.w3.org/TR/webauthn/

WebAppSec WG published SRI Rec; Candidate Recommendations of CSP Level
2, Upgrade Insecure Requests, and Mixed Content; near CR on Secure
Contexts. Ongoing includes CSP Level 3, Referrer Policy, Permissions
API, UI Security (Ironframe).
   https://www.w3.org/2011/webappsec/

WebCrypto WG is concluding interop testing to reach Proposed Recommendation.
   https://w3c.github.io/webcrypto/Overview.html

Overview of related groups, including Web Payments:
   https://www.w3.org/Security/

--Wendy

-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)


From nobody Thu Jul 21 03:35:48 2016
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C1EA12DD49 for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 03:35:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.508
X-Spam-Level: 
X-Spam-Status: No, score=-5.508 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e_y5lykBxR9u for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 03:35:42 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83E8E12DD06 for <saag@ietf.org>; Thu, 21 Jul 2016 03:33:48 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml706-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CSY76697; Thu, 21 Jul 2016 10:33:45 +0000 (GMT)
Received: from DFWEML703-CAH.china.huawei.com (10.193.5.177) by lhreml706-cah.china.huawei.com (10.201.5.182) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 21 Jul 2016 11:33:44 +0100
Received: from DFWEML501-MBB.china.huawei.com ([10.193.5.179]) by DFWEML703-CAH.china.huawei.com ([10.193.5.177]) with mapi id 14.03.0235.001; Thu, 21 Jul 2016 03:33:38 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>, "kathleen.moriarty.ietf@gmail.com" <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: I2NSF  short reports to saag l
Thread-Index: AQHR4Qo2DvA7unQiCUu9p414cVqbN6Ais77A
Date: Thu, 21 Jul 2016 10:33:38 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F657F09DAF@dfweml501-mbb>
References: <578CF424.2020402@cs.tcd.ie>
In-Reply-To: <578CF424.2020402@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [10.200.218.235]
Content-Type: multipart/mixed; boundary="_002_4A95BA014132FF49AE685FAB4B9F17F657F09DAFdfweml501mbb_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090205.5790A50A.0284, ss=1, re=0.000, recu=0.000, reip=0.000,  vtr=str, vl=0, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 5f9a062d3ff9c527a2173ca413af91c8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/k5CPlAsmYi2qxTgOh8RLBvUecvM>
Cc: Adrian Farrel <adrian@olddog.co.uk>
Subject: [saag] I2NSF  short reports to saag l
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 10:35:45 -0000

--_002_4A95BA014132FF49AE685FAB4B9F17F657F09DAFdfweml501mbb_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_002_4A95BA014132FF49AE685FAB4B9F17F657F09DAFdfweml501mbb_
Content-Type: application/vnd.openxmlformats-officedocument.presentationml.presentation;
	name="I2NSF for SAAG report  one page .pptx"
Content-Description: I2NSF for SAAG report  one page .pptx
Content-Disposition: attachment;
	filename="I2NSF for SAAG report  one page .pptx"; size=93636;
	creation-date="Thu, 21 Jul 2016 10:01:06 GMT";
	modification-date="Thu, 21 Jul 2016 10:28:46 GMT"
Content-Transfer-Encoding: base64

251ICOOK5/3xu+hPqmXdoM97ImGHtkfteengHHSryGmryJblCUWrfXH7QpegC13gnQHoV6Wx56Jj
+3r9ke8FvucMPe/MCbzToTNbjAInms39swiGA2/0aF9lmHOo7l9d+3D/48PD/c8OPGsvlvrFgaF5
luyjwuQVKdcHe/PBWwx+mtupEl7f5v59CjEY7Ws+/QUAAP//AwBQSwMEFAAGAAgAAAAhAGLnUkGn
AgAAwgYAACEAAABwcHQvc2xpZGVMYXlvdXRzL3NsaWRlTGF5b3V0Ny54bWysVVtu2zAQ/C/QOwjs
tyLTUhxbsB3ED/UnTYw6OcBGoiwhFKmStGu3KJBrtcfJSbqkrKR1UyBF/WNTq93hzsySGp5vK+5t
mNKlFCNCTzrEYyKVWSlWI3J7k/h94mkDIgMuBRuRHdPkfPz2zbCONc8uYSfXxkMMoWMYkcKYOg4C
nRasAn0iaybwXS5VBQYf1SrIFHxG7IoH3U6nF1RQCrKvV6+pl3lepmwm03XFhGlAFONgsH9dlLVu
0erXoNWKaYRx1b+3ZHY1sr3jIO6J59LUBgOUjJF5uuSZJ6DCwMRl2KCubxRjdiU271W9rBfK5V5t
FsorM1u7ryHB/sU+zT0KTMNFcFC+apEg3uaqGg8hRgm87YigUzv7i0UQs63x0iaYPkfT4vqF3LSY
v5AdtBtgB0+bWlYNoz/pdFs6MzDMW3BIWSF5xpRHnwg2VYAolzK9156QSNkq0TBNrzYtrqVvd6oL
r5E+Mzh4X9BE4DlB/ZAcdWSdQjbZLdp6jXI7Hc12IrOd1eQO/10QYq7N0uw4c1ohI4hzdNCa8jWJ
5nTS6Q38cJZEfhT2Tv1BOO/7s2h+cRFNot50EH4jbVNI1ZQVS8rVWrHrtcFxgFihwTgGeGCY8G+X
2HdlppwBHqi9PU1zEJvxWdClOLW0N0TBDZJwrTgLRbYABR8PwKxSEGPPSLflhsvGl7+7E7buJFIa
9ORXf7rH8Cc3qjHo0xoU7tB61HrbGPpfHrGjKhK1iix5mTHval3dHegSHkMXvBUR+kVpnO5OkeON
L+0OQhqF1O9TeuZH9LTvT2aDyE8m0/AswWWPDp7GV1vmArv716l9fPj+7vHhxxFm1o1uc1Hi0l6k
7i7k6gPU1xs81RDjlwPnaepCNX4r9nfFc4rFaL89458AAAD//wMAUEsDBBQABgAIAAAAIQANiAER
7AQAAB0SAAAhAAAAcHB0L3NsaWRlTGF5b3V0cy9zbGlkZUxheW91dDgueG1szFjdkto2GL3vTN9B
414TkP8Az0Imyy69SXZ3CnkAYYu1G/mntiDQTmfyWu3j5El6JFssEBLM7l70Bow5Ovp+zyf76u0m
FWTNyyrJs5FF3/QswrMwj5LscWR9nE87A4tUkmURE3nGR9aWV9bb8c8/XRVBJaL3bJuvJAFHVgVs
ZMVSFkG3W4UxT1n1Ji94hv+WeZkyiZ/lYzcq2Wdwp6Jr93p+N2VJZjXryzbr8+UyCflNHq5Snsma
pOSCSdhfxUlRGbaiDVtR8go0evWhSXJbwNt88ft8YxENK9e4Qa0xPA9nIiIZS3FjkmcSDORzImMy
YYWyQ2OqYl5yrtDZ+teymBUPpV56t34oSRIpqobC6jZ/NDD9MwMMF92j5Y+GiQWbZZmOr1iAiJDN
yELituoTi1jAN5KE9c3w6W4Y35/AhvHtCXTXbAALdpsi50Xt0bfu2MadeSIFJ3TnVQ1lWPo+Dz9V
JMvhp3K/di+8Wxsy5bOiL2JSh18qqgZX/6njYfCVjqkxdBcJ1+ujtnQ47L7T845i4vR6A4c6FlGR
odS3G8S+xzVzEcjNdR5tVUQX+EbiWBbGOQp1UcdZVHImtwJpZoFYCwqDCBOP6CSBImBBxJe/4Vb1
58iCSbBpYRzf4ZFjXO/xIMIsQBzwgaWCqUbkWefjDI2YyongDPSNT3I8EUn4icic8CiR5AOrJC+J
jhvaFpYpdqn30JQ8ix5YyZRR+8wqFSzAzoiv8RmXdba/n3ME8bALHgQLeZyLCEbYL6uAJEL9miJp
n3zH63sqoaoZTmXfo5QCUWffG3gORSnU7tcNpd2u69BEwmRft9Z+qpqUH2XaUdVXU+4BcGk39bpf
FYN9rAEA65zAuvtYAwDWPYFV1bazwQCA9c5hDQBY/xzWAIDtn8MaALCDc1gDAHZ4DlsDTvUQVhIw
7JrlhT2lNFW3VHXQU3Xf6ObBh9lSF+4FbTzjYZ5FRPA1Fy3odW9dQD+Pk7I9u26IC9in+arE9Gtr
vKsK8xL6ZHmSHWPuVdXMNWo2V6nelzIdEIx9M6qeNczUBIGEYxTETCwtnAEgcDqReqgpydEXM13x
SnzVrR9NN+o6Hq37/GnkH4w31x/Snv9igSMpK9/rI0aSRTjtqEtl2mJ1h0OhzuaeptEDnVIzUWHR
iUreGiozo1vxHejpkUY2fEPqql1JK74DbTzS0YaPOn3qtyUc/kBrDd/AHiipb2XgAd+RHjd8tj2A
ec/hO9Jsw9d39di63L4jXW/4FFnrhBz4e6T9hs/3+s/Lx/9jPqCzzWlCHzDUMff75yrPKNENk/xA
ibR2vlSJIvmNDtH6tKCeNk4KEXr8yYOT5yGtAvrsusTDkXrA+Wvq3tLrnj/sODdTt+M6vtcZOreD
zo17++6de+36k6Hzt9Wc9SO4KpOUT5PHVcnvV1IrzPkjMDRFby3H/a5N8UBI/acBClOU9rzunPBN
dqZ5rk7b+5PCU7PtpflZyrJO0B8rVmKHZlbQM6fhS3L0uhHpm4jMRBJxcrdKF0dx8V8jLnjhAOqT
oTkzRy8Jza58qT10MGJpZ4BHho5LvUHn+mbodqbXE6c/xaVPh7vyrZTnGaxT9XZJ1X798s8vX7/8
+wo1q4WlfumAS/WOQpeiKD+w4n6thzBeyqCeJvpWgdcwiIuCPkEUh3mtM/4PAAD//wMAUEsDBBQA
BgAIAAAAIQAeep2hqwQAAIwRAAAhAAAAcHB0L3NsaWRlTGF5b3V0cy9zbGlkZUxheW91dDkueG1s
rFjbktpGEH1PVf5hSnmWYdAV1YLLwJKX9S4V8AcM0gAq65bRgMGpVPm3ks/xl6R7pAG0ZrMs1gsI
0XNmuvv06Zbu3u/ThOy4KOM8Gxj0XdcgPAvzKM7WA+PTYmr6BiklyyKW5BkfGAdeGu+Hv/5yVwRl
Ej2wQ76VBDCyMmADYyNlEXQ6ZbjhKSvf5QXP4L9VLlIm4adYdyLBvgB2mnR63a7bSVmcGfV6cc36
fLWKQz7Jw23KM1mBCJ4wCecvN3FRarTiGrRC8BJg1OrmkeShAG+LOFzsDaLMxA5uUGMInofzJCIZ
S+HGLA7lVnDyJZYbMmYFnkPZlMVCcI7W2e53UcyLmVBLH3czQeIIoWoIo1P/UZupnxmYwUXn2fK1
RmLBfiXS4R0LICJkPzAgcQf8hEUs4HtJwupmeLobbp4u2Iab+wvWHb0BnOC4KeS8qDz60Z2edmcR
y4QTevSqMmWw9CEPP5cky8FPdL9yL3zcaTD0GeGLDanCLxGqtqv+VPHQ9qWKqT7oMRLU6/d6PvAW
PLd9YFn3WVQc23dtuEkwNo7repavNtFIsEkFXQRyP8qjA4Z0Cd+QOZaFmxyYusQVLEhKOZeHBPIM
17uEwokIS9ZQSgmwgAURX/0Bt8qvAwP4DlsutedHe0hyEwdCzAIIBHzA0oRhJfLM/DSHSkzlOOEM
4GuX5HCcxOFnInPCo1iSj6yUXBAVOKhbOBmiS7WHguRZNGOC4aHOkTEXLICdwXftswoD5uPlpFs6
6boMZgkL+SZPIjhED0MExaITfBMFoAINKBfgsibMbURwac/znCppujoaPLApRbJcS4QXs58y8aCq
Mc4ikBa8xFQut4+gn2rVGScsIEW9Y80etIXLHhKpgrIdD63INXi9kwc1SI1nnfD61FbkvwoPLStu
AB6C1Hj2CY9aHsUSu+6AWARHQESpAZ0zQB+q9zZARKkB3RMgqAEc8KYTIkoN6J0BerbK3A0uI0oN
6J8AEe36pDRiiCg1YP8M0HW8G5OCKJc1qV3tsLV2LLAez4XDQob8rHCgXoNggvBuWLKqNURJkuoh
ykdsrnPlrlZ83QIuNhPHglZR9YpTi22IiN+F1lJtopH+p5koNbjUQd6kIbRRo9iBajrcqCG0oUkI
UuPdqCG0QdcWNKTfsoQ08FpQkAZeCwLSwGtBPxp4LchHA+9l9QAiEWgix9FF0er2CQdFQw04ZWPC
uWWKcbQSTZjkDSWy21CiSP6gQ7Rqgqg/F4VI6Z+ew/Ts2ZAL9UNNiit4FsHnib+m9j0ddd2+aU2m
tmlbrmP2rXvfnNj3Hz7YI9sd962/jXq0jsBVGad8Gq/h8eVpKw2s8tfTAVlUW8uh1+lReP6i7in+
cBREabdPuDo70zzH2fa8U6iB7mc7xUqKKkF/bpmAHfS8+crA+ZYctRsRT0dknsQRJ4/bdPksLm4b
vIXne4C+GJpX+uhbQnOkL+31LWpb1PQp9UybOr45mvRtczoaW94ULl3aP9K3RM8zON1bWfv92z+/
ff/2bwucVY29esaHS3wloIaWRHxkxdNOqRu8AwE+jdWtAt56QFzQ9GSCGPotyvA/AAAA//8DAFBL
AwQUAAYACAAAACEA1dGS8b4AAAA3AQAALAAAAHBwdC9zbGlkZUxheW91dHMvX3JlbHMvc2xpZGVM
YXlvdXQ1LnhtbC5yZWxzhI/BCsIwEETvgv8Q9m7SehCRpl5E8OBF9AOWZNsG2yRko+jfm2MFwePs
MG92mv1rGsWTErvgNdSyAkHeBOt8r+F2Pa62IDijtzgGTxrexLBvl4vmQiPmEuLBRRaF4lnDkHPc
KcVmoAlZhki+OF1IE+YiU68imjv2pNZVtVFpzoD2iylOVkM62RrE9R1L83926Dpn6BDMYyKff1Qo
Hp2lM3KmVLCYesoapJzfeS5qWd4H1Tbqa277AQAA//8DAFBLAwQUAAYACAAAACEA+c8JOYMGAABc
GwAAFAAAAHBwdC90aGVtZS90aGVtZTEueG1s7FlPb9s2FL8P2HcgdG9jJ3YaB3WK2LGbrU0bxG6H
HmmJllhTokDSSX0b2uOAAcO6YZcBu+0wbCvQArt0nyZbh60D+hX2SEqyGMtI0gbbsMWHRCJ/fP/f
4yN1/cajmKFDIiTlSdurX615iCQ+D2gStr17w/6VDQ9JhZMAM56Qtjcj0rux9f571/GmikhMEKxP
5CZue5FS6ebKivRhGMurPCUJzI25iLGCVxGuBAIfAd2YrazWausrMaaJhxIcA9m74zH1CRpqkt5W
TrzH4DVRUg/4TAw0aeKsMNhgUtcIOZNdJtAhZm0P+AT8aEgeKQ8xLBVMtL2a+XkrW9dX8Ga2iKkl
a0vr+uaXrcsWBJNVw1OEo4Jpvd9oXdsp6BsAU4u4Xq/X7dULegaAfR80tbKUaTb6G/VOTrMEso+L
tLu1Zq3h4kv01xZkbnU6nWYrk8USNSD72FjAb9TWG9urDt6ALL65gG90trvddQdvQBa/voDvX2ut
N1y8AUWMJpMFtHZov59RLyBjznYr4RsA36hl8DkKoqGILs1izBO1LNZi/JCLPgA0kGFFE6RmKRlj
H6K4ixkdCaoZ4E2CSzN2yJcLQ5oXkr6gqWp7H6YYMmJO783L79+8fI7evHx2/PjF8eOfjp88OX78
o6XlLNzFSVhe+Prbz/78+mP0x/NvXj/9ohovy/hff/jkl58/rwZCBs0levXls99ePHv11ae/f/e0
Ar4t8KgMH9KYSHSHHKEDHoNuxjCu5GQkzrdiGGFaXrGdhBInWHOpoN9TkYO+M8MMV+A6xLXgfQEV
pAp4c/rQEXgQianKXO5odiuKHeAe56zDRaUVbmleJTMPp0lYzVxMy7gDjA+reHdx4vi3N02hdNIq
kt2IOGLuM5woHJKEKKTn+ISQCns9oNSx6x71BZd8rNADijqYVppkSEdONM0X7dIY/DKrEhD87dhm
7z7qcFal9Q45dJGQFZhVCD8kzDHjTTxVOK4iOcQxKxv8NlZRlZCDmfDLuJ5U4OmQMI56AZGyas1d
AfqWnH4Lqke12/fYLHaRQtFJFc3bmPMycodPuhGO0yrsgCZRGfuBnECIYrTPVRV8j7sZot/BDzhZ
6u77lDjuPr0a3KOhI9I8QPTMVGhfQrV2inBMk8uKfOaKvC1oZUrsnqjDy3Anq2+Xi4D++4vvDp4m
+wTifXEHuqy9l7XX+8/X3mX5fNaKOy+yUH91n2MbZNMux0u75TFlbKBmjNyWpmGWsGEEfRjU68xJ
kRSnpzSCx6zAO7hQYLMGCa4+oioaRDiFZrvuaSKhzEiHEqVcwiHPDFfS1nho2JU9Ijb14cHWA4nV
Hg/s8Joezs8IBRmz7YTmIJozWtMEzsps7VpGFNR+G2Z1LdSZudWNaKbUOdwKlcGHi6rBYGFN6EQQ
9C9g5XU4q2vWcEjBjATa7nYTzt1ivHCRLpIRDkjmI633oo/qxkl5rJhbAYidCh/pA98pVitxa2my
78DtLE4qs2ssYZd77128lEfw3Es6b0+kI0vKyckSdNT2Ws3Vpod8nLa9MZxv4TFOwetSN3+YhXBJ
5Cthw/7UZDZZPvdmK1fMTYI6XFlYuy8o7NSBVEi1g2VkQ8NMZSHAEs3Jyr/aBLNelAI20t9CirUN
CIZ/TAqwo+taMh4TX5WdXRrRtrOvWSnlU0XEIAqO0IhNxQEG9+tQBX0CKuGawlQE/QJ3atraZsot
zlnSlW+yDM6OY5ZGOCu3OkXzTLZwk8eFDOatJB7oVim7Ue78qpiUvyBVymH8P1NF7ydwZbAWaA/4
cKUrMNL52va4UBGHKpRG1O8LaBxM7YBogXtZmIaggotl81+QQ/3f5pylYdIaTn7qgIZIUNiPVCQI
2YeyZKLvFGL1bO+yJFlGyERUSVyZWrFH5JCwoa6B63pv91AEoW6qSVYGDO5k/LnvWQaNQt3klPPN
qSHF3mtz4O/ufGwyg1JuHTYNTW7/QsSKXdWuN8vzvbesiJ6Yt1mNPCuAWWkraGVp/5YinHOrtRVr
QePVZi4ceHFRYxgsGqIULn6Q/gP7HxU+s18p9IY65AdQWxF8dNDEIGwgqq/YxgPpAmkHR9A42UEb
TJqUNW3WOmmr5Zv1BXe6Bd8TxtaSncXf5zR20Zy57JxcvEhjZxZ2bG3HlpoaPHsyRWFonB9kjGPM
563yFyg+egiO3oG7/ilT0gQTfF8SGFrPgckDSH7L0Szd+gsAAP//AwBQSwMECgAAAAAAAAAhAJ/c
UOFu8AAAbvAAABcAAABkb2NQcm9wcy90aHVtYm5haWwuanBlZ//Y/+AAEEpGSUYAAQEBAHgAeAAA
/9sAQwABAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB
AQEBAQEBAQEBAQEB/9sAQwEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB
AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEB/8AAEQgAwAEAAwEiAAIRAQMRAf/EAB8AAAEFAQEBAQEB
AAAAAAAAAAABAgMEBQYHCAkKC//EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQci
cRQygZGhCCNCscEVUtHwJDNicoIJChYXGBkaJSYnKCkqNDU2Nzg5OkNERUZHSElKU1RVVldYWVpj
ZGVmZ2hpanN0dXZ3eHl6g4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfI
ycrS09TV1tfY2drh4uPk5ebn6Onq8fLz9PX29/j5+v/EAB8BAAMBAQEBAQEBAQEAAAAAAAABAgME
BQYHCAkKC//EALURAAIBAgQEAwQHBQQEAAECdwABAgMRBAUhMQYSQVEHYXETIjKBCBRCkaGxwQkj
M1LwFWJy0QoWJDThJfEXGBkaJicoKSo1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2
d3h5eoKDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ
2uLj5OXm5+jp6vLz9PX29/j5+v/aAAwDAQACEQMRAD8A/v4ooooAKK/J34mf8FF/izoWlftd6r8M
v2bPhtr+j/sa/tFeI/hH8WfH/wAaf2q9P+Avwk8M/DHwn+yt8O/2k9Y+Mvi/xanwZ+JvizR7i71L
4j6T8MNA8A+Ffhz4/W41GM+K/EXjTwrojzw2fxp8Tf8Ag4c+Gfwu8UXHhvxL+zd408Pp4i/4JleF
f+Cg/wAJtS8aeN4PCtv4w8a+K/hz8R/itpv7J/jCRPBOtWHw7+I2p+CPhh4s1bw1r0epeMP+En/4
R3xVb2HhNJ9CgTV85VaccPLFSlajHA5Zmbk1LmeCznh3MuKsrrxp29rP69keT5liaFOMJVZYjCyy
x01mtSlgqmqo1HiIYVRXtp4vGYGMeaHKsXgM+y7hnG0Z1eb2VN4bOc2y7DVZVJxhGjiqeYc39nKe
Lj/RbRX5G+M/+CouoeFv2uv2d/2YB8Gvh9ptl8cvhz8BvH8Pir4oftM+GPgz4v8AE5+N+teKNC1L
Q/2Y/AXjzwDZeGP2odY+Cc2i6Bqfxi8M6F8WPA3xI03RfG/hufwV8PfHGqXkOj3HIfsh/wDBWqX9
qX4nfGXwvN4W/ZN8L+H/AII+MP2nfD/i74ceA/2zPF/x1/b0g8Pfs3fEHxT8O5PGy/sJeBP2R4PF
l3pnjnUvD+m6no2laB8TfEGuNpvinQbfQbLxXruo6bo2o9MqFSNSvTkoxlh6ufUq3NOnGMJcM16G
FzyXtJSUJUsBicRChKvCUqNerGvTw1StLC4lUeWNenONKcHKoq8cinS9nTqVJTXE2FrY3JIqEIyk
qmNwuHqV3RlFVcND2f1yGHdaiqn7Q0V8CfHv/goJ8Mf2bfjJoHgr4s6ZdeFfhJN+xx+0F+2T45+M
+pJ4r+2/D/wb8AfGHwP8N6to1/8ACfTfA2p+M9TutT074ySa3dNbyW2v6FL4Xk0VvCWqXuqtJpPh
nxC/4LQfsfeEtb+Eug+GW+Lnje9+In7Tejfsz+LIn+AP7Qngi/8Ag/qur/Ci6+NNt458e+HPGfwj
0rxZD4I1f4ef2Z4o8F+JLPQJfC/jnwxe6v420DxJN4E8C/EHxR4XydlHCyk1FYysqNHnahKM3xHW
4S5sRGVpYOguIsPVyyWJxioYeFSKrTqxws4V5atO9dJc31fDVsXNx99ToYfI8NxLWlh5RusXOnkm
MwuPlRwrrVlCvTo+z+sS9ifrdRX5223/AAVb/YQufhd4m+MbfGDxNY+CPCes/B7RtSGs/AT9ozQf
GmoJ+0J4gh8K/AnxN4R+F2tfCXT/AIn+Pfh18YvEUsukfDP4peBvB/iL4beNbzTtbj8PeK78aBrb
af4J4Z/4LF/DTUPjX+1h4V8W/BL9oHwf8B/2Vx8OtL1j4v2/7Lv7fHjH4jat4m8d/C7Rvi7eSeJ/
gH4Y/YlvLv4VeA/C3hS/1FtX8YeNPiLDrMEtjpOp6h4I0rwr4x8K+JNTmUownUhUapOjTrVa0qr9
lToQw+HwuKq+3q1OWlRksNjsFWhTqzhUq08XhpUozVenzVGMpWUIynKSpShTgnOrUjXxH1WnKlSj
epVi66nCUqcJRgqVec3GnQrTh+xtFfE1/wD8FFv2N9P8afCTwFJ8YftmtfG3w18IvF/gTU9G+H3x
T8QeBYfD/wC0DqF9pHwHu/iB8T9C8Eaj8Nvg9cfGrW9Nv9A+E+l/F7xZ4G1X4ieIrWXw/wCEbHV9
ZAsT1nwd/bc/Zk+PfxL8VfCL4WfES91/xz4Ti8X3TWmpfD34neDtA8Z6b8PfGP8Awrz4ha58HvHP
jbwZ4c8C/Hbw38P/AB29r4Q8eeJfgt4k8faB4M8R6pomkeJdS0u913Rob7Z0qqnOk6dRVKdXMMPU
puElOFfKYU6ma0ZwtzRq5ZCrSnmFOSU8FCpTliY0lOLeXtafIqntIezdLL66qc8eR0c2v/ZVZTvy
ulmVn/Z9RPkxln9WdSzPq2ivyC+Gf/BbD9jrxn4c8d+IvGFr8dfhrJ4N+Lf7RXw8i8N3X7MP7UXj
rxde+Dv2ZvFOn+E/iR8a9Y8O/D34I+ItQ8IfCvQNR1bSI/GHjHXI08K/DXUdY03wn8RPEfhvxwdR
8L6b2v8AwUV/4Kj/AA6/4J4+E/2Ufif4k8C3/wAVvhF+0f8AHDRfhp4j8feCfEavB8LPhrqHw68X
fEvWPjwmn2Hh/wAQxeOfBnhHwx4UuPEfiSC11Tw7BZ+DE1XxVFrk0ekLp2oY05Rq0sBXpyUqGZPJ
lhK11GlN8QLDvKfbVJWhhfrKxVFz+tuh9UXtnjfq6w2I9lpVTo1cbRqpwrZes5li6TT9pCPD7rrN
5U4K8sRHCPD1VzYZVVXvS+rOt9Yoe0/UiivyW+Fv/BYv9lnxF4O1XxX8XtVk+Exh+Nv7Tvw10iPw
1pfxJ+Ougp8Nf2aPjNJ8HtZ/aL+I3jH4YfC6+8P/AAT+C+p3lzoGr6x8R/irceGvhb4MXXFstQ+J
GowWF1qgvaf/AMFi/wBkOy/aB/an+AXxN1Lx18Hbr9l7Utfsr/x54/8AhZ8XtP8AAPj+18BfA+0+
P3xP1Hwp4zj+HT+CGk8JeAZ7rW9H8NP4tuPG/wARPDel3vjfwN4X1jwZc6HrmsJ1IKjSxMpRhQrZ
ZLOYVajVOH9m06GCxNfFVJT5VRWEo5jg542nV5K2BdbkxlOhOnVjCvZzdaph1GUq1LMKmVSpwTnK
WYU8TXwjw9Lk5lWdTEYarTw86LqUsVaEsNUqwq0pT/Vuivz2X/gqj+wrd6FoXiDw78Yte8fw+KrH
4S3/AIR0X4U/A/8AaB+Lvjbxivxv+G/iL4xfDuw8G/Dv4YfCvxb498W67efCrwnr/wAQ/E/hvw54
b1PxB8OvB9gNe+I2meE9OvLGe58i+PH/AAWP/ZL+G3wf+LPj34R6xrv7Qfjz4dfsl3f7YelfDzwx
4B+NWieHdX+F8+ieOtU8Lz+OPjEnwf8AEngH4MS+JdR+HHi7wt9j+Is+neJtH8W6TL4T1HwsPFVx
Y6FebSpVI1atCVOca9CvPC16MoSVWjiaeHrYuph6tNrnp14YXDYjEzoziqkcPQrVpRVOlOUZoWxL
wyozpzWMp4ethp+1pxpVqGLxdHAYXEQrSlGk8NXxuIoYSliOf2E8RWp0VU9pOMX+s1FeK/Aj9oP4
U/tJ+D9R8efBzxJL4w8I6V4s8ReBp/E9toHinTPDGreJfCF5/ZXidfBPiTxBoWjaP8R/DWk62l5o
Q8d+AbrxF4I1DWtL1nSdO8QXWo6Nq1rZfnP8CP8AgrZ4R+IvxM/a18O/F/wf8L/gL8PP2Ubb4yar
4x1bU/2jtC8T/H7wjoHwb+J118P31j46fsl3fgHwZ8WPhbYfFTQzo3xL+CmueBpPjh4N8feEPEOj
WJ8W6R4w1jw/4Z1vNOLrxw3NFVZZfjM1TlKMaSy3A4elisTjpYiTWHjho0a+HlTqyqqOIliMPTwz
q1cRRhPKnVhVwdPHUm6mGq43A5dTlCE5VZ47MatWjhMIsMovE+3lVoV4VYexvhXRq/WvYqnJr9gq
K+Dr7/gpf+xvp3w0tPild/EDx6um3fxL1P4Nr4Ai/Z0/aVuv2hbX4o6L4Ou/iRq/gjVP2WLX4Qzf
tMaNrml/DKyl+KN/b6v8JbJLT4XS2XxJnkTwPqWn69dbOsf8FF/2L9D8P+JPFl38cdJu/C/hT4f/
ALNPxU1jxFoPhbx94o0T/hX37YXjPUfh9+zh4p0nU/DXhTVrPxFp3xM8W6VfabaDw7Nqtz4egiTV
/F9v4f0W5ttRm0VKpJyjGnOUoVcBRmlCTca2aUvb5ZRkkrxq5jR/fYCm7TxlL95h1UhqU5RiouUo
pTjVnBtpKcKGOhldecW370aOZ1aeXVZK6p46pDCTaxE4039sUV+Zeof8FVv2ZNS17whp/wANfEGp
eNNI1L47fFT4A+KNT1T4T/tW+F7m78efBrwL8avFnj/wj8C/sv7Mnifwp8e/iF4a1H4HeKtI1nwv
pXjTwloVraRC5tvG1/4k1fwF4N8ec5+yX/wWI/ZA/aq+D/gf4lxax43+FfibxlqvwE8Pt8J/H/wq
+MmleNLLXv2ofFPiLwl8BrbRF1L4aaRbfEbw9471Pwr4ijHxJ+Go8WfCnRl8N+LL7U/HMOg+F9X1
yCaKeIdqCdZueW04xppzlUnnLpRyiNKKu6v9pzr0IYB01JYupXoU6DnOtSjN1pRw3O8Q1RVOnjKt
WVVqEaUMvqYijj3WlK0aLwVTCYqOLjUcZYf6vWdZQjTk1+q9Ffj38f8A/gqPqvwm/b1uP2GNC8Pf
sYaFrUXw0+B3xA0jxV+1j+3rc/ssa/8AEzU/jb42+IPgux8BfBH4b2f7L3xru/ih4u0C58BxSXWn
W3ifRbi+vPFXh3TIbe3ku1uG+i/GH/BT/wDYZ8BeEbTx34t+OK6R4UvtJ/as1211Zvht8XrxZNK/
Yj8US+DP2n7trPT/AABd6hEvwx8SQy6cYprSOfxkE+2/D6LxXp5W7KjaeHp4uLX1erUzClTqNqPN
PKnVWY+7JqajhFQrVKtSUVTVGlUrxlKjFzV8k/rTwShOWJTwEVShCU3OeaYSWOwFKnKClCrXxOEh
OvChTlKsoU6nPCMqc1H75or88D/wVV/YcHhnxB4lX4m+P5p/DXxNsvhDqHgC3/Zp/aiuvjdd+OdS
+Gknxn0238O/s+2/wZl+Oni/w3qXwhgu/ifp3j/wn8O9a8AX3gDT9U8W2niebQtK1G+tfBviJ/wW
X/Z88NfHvR/gd4MsbjxPp/iH4c/sjfFLw38b9e0f446Z8CPGHhn9sD4x6Z8Lvh5b+EPiN8M/2fvj
PpV9qup2OqWuq+Eb7X/+EZ8CeL/FV0ngS48c+GD4f+JHiT4f1ShOvisJgqMJVMVjsVg8FhaUYv8A
eYrMcBiM0y+jKdvZ0p5hl+Fr4rAe2nTjjaUYvDOrKpTU85zhTwtbGzlFYWhgquZVKvMmngKGOw+W
4jGUopudfD4fHYqhhsRUoRqRw9Sb9s4RhUlD9iKK/PbXP+CqP7Cvhm4+Kq+IfjHrmi6X8G/Dnxm8
VeLvGOp/BH4/2fw31jSP2dtUGifHVfhT8UZ/hanw6+O+sfCfVxPpvjrw18D/ABR8RPEnh+8sNVgv
tJifSNUFpW/4er/sOtot9q0HxI+I97qdj8XdJ+BY+HGnfswftVan8ctV+Jev/DaT4xeH9K8M/s96
f8FLn46eLtD8QfCmC4+Img+O/C3w81jwDrXg+1u9f0zxPdadaXM8URlGcYThJThUo0MTCUWpRnh8
TjIZfhsRCSupUcRj6tLA0Kqbp1cZUhhqcpVpxg9JRlGc4SjKM6VTGUakJJqdOtl1FYnMKU4uzhUw
OHlHEYyEkpYWjJVa6hTakfolRWfpOp22taVpms2ceoQ2mrafZanaw6tpOq6BqsVtf20d1BHqeha7
Zadrei6hHFKq3uk6zp9hqunXIks9QsrW7hmgj0KuUZQlKE4yhOEnGcJJxlGUW1KMotJxlFppppNN
NNXM4yjOMZwlGcJRUoyi1KMoyV4yjJXTi00002mndaBRRXg3jj9qf9mH4Y+JL3wb8Sv2jvgN8PfF
+mR2kuo+FPHHxf8Ah94T8SafFqFpDf2Et7oWveIdP1S0jvbG4t720ee1jW5tJ4bmEvDKjtpQw+Ix
M3Tw1CtiKii5uFClOrNQTScnGnGUlFOUU5NWTaV7tEVa1GhFTr1aVGDkoqdWpGnFyabUVKbScmk2
le7SfY+FP2jP+CQXwU/aQt/iNY618dP2kfAejfFj9rXw/wDtmeP/AAv4OuP2e/EXgnxb8UvCPws+
GPwp8JeHfFvgL40/s8/FvwT44+Fnhyx+E/hnxhY+AfHfh/xPp114+e48Q6vPqcWn+GNO8PQ/tMf8
Eav2Xv2w/Dfxy0P9o/xl8aviXqv7QPwH/Z5+B3jfxrd6p8K/D3ijTrj9mjxH4+8WeAfjH4Oi8IfC
Pw/4U8L/ABc1LX/iR4ku/FU9j4XPw3v7OWPQtK+G2ieHp9T0nUfsT/hub9ib/o8P9ln/AMSC+Ev/
AM11fSukavpPiHSdL1/QNU07XNC1zTrLV9F1rSL221LSdX0nUraK907VNL1Gylns9Q07ULOeG7sr
20mmtrq2minglkikRyYnL8Rh8LTwmLwWIo4XmwvsKeJoVacac8Bk+DyHCywsqsVKhVw+T5fl+DjU
w8oVOTA4KpKTrYXD1adUcfSr4ipiMPi6NbEONRVqlCrTnOcK2cVc/nGv7Nv2lOecV8Rj+SqpQ9ti
MQoxVOvVhP4C+Lf/AATg+HPxn8S/Ci88X/HD9pQfDP4W337Puuyfs+WnjXwNefBfxx4u/Zh8SDxb
8I/Gmtad4k+Gmv8AjvwH4ksddh0258WT/AXx/wDBzT/iLBo2k2Hj7TfEdham2k9p+Bf7KPhT9nD4
K+PPgr8JfH3xK0G18cfED4//ABQh8f3k/gDXPHng3xt+0N8RfGXxS8R6v4VTWPh/e+Apk8I+LPG1
/N4H07xh4E8W6ZDY6dpVl4us/GCJqLal9S0VNSrVqLFqdWo3jsRj8Xi5qco1a+KzOWAljsROrFqr
7Wv/AGXlsedTUqVPA4WlRdOlQpwiU6dOksKoU6ahgqeApYWm4RlSo08so4+hgacaMk6ThQpZpmMe
WUJKq8biZ1lUnVlJ/BH7Uf8AwTv+D37Xc+r3vxW8bfFq31HXv2Rvjn+xpq+o+E9X8DaPPefDn9oP
Wfhdr3jvxYYbz4fatYW/xFt9R+Evh9/D+oWlnb+EdPj1HXYrvwXqK3Gm/wBleTfGL/gkX+zv8afi
R4z+KmufEL45+H/FPjv49fCb4/66vhrWvhfJpDa18KP2bda/ZSXwRBpfiz4S+K4B4A8e/CLxFrVj
46tro3Xi461fvrHgvxj4LkgtYYP1QorKrGFalToVadOdCl7T2dB06fsYKrnn+slSEaSiqapzzz/h
RdPl9n7fTl9n7htCpUpzdSFSpGrLD18LKsqk/bOjisswOTYiLrOTqc1XLMtwODlU5/aezw1Jqamn
N/j/APA//gid+yJ8AfhYvwl8D3niS10a3+Mv7NHxlsvE2j/C39j/AOGHxCa7/ZR+JPh74p/CzwV4
p8c/Av8AZc+FGvfFTwq/iXw5br4n1n4y3PxF+KOr2upa7c2/xH07XdYvNZfY/am/4I5fs3ftba/8
WNe+IfxD+Nelx/Gr4veGfjH4/wDC2lr8CPGXw+1bXPC/7Puifs3afpD/AA7+NnwI+LXgmaxh8EaD
Z69ovifUNCvvij4B8fy3fiv4X/ELwNPP9mT9aKKMQli6NShim8RSqznUrQrylV9tUqRyWNWdZzbl
WnX/ANXsleIlUcniJ4ClOs6k5VZVFQk8NV9vhrUKqofVoyoxjT5MOq2Mrwo04xSjSp0auPxbw8Kc
Yxw8aqp0FTp06UYfmf4I/wCCX3w1+GWv/CPWfht+0L+1Z8PrP4c/CP8AZm+C3jrw94L8e/D3w3Yf
tGeD/wBkeTVJfgwfjTrelfCi28daffWY1vVrLxrD8C/F/wAFNC+JmgX8/hD4gaJ4i8HiPQI7f7Iv
/BK/9lz9ij4y/FD41fBjRraLXviXd+M7iG01f4Rfst2Ws+Brf4geNrnx94q0fw98bPBH7Pngz9qD
xXoF/rdxHBDonxl+O/xU07TtI0/RtM063tYNE0n7H+ktFbyr1p4qpjZ1Z1MVVqZrVq15yc6lSpnT
ovM5Tcr831j2FGKTTjh4U4wwyowXKYRoUoUI4WFOMMPCOWxhRguSEI5RSdDLuVRtyvD0X7K6s6tN
RjXdVQil+PNx/wAEY/g3b694+8ReDv2mv2uvhxf/ABI8TftS3viJPB2ufs7vA3w4/bI8aaZ8Rfjt
8C7ceK/2bvFNw/w21zxtpUPiHw5r2oXGofGvwPdXF7B4R+Luj2F09oPsP4o/sM/AX4sW37Kmi67p
mtaZ4L/Y+1+81f4X/D/R7zTJ/B+r6RefAzx1+zwfA/jy08S6N4i1PxB4Oi+HPxA1i2Wys9W0fVrj
UbTTLi/1m8s0v9P1D7DormhSpwwtLAxpw+p0aWAw9PCyjGdCOHyv2zy/DezmpRlhsHUxONr0MNJO
hDFZjmmLVP6zmuY1cTvOc6mJxGMnKTxWKeYyr4hScatSebxhDM6rnFpxrY6lSw1DE1o8tWphsFl2
GlP2GXYGnh/wW8N/8G5//BPnwd4Q+Cvgnw5b+M59D+BWt/Fq58J2/wASvAf7Jv7RNrqHg34w/Eqx
+KWufDHWND/aa/Zh+M/hez8M6BrtkdN8I+K/COg+FfjJpfh2/wBW0y8+KWqSare3c3vHx0/4Iyfs
w/tB+L/jH4m8bePfjtp+jfGr42/BD4/658PfCmt/CzRfBvhrx78FPhlp3wUe28I3EnwhvvG9t4M+
LXwesZ/hn8YPA+v+M/EXhnxD4R1nXLHw7p3hOfUZLpP1xorSnKVL6qoynbBODwynKVSNN08RgsZB
ONRyVSMcbl2Dx6jUU4vH0frzTxdSrWqRJKf1u6V8fSxFHFuKUZVqeLjXp4lOUUnF18Pia2DqTg4z
lgJrL3L6jCGHj+R/gj/gjT+zX8IvCNnofwI+JX7QPwN8Z6D+1P8AEP8Aa08D/GPwJ4g+FerfEXwD
40+JfgnU/hhrXgDw9YfE34P/ABB+Fuo/BzS/hbqf/CuvC/gTxp8NfFg8P+G9N0aWz1UeINLtdcTo
NP8A+CQP7LWkfCP9on4K6Pr/AMYtM8H/ALTv7KngX9kj4jyw+KfCl3rUPgvwTqnxt1+fx3oF9qng
S/htvif418S/tAfEHxF4z1XWLPW/CVzqk2lroHgvw9p9pcWF7+qFFKKUaLw9uaj7DC4VU6n71Rw2
Dy+jlWHw8HV53ChDL8PRw0qUHGnVjShOrGdRKZalKNf6zF8lb2ntXOFoc1T+11n0ZyjC0Zyp5vH6
9Rcov2FVyjR5KU505fNX7MH7KXwr/ZA8I+K/ht8DodT8M/CfXPHmuePvCnwlhi8NWPw7+D1x4pis
7rxT4W+EWheH/DehyeFfA2veLI9a8fS+Fru81mx0fxX4t8SL4ZOheGptL8OaV8c/ED/gkH+z98Zf
EHxa1j47/Fv9pT476d8Svg98Z/gR4X8M/Ffxz4F8RWPwQ+Gvx28e6H8TPGuhfDbxPbfDDTPiV4oj
sPF/hfwtd+CV/aA8d/G+28D6V4d0zwz4attP8Mm90i8/VuilVXt5xqVXKpOGCxGXxlKcuaOExeXT
yjEU00179XLKtbAyxH+8fV6+IgqqWIre0milh6fsqMY06f1qhjXGMY+9isNjY5lRqzbTc3HMIQxk
oSbhVxNOnVqxnOnBx/KPwf8A8Eh/gL8NPhT8Nfh/8JPiP8Q/gn46+Enxd8TfGjwN+0B8CvhJ+w78
EPidYeLPGXw71v4S+JYdW8EfCj9j/wAIfsyeKrDVfhxr994WmvPFX7PeteJ44LfRtVt/EcPiDw/o
er6fT+Mv/BH74LfGnUbe71j9ob9rzQLPU/hn+zJ8Lvippun/ABL8A+Mp/jzpn7IvxPv/AIvfBXxH
8XPGHxj+E3xQ+JGoeM9L8a6vrN54h17wf428F/8ACW22q3dvr9peslpLa/rRRWvtavtoYjnk61PE
4HF05t83JXy3DSwuBnFO8VHDUZN06aXsvbv61KEsV++I9nBUnRUUqUqMsPKCulKjLMI5rySs02o5
hCOIpttypO9Ok4UpSpv89NC/4JqfAfQdN/Z80q38T/Fe6s/2bv2nv2iv2r/BS3uveEi+tfEL9pu4
+PNz4/0HxdJa+B7Rr3wRpjftD+NY/Cen6H/wj3iDT49M8L/2t4m1x7LVZNa+Mvgb/wAEbdJ+Cv7W
v7G3j228T6l4y+An7CHwC8YfD74R638QPiTFrHxl+IXi/VtR1W0+FGl/En4d/Dv4GfBv4PxeD/2Z
PCfxA+Ntp8KfGd/rPxB+Imr6p8V9Ru9ZXSr3TZNY1f8AdiipoyeHxVLGUny1qVWdeDsmlXllWMye
liEn8GJwuBx+IhhMRTcK2Hc5ezmoVK0KulaUq9LF0aknKOOhKlitE3WoVc0qZxisNUunGeGxuPrV
62Mw04yo15VeeUPa0cLUofO/hn9mfwJ4V/ag+LH7Wenat4tm+I3xj+Enwj+DXifRb2/0aTwVY+F/
gx4g+JfiTwvf6Dp0Gg2+u2uvX998U/EEWv3WoeJNU0+6tLPRo9O0vS5re9n1H84fG3/BDX9m/wAf
3HjWz8Q/Hj9q+TwJ4m0D9tTw54X+Ftv4q+CUfgv4TWP7fWujxV+0LJ8Pb6X4BzeP7q61LxUZfEHh
aT4k+OPiHF4bvJ5bOGG50UppSftNRSg3TnRqQbjOhRxmHotN2p0swlVnjIxi7xvXdeupTadSMa9a
EJRhVqRlaq1I1PaqTVVYvA472i0l9byzCLAYCvffnw2DSw8F8LppKUZNJn5lePf+CWfwh8XfF/x7
+0H4W+M37Q/we+OvjT4q+A/i9pPxS+Gus/CC41v4ceI/A/7OFx+ytPpvgjQ/iZ8GPiP4GuvDnjT4
TXt5b+LdO+IHhPx3cp4knh8TeEr/AMKalpejPpvLfE3/AIJCfA34q/EbwF8SfEPxy/aqXUvBnw//
AGU/AGtadc/EPwJ4zHxTj/Y5+OZ/aD+EPi74oeMfih8LPHvxU1rxtceOp9Sg8bazonxB8N23ivQ9
WvoLnTrfVI9P1ix/V6inRlKhXwmJpSca+AxWAxmBq3cp4TEZXgqmXYCph3Pm9ksNg6tWjTpwtSft
J1JQlVnKbxcIvC1MFypYSrlryerQStTq5a8RTxf1SpFW9pTjiKVOrCU71INNQnGMpRf5CeLf+CL/
AOzj458P/E7wJ4o+Ln7SWq/CvxtoP7UWi/Dv4Vy+J/hPH4T/AGbrr9sXUNR1H47+IfgjqcPwZj8e
3GreIJNb1+20Gz+NPjT4yeGfBWna9qmneEvD2j2csMNv1nx6/wCCSPwA/aAf9ohvEvjv4h6bH+07
8R/hB8TPiVp998Ov2QPjPoEGsfBT4K2/wM8I2XhPwp+1F+y18e/CfhyCXwzaW+t3+vwaHN49tPFC
y3Hhrxj4e0O8vdAuf1PorCdGlUoRw1SEZ0Y4alg+SfvOphqOKw2Mp0q05XqYhLE4PC1HKvKpKaoU
qc5SpRUDanVqUq8sTSm6daVXH11ONlyVc0hQhj6lKKXJRlivqtCVT2UYL2tP20VGrKc5ecfB34W+
Gfgd8JPhh8F/Bc2t3Hg/4SfD7wb8NPCs/iXWLvxD4im8OeBvD2neGdFk1zXb4m71fVn03TLZtQ1G
fa93dGWYpGHCL6PRRXViK9bFV62JxFSVbEYirUr16s3edWtWnKpVqTfWU5ylKT6ts5qFGlhqNHD0
IRpUKFKnRo0oq0adKlBQpwiukYQiopdkgr8wf+Eg0Dwp8Rf+CgfiLxT4m03wX4d0j46eG7zV/Fmr
6hBpWm+HrKP9ij9k4Satd6jcz20NpHZ7hKsrTxHzFRUcSMtfp9X5hrpNhr/xD/4KE6Hqt7q2maXr
Hxq0fS9R1HQdf8U+FNcsLG//AGHv2VLW7vdH8UeB9X8P+NPDmqWsEsk9hrvhHXtF8TaTdJFfaFq2
napBa3cPbg3y5dxLLmpxtw/iXzVXKNKNsbl75qkoTpTjTW83CpTko3cZwdpLx88tzZPzc/L/AGzh
7+yhGpUt9Vxt/ZwlGUZzt8EJRlGUrJxabR8jf8Eh0+K9z+yLp/iT4s+LPiZ4/n8a+M9c8X/Dr4hf
EP4h+KPiXYfEH4MazYaNL8IvG/gLX/iP4x8R/F6Pw14l8BJoep6zafFnwt8HfGMnxCn8a6l/wp7w
domoaQ+p/ox+y5oniTxD+wB+x5pnhPV/7D1n/hnr9kfUBqH2+/0z/iU6L4Z+GOteI7H7XpsU91/x
NvDun6rpP2by/s1/9t+wXzxWNzcyp+Tv/BFIeC7z9nj4u+KfBVlfWsHjj4+3nirxBc63oPj3R/Ef
iLxldfCH4Q2HjLxxqmp/FK91b4n+OtP+IninTtY8f+D/AIg/FbWdU+MPiPwV4m8PR/F9tM+JGm+J
dD0v9Vv2cNB8d+Kf+Cc37L3h34a+Nrr4b+Mta/ZU/Zu0/S/HunWnhy+1fwlbXPw68Bx65rugWfjH
wl498I3PiWw0A6pN4ah8VeDPE3ht9eXThrmjXul/aoj7vEMnSyupONKvNweSVFh5Kn9cUlk2Kn9V
rNxw1CeOpv8A2fEVKdPDYWpio1KlGnh8PKEIeXw/FPOsTByp04P+0YwqJynh40XmVFUqtBweIqPA
ulyVMJaVep9UdK8qs7yl85ad+yp+3XbWnjG+s/jFb+EW1fxh8Thpvw7039rb9or4i6RJ4D8TeOfG
fibwpfaN8W/i78MfFvjn4b/EKy07/hArRol8NfEv4feDzqXxE8O+EvCsnw9s/hv4O8KV/hb+yD+3
X4L+EPje61j48+G5vjpffA/4LeBPh3oyftBftnePvBnhXx98MNZsPEGua7rvxM+MXxB8dWXiey8Y
3FqNK8SeLrv9mBPij42jbW5vH3ijxF4G8R6X8JPA3Yj4H/8ABTu3v/hn4cT9rvS9S8Kw+GvFem/F
T4mXLfBLTfiSNZ8U/YLuHWvDfgK2/YSvvAXibWfAd3LqOm/CbUpNd+GvhnQdC02A/GL4d/tDa14j
OqeEOKsf2e/+Cq3hTXIb3w5+1N4W8S2Ou+PtC8U+J7Pxh4+8Nf2DomlyaNr9p4u0Tw74d1T9iHx1
4mv/AA7f61dWniJPCOlfFT4bxnVbrQLXwX4n+FPgb4ca18PvjX8R9WjTwLwdKrWjTrYbBxoVqFWV
HFYeeIwmK4ZnGjU/dPB1qWErYjH4ydaNOlhnilmGEcJ1Kvs/tZ1efMHjZwpzqrMZRr0Z0oywNSMK
eGzxYqVO0lXwzxGU4HBRhS5p4jEOeGxSnUnav23j34N/8FN5/BHwdvfh9+0V4ai+KumfAX4T+Dvj
Pa6n47+HWg+CNd+NPhvxDpGrfEj4iaNfXH7AHxGGrR+NLeTV9OvJtJ8AfCPS7zwnYXXhPw94D+G/
inxp4f8Ai18Fcv8Aa4+D3/BV3xj8YtU8VfseftF/Bv4V+BINJ+E2leHNH+JmpQ65oP2S0+KHgHxH
8bPt3wwtv2YvEepReK/Evgbw94q8MaN461X47eMbNtH8RWvhvwb4B+CXiKPxD8W/Enmnxo+E3/BV
b4UeG9F/4Ul8c/in8fP7d+Lnhvw1r9hoviH9kDRviD4V+GWp+ONP17xD8bZdV+O/7PGk+Cb7X4tO
vvFlj4++FnhuW28KT+F7LwX4M/Z/8J/CO9k1HxnoX2j+2P4R/bp8U3fwNn/Yo+JPws+HsXh7xx4q
1T46WnxSvIILPx14En+G/inSvCvhXQk/4UX8YL+11OH4k6h4V8Sz69p2q+CpNI03w/dwXMHjW01S
bw+OnEYnkVDMY0VWlhuJsZWeDw1H2bnUxVfDVZwqYSboQrcL0YZr7TCUYfuI4XD4zBSpvEYHE4Gn
zQwyrVMZhHXq0o4jI6WGhjKtWUb0Mvp4vLqFajXiqlbD8QYyjk1N1q1ZLE8+NwWLVeNPGQxkvkTx
R+yd/wAFRPBfwo+Iui/s6ftyRH4p6r4Q8VP4J179oDU9G+J3h5/in458JarJf+KvEsutfs9eJNV8
PaP8O/iDD4fHwj8KfD+10n4d6b4Qu/EJ8c/DTxxew6Tpo+ufiF4N/bs1G4/Ydf4e/FT4UaKPBXjb
w/qP7eT30Edtp3xc8EQfDW/0jxT4f+FOiXvwj8Y6nZ32pfEy7svFeg3kHjP4Rz6NpWkLp+oahrlt
qdxpVr8IeFPhH/wXda5+Fkup/tKfs6aTY+HfH/haT4wW/ja/8IfEG++JHgnRfg/4l8K+LI/Bn/Cv
f2J/gxbeCbTxN8WJfDPjzT7W/utS8Ral9kuvEn9tfCzw3dzfs22/0Z8Jvg//AMFJvDfxk+CXiH4h
ftAaN4p+EK2GjXf7Q3hHWviV8M/FWs3Gr6X8FvE3hKXSPAzeFP8Agnd8Dk8R2Oq/Fqbw18RfEXiT
Tda+Aiat5EcGh+BvBmkaJrnhP4m3Cl7OrXtVp1Pq+Z5JUjKcnOlilgp1s+pzoKpG8stxVTNK2V53
hqypSxEMvo5Ti8OsNg8ApzUqe0SXsa1PnyzPKTjSiqaot0KGSVqScZJf2lCGUxzLIsTTdSmq2Nr5
jl+JdfMKil5F8QvgZ/wWb8W/tA+OtU8N/tZfBbwF+y7qGufF+88JeCPD134aPxctNIlk+El58C7D
TfGOt/sYa7p3gp7Sfwp8R7Pxv/wkafHFdLt/iFq9w8vxPtpfCWifDT6g+InwY/bG8f8A7VPh7Xbf
473Pgb9kbw1qPwv8Xnwd4G8daHonjXxT4h8A302t6l4U8QaBH+zU3iRPCXjPXBBB8Q7k/tNanoXj
jwVFpfg3TPhj8PZtP8VeJPiOvg74Mfti6n+1pr3xN+LPx1uIf2dfCHirxZrnwf8AhN4E8daIbLxD
Z+I/Bj+DdM074neFrD9mv4dazDoHha2vb7xDYeF/EXxt+OM9z8TV/wCFg2/i7R9E/wCEY+GXgXwX
QP2b/wDgpn8MvEXhqy8A/tS6P468FW2j+KvEHiu9+NvxDt/FGs+IviLrNpZ68mi6poc37KetaqfA
snjGO58N+FLj4cfFb4M2Hws+HN1qpufht8W9fvvDA+H+NFulSyCMIzqSy/D4bEUJVnGVepWoYPF5
jQlnVepUX1nH0aqpQl7epJSzOGBwtT2kac4LStFVp5/zv2dLMK2LwdX2XtFSp0sXiMJlVeeTUadO
UsLg50faV4OlCLo4H65jKEIVa7c6/j/9nz/gqZ8T/ip8R9E1P9p/QPhx+zd4z+JfjZNCk+EnxO8L
aB8VPBfwQv4PAcPhjStDhm/YPHii0+Iu7Q/FU9rrVt+0NE3ga48TeJJLzXfizFrvge3+Cs/jP4J/
8FcNM+DvjPwT8JP2pfhVe/EOfwH480z4e/Ev4pXvha48SaP8QNV/t238EeItduNG/Y7vvCWoeHvD
c2neEddTRrv4b6zqK2Pifxr4H13V/G174b8MfEzVvoH4s+Cv+Cgup/s6fD3w78Iviv8ACPRP2lLL
4oeFb74iePNduLay8Gaj8K9I8R6lca7YadaT/APx7DqeteJfDlvoNrrWi2vgrwHPNLf+I7Pwv8R/
AlzBoviWH5z+E/w0/wCCzfhT4VaTbfFb43fs4fFr432vwx+G/hvVtas/Gth8PPhXq3juOPxzpvxK
8cReGtJ/YK1bxbpviGy/trwd4u03UI/Fdz4D+Id14TtPA1p8GvgPay+IPHPi2Y0I4jDLL1Wq0fqr
w/D9LGyqVqWJxkK+VV6jzp4iUXzKjFRweIzTF06FeGauhWVOVRTxqqVWVDEYjMHR9p9ao4zOKmDh
ClVo0Xg8dTo08ooYeL5qFXGvmxeCwWHn7J4GpWjiK+GjFYan658OvhZ/wUx0b9pX4KeMPiD+0t8J
fFn7NEfw++J8f7RHwoTwtoUPiO4+KOpad4Q0z4Vz/BzXNH+C/hTWYfBGgy+H9a8Sa8PGfjU60dd8
a+LrNofEfh6TwHpXw11vj18Bv21fF/jrx/r/AMEf2ntT+F3g/Wrnw9e+H/BdhrPg+P7RPZeEdJtd
ZM2tfEP9nb46XHgC5fxL4P0G10NfB1vf+Dv7I8afEzxJ4z+H3jXxLc6JbW/C6d8Bv+ChXgr4o6n4
8s/2ntT+I3hzxkfDOn6/4G8Qa18OU8O+E5/EGuaBoni/xJ4O8Ln9nPRhZw/DHwxrfiDxD4AtdL8c
6HFr8Pwu8NaP8S/C3xR8bfFPxj8QdD9G/aw8J/8ABQHxX8RNKi/ZO8c+E/Anw+t/hH4utNeu/E3j
rwJ4Slv/AIk6y+pW/hyTQ7fxB+yF+1JqsWvaLHa6XdaV411JrbwB4Fe8ub3xL8Dv2lF1BfDPg/Wp
iHUo4TEuio8lXPIqhTpRhVjLDvNsfKOKopxdelWpVo4fJKk1VpVHLK8DQqfWMG44eVRVOrmVCNac
4c2SuOJlOU4VPbTyTDx/s9TjKVKFCrFSzZSpwX1aObY3FpKtikvn/wAEfs0f8FUvEnh+OX9or9tX
QW8S+Efjd8Q/H/hDRf2dW8J/DLwt44+HqeMfE3i74LeAfivr2sfsx674uW08LQ2Hw88I+I9P8MMu
j+IPBl9470r4hxfGHUU03W9V4uD4L/8ABc9Pgj4X0Rv2rv2aB+0JYaT+zFa+KfiDejQtU+F+vT+E
fHl5qn7S8ln8OrD9ijwx4g0vxF8SfBn2TRdN8WR+O38L6hZSjRPCfwh+AniPS5viv4i7XSf2c/8A
gqBazeIjf/tGeDJj4k0K58TI6/FvxHc6Dovxig1b4Y6jpYvfDdz+zGvinVPh1HF4U8R2cXh34YfF
f4AeCYLXW/Edp4r+EvxGtPH0UXw39w/YI8Af8FIvA2matB/wUK+NPwe+MmtJ8LfgxoWjar8HTYWG
kXfxL0KPxw3xk8YXvhyP9nn4Q32jt4sk1PwRBZvH4t8R+Hr9fD1zeaH8PfhSZr7T9cMNS+rqnSjV
Uo5dXyXFqNeXt447EZbHNssnKrUnGbx0cTHLMLiM8hiJRp5vSxHD9ecMRSliaeHjEtYirjKnJWh9
Zo5rlynQvQ9jhK+Oy3E0a+Fg5KWFqp5xiJZZOjF1sup4XPKcZUXhsNOti+Jfh5/wU7vP2Q/B3hfw
p8avg5ov7ZcXx403xJ40+Ierato+tfDN/gXH8etU8Uax4G0zyf2TdMXV7y6+Arab8N9Nsx8K/Bvi
Ox1hv7Tufi/qGs6XP4z8Tavgj4Pft9aX+0F8JPEHxA/aG0vx38BvDeqfEnxJ4+0KPxB4L8K6zqV7
4t+H8uneGfCEvg3wl+yboM3jzwl4C8catqH/AAr+9uvjV8Or/wAPeFdKstU+JmnfH3x3f6Lrnw/8
v+NH7Of/AAU1n/4aE8R/s7/tiRaB4u8TRfFKx+A/h/4ja18Nr/4a+GU8Z6T4g1D4e6zr2mT/ALGP
jfWvDlx8G/GN14etNB0a2v8A4iv4y8Kp4uXx/wCJ9fXUfh9oHws9e0b4Wft6aL8HP7DvPjho/ij4
wah+0F4O8Z654obxj4H8Oada/BaY+FdR8f8AgDwLfX37GnjvTfDVjbapD4m0vR/Dfib4cfEHxP4j
8LG4t9O+Ofwk1nxboWq/B2cE+apCbTpSqYfDYyVPGe/Spy4g+pZLLBN3qRjVyWngaOdYmKknlksV
jMVRqVauKzDDR0xz5ZYuEOarCOY4vDU54NcjqUMnWK4hhjqLlyzhh80rYl8PYSlKUnjqdKjhMSqN
LDYbES8F+LfwI/4K1eJ/jx4r1z4V/tP/AA7+HnwS8T/FSxhfTb/xj4f8QatovwCtPhh8VtCXSvAf
gG5/Ymz4K+Iq/EXxf8P/ABjPqWr/ABt+IWp6rqfgO/v9R+ITeB9Z8P8AwY8Fev8AwN+E3/BRyx8I
/tI+Gvjx+0b4SmvfF+ufCuz/AGaPGXg278AeMfiH8IfBll4D8GaB8YL/AMRa3e/sh/CT4c+J/HWq
eMLDxr428ES+Ifgz4y8OR3+tWFlrOnW/h6BPDmn2/wBmP4W/8FG9B8T6br37VX7RngLxdommfE74
23R8CfD2z8GXmj658H/GWueOdR+D+l+KNfb9mj4W+Jrrx98JdKHw08P2eoeE7zwRomtWR8eXfjWH
x7q7eHdSi87/AGe/g/8A8FWvBv7QfwwvvjF+0R8GvFP7KHhyy+P1h8QvAdzqsXxB+MPi6fX7jwxN
8AdW03x5a/sxfBJrG08GGx8SRXmganqWp63omhasNG8ZfET9onxI1p8Q9EzwsFKnDDt1YLOclhWr
VMVOSqZU8JlWX2w9SvBueDzrFPL6dN/UpV4yzXMMyqe2owxeOrQrFycazrfxHlGbV8PQhhoRdHMF
meY161XE0qM4qGKynCrEqUXi1SlRy7L8FhVRqSw2Gw86Hir4Lf8ABWLTtG8LaJ4H/al8HeMLiz+H
vxBsvFXjDxh4l+EXw88Tat478S2Fve6BPb2Gg/8ABOj4keFI5fCOtyXOifDTxra6JpOh+BvDVimq
fF34HftV67rPk+HfNfhr+z9/wWl8PeLfD83j79qr4D+KfAehfGP4Dmx0zSdfv7DxZbfs56D4U+FF
l8fPDfiPW9b/AGV9f0v4l/ELxr4l8HeNLvR9Z13RtD8RTweNdf1Dw/8AFH4RNrWl6J4G63wz+zJ/
wVa8c+CNe8LftEftweG9EutZ+K3xKha//ZmsfC3gC+X9n/xd4+1jWvCOn23ijWf2dbjxn4f+K/w8
8EWnhjwj4X1jwrrui2q2WreLj4w1vx94psvDvj9e50X4Rf8ABUhra5v/ABN+0Z4SF/bfF+0urLwv
4a8a/Ci207WPg7qPxB0nXvEH27xrrP8AwTl1O80DWtE8L6RJ4d8CeAbXwN4gvE8FeJvFfgfxl8fP
E/xKfwf+014L6MJUcq2WVXGMJ4rB5NWqQxVOHsMK8LnOBzWnRzSlTUqCxtSrXjlubxoRrwq5LSzD
B1an1J4ypUyxUNM096o44TFZhTgsLOaljfrOUYjLnUyzao8JTpqeNy6VaeHlQzerh8VyU8RRwio+
r/tVfBn9sPxV4xHxI/ZZ+Olz4K1my8FeEfA+mfD3xD480Twl8NJPO+I0ni34h+NdUstZ/Zq/aNs7
zxbdaLongzwtpl1deFb6+uvBEvxD8GeE9d+DviTxlbfFvQ9zxZ8Pf21rfw38ErDwR8adG1rxJpOt
/EfW/jbrvibVPAXhK31p/EPh7xNceAfDmkabpn7KvjmDxR8NvAfizVdK0q38NaV/wo/4nan4b0Lw
3rviP47+JtV0jxh4f+KXz9+zr8Hv+CrelfFz4a67+1f+0T8G/iB8NfDHxP8A2lfEfiTR/hDqkPge
31f4e+MG8V2f7PXhLxB4Im/ZhtdW8e6l8P8ASNa0SI3tv8bfhnpfhmXRrq68W6Z+0Z4puPD/AI28
Keq+Cfh/+3p4Y/aF8bX+v/Evw54h/Zw8YfGafU/DWizeLfD3ijxP4C+GVxpmq+L7x7LT779nzwBr
fhyG48S+HvD/AMLYfAl/8UvjzcQaX8R/GHj/AEHx54J07w74N+HnhTCjT9tg8vw6nUw9PE0nm/NU
ly4nLXi80wU8RlWNl784TpYivicZVweH+tP6tLMng6lalKjBbVans8Zj8SqcatWji6OWOEKa+q42
GByTG0qWb4OPuqrSq0cPhcIquI9j7bHTwM69CFajKR5BoXwE/wCCpVz4b+H2peLP2uNLs/Gegzac
fFHhHSdf+D+seF9ZTRtVQWN9rfxBsv8Agn98PdS8W6nruj65r3/CyLbR/hb8K/DHiRfCXgjSvh54
b+DWrap4k8eQ4fiH9mf/AIKea54o1RZf2rdK1Dwt4U8WeGtT+Gmtar8SIPDviLxLpWi6TpEd5ceP
/CfwP/ZO+CXhrT/7Z1bRLTUfEngvXNZ+M/h7W9a1HxfqOh6n4F8A+JtN+DfhL0LVPg9/wUd8Y/GT
478V+CPhtr/6/wCoaZpurQR2uq6fY6nbQ32m6nDb6haW97BFqWi6ja6vo+oRw3Mcscd9pOrWNlqm
m3aqLiw1Gztb21kiubeKVL1bKUHUoTlTjy08ZltWvRhKcaeIwdDCYalmuGUpyqVaFTMMXHFYnBV4
zm8rjVo0asM0jSm6uco1fZVowqxVWWFzKlQqzp86pYrEYz2uV4qpTjOmqyy3A3wmIoRnRhmNbkxf
Ng1GWGqfkj8UP+CxPwP+CfhTxH46+LXwF/aj8E+D9J+Jfwn+GHh7XW8OfBXxcnxC1H4w+MPDHhjw
74g8J6T8Pfjt4w8Q6f4b0zSfHPgbx3rjeP8AR/A/iD/hGfF2l6PoPh7XviRa674B0f6I+Df7d3gr
4wfGG5+EUnw08ffC+d/D9/rfhzxJ8UfFPwJ0u18by2+qaEmmaf4O8MeGfjF4s8c64/iTwl4s8J+P
9NmtfDLHQNB8Q6do3xIg8BeN7qx8KXv3NVaeys7qWynubS2uJ9NuXvdOmngimlsLySzu9Oe7spJE
Z7W5fT7++sXngMcrWd7d2xcwXEyPlh7044X6xbETpPGRxLivYQxVOthcNRwclBOcqGIweIpYnGTq
QnKhip4pUZYWlQoQhPTEXqfWvYNYdVaeBeG0dV4TEUMbOvjneckq+Ex+DcMCsPUisThOT6zTx86s
mlZooopjCvx5+PXgD4r/ALTH7QnxRGk/Fe7+GGh/s3fEDwx8OPC+l+GfiN+3b4E/4SR9U+Dvwb+N
l9rfjfSv2Zf29v2Yvh54zzq3xLm0O1sfGHw78RTw6LpC2dxq15Y6lc2EX7DV+QHjP9oD4b/s8/Gf
9rDxF8WtRuvCXgLxF+1p4R8Oa38UdThgsfhj8Lgn7B/7M+vWfiP4weONQu7LRPhx4O1a90W38G6X
4p8QXEGkXHjnxL4T8NSXEF3r9o9e7kUaTqY+dSnQqyp4GDoqvSpV4qvVzPLsNDlp1oThKpNV5UoL
lcnKpyw95o8HP54mFDBxws68J1Ma4z+rynGpKlDA42vNN02p8kfYqpOzslC8vdTHeJ/gX+0p4u+M
Hh7446r+0V4YtPGnhj+yf7N0Twx/w8A8E/B+5/sV7iSz/wCEh/Z58Gf8FO9A+APi7zmuZBq3/CV/
DPWv7fRbePXf7RjtLVIfpr9l34YeEPiNovwd/bY1LVvjfZ/Fb41fBv4ffEfxL4R/4av/AGsNe+AG
lat8R/hx4f1LWbLwv+zX4r+NuvfALQdOsXvpF0RbD4cQ3Ol3C/2va3MeuTXOpTdijpKiSRuskciq
8ciMHR0cBkdGUlWVlIZWUkMCCCQa8a+BPhf44eMf2F/2EvDnwe+IPhf4aaRrP7O3wE0z4seK73QL
3WPiLo/gC6+BugtNqXwVvJLubwnpPxJTV4dO0zTr3x34Y8UeGtNs9Xu/E8mm6je+GbXwx4o6c2hG
WXOpHDYWFeGPweHhKnh6ODjCOIp4xVHXlhqCl7GEqVOpVl7KvVp06c3RpVJv2dTzuH8VWq4yoquJ
xFeh9Rr4lp1ZYiUlRlQknh41qqjOrOnKcaNNVaarVJwg5JuMl9GfD39lv4Z/DLxJ4/8AFfhvxP8A
tGalqnxJs9VsfEVr8Qv2wv2tvi34b06DWb+TUrx/APg34rfG7xp4Q+FF5DcStHpWo/C3QvB2oaDY
CPStDudO0uGGzTL8E/sifCnwB8P/AIg/DTQvFn7T9/4c+JtvFbeI9S8bftu/tofEv4gabHFbzWqN
8Pviz8Rvj74q+KfwkuDHO7S3fwq8ZeDLqa4WG7mmku7eCaL8/NXP/BY34W+Jfj/r/gSw8B/GP4cX
vjDx5B8Bvhr45j+Gnj/xx4V8AeFtSsNA+HV3oeoR/EX9kI3eoeLtG8RT+MLvwf8AGz46/FLxB4sl
+FFxY+JPj98ENS+MEUHw1+TNW+PX/Byfokun6p4Z/Yn+C/j24bxroLap4X8X+Mv2e/Afh7TfCPjP
VdH1Dxhb2eq+HP2qvFniDxrb/C7RrHUdF8FanLcfCnXLK/8AFF7H4l0T4/w+B9K8U+P/AJihKOIq
0qdNVKSr4bJsTCeLp/VlTedYnL8PSwuJblOnQxmWrMFXzun7WdDKqGCzGpXxLjhb1Pra/Nh6dapO
KrLD4nMsLU+qS+se0lllLHVJ4jC02qeJxODxs8EqOV14YdSx1TG4FwpQp1qk6P7bQ/sifCmD4NXf
wJTxZ+0+3gm98QL4mm1yb9t39tC5+Mqaik9tcC2tP2i7j4+y/tB2Hh8yWkSt4TsfifbeFXge5tX0
Zra9vIZzxX+yJ8KfGXwx8DfCPV/Fn7T9n4V+HlxNc6Bq3hT9t39tDwJ8TtQknW7V18c/G3wP8ffD
3xm+J9uovZjDafErx94ttbZktHt4Yn0+wa28q/ZQ8U/8FDNc8a+Mk/bB8B/BDwt4Cl0mOfwGvwt0
C50jX9M1aPSfAGqz2XiXV7n9on4w2/ieG61HxT428I201h4T8Dpa3fwpufE08txpnxA8PaXpP5t6
h8Tf+C+3gTSJdU+HvwC074zXNz41v9NtfCP7Qlh+yDYa/c+G5/jnpg1LxpqHi34F/tdfB7wz8K/D
1r8DtQ1NPhd8MLLw/wDtPeM4NQ8PRaj8Ufi9rWva0mg2qoSeIrZXRjCVOWa4V4qE67hQo4H/AGin
hY4bNK1ScaeAxU6tSMlRrSXJh1UxlaVLCUqteDxElh8NmGKd6sMvnSh7LDxnWxOOVWg8SqmX4aEX
WxEKdKMlVvCnOnXisG4fXKlHD1P2F+In7KXwv+KEvw6m8S+Kf2k9Mf4XaXZ6R4aX4d/tmftg/CGL
U7SxaweCb4i2/wAJvjp4Kg+L+qOdNtxea58Wo/G2taisl+moahdJquqLeanif9mn4deLvjB4e+OO
q+I/2gLTxp4Y/sn+zdE8MftY/tT+Cfg/c/2K9xJZ/wDCQ/s8+DPjJoHwB8Xec1zINW/4Sv4Z61/b
6Lbx67/aMdpapD+Q+ifGb/g4OtvEfi7wZefsr/svar4d8P8Aw1u9T8JfG7xDB4U0qbx98UrDW/iP
eyeGpfhF4W/bf1Gfw/4a17RrP4d+GPDer3vjKym083tx4/8AE3lXOs6p8Mfh76HqHxj/AOC6o+LX
ibwPpv7K37KY+F2g/DHR7rQPjxcX9vcxfED4raXc+NpfElpafCFf2ttP8T+C/DXjO0sPBNj4a0vW
fE+sy/D+51m71bWfG3xBia70Xw4U5e1WGcFK2LxWKwtH2idBxlhFjXOtiVX9k8Dhav1NLC4jHLDU
8W8Xglh3U9tL2dVl7GeMhpV+p4WGL5qLU4YmNSph6cKODloq+K/2mFSeGXLWo04YiVaFN4auqf6a
6P8As0/DrQ/jTqnx7svEf7QE/jnWPtv2vQtY/ax/an8Q/BaH+0NOi0qf+y/2btf+Mmp/s7aH5dtC
ktl/Yvwt0/8AszUjLrGnfZNXnmvpKfw9/Zb+Gfwy8SeP/FfhvxP+0ZqWqfEmz1Wx8RWvxC/bC/a2
+LfhvToNZv5NSvH8A+Dfit8bvGnhD4UXkNxK0elaj8LdC8HahoNgI9K0O507S4YbNPmb9hHxx/wU
l1/xX8XfC/7eHwr8A+GPCnhfQ/Ar/CL4neC/D/gjwlcfEjxHf698R0+JEOp+GPCn7VP7Rlzpmj6B
pFp8Nl8IT6lpngu81ezvtT1fVYYNXvbrwn4T+cv2YvGf/BXc/CL9s9P2jPhB8Q4/in4e+PFj8Q/2
Wbq98TfsOXVx46+BN94106+1v9n/AOHlh8N/Fdj4UtNT8N+CPDGs6J4Y8eftG6n4N13xZqHxK0e6
17xR4Sm0DUL3QavHnrR5vdpZfisxVTkqctWOFx2BwLwlFcntJZhX+vfXMLgpU4VcRgcHjsRBP2Ch
UT3933l9ew2BUl7qk8XhK2Lp4vlqck44GmqSw+JxM4RWExdajh8VGjOU+T9EvBP7Inwp8AfD/wCI
Pw00LxZ+0/f+HPibbxW3iPUvG37bv7aHxL+IGmxxW81qjfD74s/Eb4++Kvin8JLgxzu0t38KvGXg
y6muFhu5ppLu3gmiIf2RPhTB8Grv4Ep4s/afbwTe+IF8TTa5N+27+2hc/GVNRSe2uBbWn7Rdx8fZ
f2g7Dw+ZLSJW8J2PxPtvCrwPc2r6M1te3kM/5ieFvjz/AMF1rP8AaL+EPgq//Yj+FWt/sv8Aij4j
fDS6+KXxf8dfED4M6P8AFL4a/CfxhL4/1j4k6Ze6P8Ov2kb7SNe8ffCy31L4aeGrSXwd8OfEGg3F
z4W8WWumX3xYg8U6d8QtA+g/2tfjF/wVY8F+J/inb/sjfsufDv4t6Jovi39nax+E8fjCP4d6fo3j
TwT4hvRL+0b4i13x/rP7afwu8TaF4h8F6cb3T/DHhaX4CQ2Vpd2Gga1p3if4rxeMdc8P/C8jeU8N
C3L9ZzWeU802lChUpxwreOxMrtUsqlLFwpwzJ3w1SVLFShOVLC16kIqTUI4qdpzWFyqjmzUITlKv
TrRqy+pYWNk6+a0lRl7bLYL63Tk6UHTc61GNT648V/sifCnxl8MfA3wj1fxZ+0/Z+Ffh5cTXOgat
4U/bd/bQ8CfE7UJJ1u1dfHPxt8D/AB98PfGb4n26i9mMNp8SvH3i21tmS0e3hifT7Bra58RP2Uvh
f8UJfh1N4l8U/tJ6Y/wu0uz0jw0vw7/bM/bB+EMWp2li1g8E3xFt/hN8dPBUHxf1RzptuLzXPi1H
421rUVkv01DULpNV1Rbz8cPDH7UX/BxZfeODpni3/gnB+zz4e+HsXijwVZTeLtJ8d/CrxF4nn8LX
nxt8TWHjvW9O8FS/t4aJYTXulfARvCmq6Np+oeM9Lkm8d2eqX7rfWfiKPwR4K/oM0CbVbjQtFn12
D7Nrc+k6bNrFt9ltrH7PqstnC+oQfYrPXfFFpZ+VdtNH9ltfEviK2t9vlQa7q0SLqFwqD9vhPriv
Sj9Ylh1Qr/ucXJwUm6v1Wdq0cO+VctWcYRm5xUOZqahVZqji54N3qShCU3Xop1MI0pRjFQxKXspz
nzOUYQcpKMJOooe6peLeJ/2afh14u+MHh7446r4j/aAtPGnhj+yf7N0Twx+1j+1P4J+D9z/Yr3El
n/wkP7PPgz4yaB8AfF3nNcyDVv8AhK/hnrX9votvHrv9ox2lqkMel/syfDjR/jXffH608SftCTeO
tRkv5bjQdU/a2/as1z4KRtqOkf2JcCx/Zr1v4z6h+znpccdn++sYdM+FdpFper/8T/TEtNe/4mVf
QdFMZ88fD79mD4bfDPxp478e+HPEv7RGpa58RrfWrbxBY/EH9rz9rH4teC9Pj1/VhrN83gT4b/FX
41+M/h38LbiC8UQ6Ld/DHwt4Qu/Dek50Hw7Npehs2nHH8B/sifCn4c+B/iN8PfD/AIs/af1HQPil
p8emeJtQ8eftu/tofFPxzpltHaX1ksnw5+J3xO+Pvi/4lfB7UDDqNw8mrfCTxZ4I1WW7jsb+W9e/
0vTLm0+n6KAPmCy/ZE+FNh8GtW+BMHiz9p+TwTrXiCPxNea5e/tu/toaj8ZYdRin0y4W20n9ovUP
j7dftB6B4fMmk2qyeE9C+J+neFZoJdTtZtGe21rWIb88S/sifCnxX8KfBXwa1TxZ+0/a+EfAOoT6
noWseGv23f20PBnxWv7m4OqGSPxr8d/B/wAfdC+OHxJ09TrF35Gk/EX4h+KdKtRDpYtrKEaHoo0/
6fooA+aPiL+yb8Lfija/Dez8S+Kv2l9Mh+FejwaH4Yf4dftpftjfB+61Syto9Kijn+JF98Jfjv4J
vfjJrDLo9oZ/EPxeuPHGv3Uk2qzXWpzTa7rb6hseL/2afh143+Lnhf42az4j/aAsvGXhD+xP7J0b
wh+1j+1P8PvhHd/2BfXOoWP/AAlH7P8A4C+Mnhr4D+N/Pnu5Y9b/AOE0+G+v/wDCS2KW2meI/wC1
dNsrO0g9/ooA8A0/9mn4daZ8bb39oC28R/tASeO9Q+0+foOoftY/tT6t8Eo/tWhp4el+xfs0ar8Z
Lz9nDTNlhGtxbf2d8KbT7HrhfxPZ+R4lkk1Z6/w+/Zg+G3wz8aeO/HvhzxL+0RqWufEa31q28QWP
xB/a8/ax+LXgvT49f1YazfN4E+G/xV+NfjP4d/C24gvFEOi3fwx8LeELvw3pOdB8OzaXobNpx+h6
KAPmDwH+yJ8Kfhz4H+I3w98P+LP2n9R0D4pafHpnibUPHn7bv7aHxT8c6ZbR2l9ZLJ8Ofid8Tvj7
4v8AiV8HtQMOo3Dyat8JPFngjVZbuOxv5b17/S9MubQsv2RPhTYfBrVvgTB4s/afk8E614gj8TXm
uXv7bv7aGo/GWHUYp9MuFttJ/aL1D4+3X7QegeHzJpNqsnhPQvifp3hWaCXU7WbRntta1iG/+n6K
APmDxL+yJ8KfFfwp8FfBrVPFn7T9r4R8A6hPqehax4a/bd/bQ8GfFa/ubg6oZI/Gvx38H/H3Qvjh
8SdPU6xd+RpPxF+IfinSrUQ6WLayhGh6KNPsfEX9k34W/FG1+G9n4l8VftL6ZD8K9Hg0Pww/w6/b
S/bG+D91qllbR6VFHP8AEi++Evx38E3vxk1hl0e0M/iH4vXHjjX7qSbVZrrU5ptd1t9Q+l6KAPN4
fhX4Yg+LF38Z01T4kN4vvfA6/D2bR5vjJ8Xrn4TpoKaxba4L+0+Atx44l+Blh44N7aRQN8TbD4dW
3xJfR3ufDz+LG0C9vNMn9IoooAK/ms/bp+Ff7UPxd+NX7Qvh/wCDPw/tPHfwy0r9q7w54k+Ix8L/
ABJtPB/xm0DWLH9hz9lqw8Pa38N/CvifX/hd4I8X+K9Hi1S88R/CfxNe/tC/BDWPgp8eNA+GPxit
9T8aaZ4R1HwTq/8ASnX823/BRP48fFb9n28/ad8V/Cfxp8QvAWq6/wDt0fDPwXf6/wCAPAnwb8ZP
I/iD9hD9m6Lwp4e1u++N99F4V8JQeNPHkPhbwRoWs6bovjLxNceLPEmhaXongvxPc3v9kXftZJZV
q87z5orLo0YxcVCWIr5/k+Fw3tua37qniK9Ks3FqdOVKFWm/aU4p+NnPtOTBxpeyUpYqtJzqqpJU
6dHK8xxFaUFSUqkpulRnTVOEKkq0ZyoRp1HV5X+yVqhjtreNjOWSCFGN06S3JKxqpNxJGzxyTkj9
88bMjybmRmUgnyD4EftB+A/2fP2Ef2INY8eaB8cNftPEP7NPwF0ywh+CH7Mn7SX7TWq29za/B3wh
dSya5oX7N3wn+K+t+GNPaIhbbVvEun6TpV5c5s7S9nuwYB4J+1J+1t4z/ZqvtAg0/wDZ5+Kfxj0r
xH8LvHXibSdZ+Gvw3/aK+I91cfE7wpqngqDQfhfreg/s/fs6fHufwHD420TxB4i1Wy8c+P7vwxoV
lqXhuDQrW21qK913WPCX0j+zn8cvhd8D/wBgv9i/WPiP4rsNFutb/Ze+ANh4O8KRN/aPjz4i+IV+
EngsW3g/4aeB7Ez+J/iB4z1K4urOy0zwv4U03VNYvby8tYYrU+crV25nUUsnq11ecambUKMVThOV
SWIpTzfBzw6oKLrrETxFK1DDypqviKVbCYihTqYfG4SrX8HhmjKliqF4ulSnlUp0p1p0owdG2XVv
auup/VpU6UKsYYivCo6FHEUsVh6lSFfCYqnR+Xf2n/23P2vfhV+0v4b8PeAvgx8Y7/8AZ+8b/B/R
vE/w+8V+H/8Agn1+0L+0TZ6r4svtR8MazqujeP8AUvhR8TND8b/Cvx9e6ZHqvw90TwR8bPh38APC
vw3vddT4l+L/AIgfFK0tNc8BfDXyH4V/tdf8FT9I+LvwP8M/tDfCJtP+JXxV8L+CtL8efs8eGP2R
v2iL39m34XeK5vA1zd6l4k1T/goT8HbT9pT4XfD7Ttf8byava6na6ze/GY+FjoHgXwnqmjeFNA8Y
+JPjjoP6qSfts/s1aVq3irRvHHxFh+FDeCPEHhLwT4l8T/F3RPEHw1+Eq/EnxnKLLTPhT4U/aB8W
aZpv7PvxR+KVjrYn8MeIvAXwl+KXjvxH4b8U2d54e1qxs9Vt5LYb4/a8/ZhuLXwTqGjfHX4beLtN
+Inxig/Z+8J6t4B8S2PxE0e++M9xpd3rC/Dy/wBX8DP4h03w/wCIIrCzZ7uHxFdaTb2NzeaRp95c
QahrmjWt/wDMUPchCjTnHFfWa9H6tV56eJlVnWx81ClhK1JuGJp4ytnuWYClGDrRlTjklHBunVru
eN+0r2nVVSbnhXRoSjVoWlh1HmwilKtiaNaPtaVaOFyzFV2peyjTcMxxLpRqxrVaf4neC/2uf+Cv
vxT+P/xP/ZH1H4Wa9+z/AH3hLxxB4H8B/tF337FXxW+I3hDxt8P5Phf4I13XPjFq3xw13xD8Nf2S
dP8AEPhzxXF46t9MsvCt74stvFOv6t4f8BaV8IL6y0TVPiDP7bon7XH7cPxT/aM8X+Gfh78Lf2jP
A9v4O8IfEu58RTeM/wBmXx1d/sT+FL/S1+GfhPwxNoniX45/s8fsWftP/tM+KF1lviD8Q9L0/wCA
/jy10fVtO0nWfBlvpXinR/GHgD4m+C/0N8Qf8FC/2EfDNne3mp/ti/s1SjThfyX1lonxn8AeJtYt
bbRtd0Lw14i1CbQfDWu6traaV4T1jxNoNv4z1c6f/ZngyDUoNR8U3ekaast3Hd8Xft8fsReAviDY
/Crxp+1r+zv4Y+IV9fSaV/wi+tfF3wRY32na0NZfw7aaB4gkm1lbPwz4i1vxBBf6F4Y8PeIrnS9a
8Waxo3iHTPDNhq174c16DTsP3f1bA3rN0fqVHDUsR7VJ491ctq5NHHTrxa9tisVXbzCM8PKnh1nN
GNXC0KVOM8NLSMZqvjZLmdR4urXq0nCMo4DkzOnmP1OFGUXGlh8N7Wnl/JXjUrSy2tDC4urXcqdQ
/Lj9m/8Abu/4KK/F2L9o74++Mv2e/HXg34T/AAL0iPwx4f8AgN8Qv2L/ANqj9n3x98SP7S0DQPEW
ofGX4Z6drHhX43/Gz9oLxBoOtaF4h8JeE/hB4R+Hvwh03VdP8ZyR+NPEWkav4b0HxD4g09O/4KG/
t6z/ALDN/wDtYXP7LnxfbxnD49+HHgC1+Ao/4JyftG6b+0TFENf1JPiL8QNV/Zsuv2lLnxgfCeva
bqHhLR9PHhTxv4u0z4QwWfjD4jw+L/2j/s1l8K4/3gsL+w1WwstU0u9tNS0zUrS2v9O1GwuYbywv
7C8hS4tL2yu7d5Le6tLq3kjntrmCSSGeGRJYnZGVjbrrTnSVGjOC58LUwF3VppVZyy+tVrV6eJ0j
7VZliK1eWYxqRuqcqeBwX1HLsHgcHhcpKFaeKrUpuFLHQxLVOjUc6FKOKw2FoYeeCnUlVrYf6lDC
U6uDlSrpVa9XFYjHfXamMxMqv85PxV/4KI/8FPfhh+yV8IPjv4W/Y/8Aix8UfH/jD9oHVfAUnw81
X9jX47WHjK/+A6eOPhxG3xT8d/BT4O6r8YPi18ONYsPAsPxWh8M6946t/g5P4rubTSPGet/s9eFN
T1Xw38F9R+nNd/bV/ba+Dt/a3PxV+Cz/ABK0v4s6ZZeIvg/oPwb/AGKP24ZfEHgHQL3TdM1eSx+K
Ou/DSx/al8M3fxItLvxZpvgqy8A/GU/sVaTqGqfD/wAY+LfE/wAQPh7oHiOysPBv7NUVy+yfsvZK
tWX7utSdXmg6rp1ssy3LUudwaVSlUy55pRxEVHExzTMMyqutLDYmOFpbRk1UlNqMlL2clTlGKpxq
08xx2YKrFRUZe9HGrL6mHlKWDqZdgsDRlhnVoyr1fwm1f9ub/gpF4c8K/AHwL4t/Zd1fSP2sfGXw
StLv4v8Aw5+H/wCxr+0H8bvhPoHxy8VR+NI9E/4Rn9pXw78bPC37Ivhzw54Ll8L6BP4i+H3xJ/al
0q18SS/ELSNN1f8AaD+EFj4f1XxPed94D/bs/bOf4keFf2avE/7HPxc1v4v2Xwe8S634u+Juj/BP
4twfAE/ELwR8F/EHiO28P+KPj7488N/A79n3TfHvxT+Jk3gjQtE8IfBbx98cvhDoRj8a6PJ+0NcS
/wBj6jY/s3RWuIXt/r6i3ho46nWhGOHtH6jKq80lCtgJ1FVqUqmHlmjdFVZ1qMll+VwxFKvTwahO
KS9l9W1dT6tUwc/3r5vrEML/AGV7WjibcrqU8dLK5Sxkly1l/aeaxwlbCU8TThQ/ne/Zf/4KLf8A
BV74z+Hv2r9E+IH7BFz8PviF8F/D2jah8O77xD+z9+0p8MrvxvNa/DHwuvjeb4d+A/ihquk/Ar9o
rXdN+NT+MrDSPh94e/b1+DdvrHhG00iHwn8TPHOimL4ta5taP/wUn/4KI+NPhn+1h8TPAP7DnxZv
NF+C37Q3wR0H4TWXxD/Yu/aH+DnxG+JX7N2ueBdN1r42+PLf4H/Eb4naJ8SfG+v+G/Gdl4j8M6C/
wft/G3ivTdP1Pw/qS/A/x/e2FxpWvf0D0UYhOvVqVYyeG9phsuw/s8OoxpQll+LwmKliqcKsavJi
cwjhZ4TMZJ+yr4TG4uFOjRqvD1sOYdewhTjJvEunXzCup4iznNY+hiKMaFR0VRU6GAdeNfL4tc9G
vhsPKrUrxVaFb8Tv2Av+Chf7YHxQ+BHiH49ft+fskfF39nvRdE8G/BXRrfwp8P8A9jf9qXW/iRrP
xo1t/F8fxnh0P4J6TN8V/wBpbUfAXhyT/hXsel6ndfAPSPCOjPfeIZtO+L3xW0u3vNU8Nfol4r/a
7+FPg34Y+Bvi5q/hP9p+88K/EO4mttA0nwp+xF+2h47+J2nyQLds7eOfgl4H+AXiH4zfDC3YWUwh
u/iV4B8JWtyz2iW80r6hYLc/T9FbV6qrValVUqVBVKlSao0IyjSpqpOU/Z01OdSap0+bkpqU5SUI
xi5Nq7zo03Spwg6tWs4UsPTdSs4upUdDD0cO6s+SFOHta7o/WMQ4QhGeJq1qkYQU1CPzZ8RP2rfh
f8L5fh1D4l8LftJ6m/xR0uz1fw03w7/Yz/bB+L0WmWl81gkEPxFuPhN8C/GsHwg1RDqVubzQ/i1J
4J1rTljv31DT7VNK1RrPQ8WftN/DjwZ8XvDvwQ1jw3+0JeeM/FEmhxaZrXhP9kn9qzx78IbZvENx
La2B8RftB+Bvgx4i+AnhCO3lhdtcm8W/ErRIvDNuYrzxI+k2k0M8n0HRWRqeAaf+0t8OtT+Nt7+z
/beHP2gI/Hen/afP17UP2Tv2p9J+CUn2XQ08Qy/Yv2l9V+Ddn+zhqe+wkW3tv7O+K139s1wP4Ys/
P8SxyaSlf4fftP8Aw2+JnjTx34C8OeGv2iNN1z4c2+tXPiC++IP7If7WPwl8F6hHoGrDRr5fAnxI
+KvwU8GfDv4pXE94wm0W0+GPinxfd+JNJzr3h2HVNDVtRH0PRQB8weA/2u/hT8RvA/xG+IXh/wAJ
/tP6doHwt0+PU/E2n+PP2Iv20PhZ451O2ktL69WP4c/DH4nfALwh8SvjDqAh064STSfhJ4T8b6rF
dyWNhLZJf6ppltdll+138Kb/AODWrfHaDwn+0/H4J0XxBH4ZvNDvf2Iv20NO+Ms2oyz6Zbrc6T+z
pqHwCtf2g9f8PiTVrVpPFmhfDDUfCsMEWp3U2spbaLrE1h9P0UAfMHiX9rv4U+FPhT4K+MuqeE/2
n7rwj4+1CfTNC0fw1+xF+2h4z+K1hc251QSSeNfgR4P+AWu/HD4baex0e78jVviL8PPC2lXQm0s2
17MNc0U6hY+Iv7WXwt+F1r8N7zxL4V/aX1OH4qaPBrnhhPh1+xb+2N8YLrS7K5j0qWOD4kWPwl+B
Hja9+DesKusWgn8PfF638D6/ayQ6rDdaZDNoWtpp/wBL0UAeAeL/ANpb4deCPi54X+Ces+HP2gL3
xl4v/sT+ydZ8IfsnftT/ABB+Edp/b99c6fY/8JR+0B4C+DfiX4D+CPIntJZNb/4TT4kaB/wjVi9t
qfiP+ytNvbO7nNP/AGlvh1qfxtvf2f7bw5+0BH470/7T5+vah+yd+1PpPwSk+y6GniGX7F+0vqvw
bs/2cNT32Ei29t/Z3xWu/tmuB/DFn5/iWOTSU9/ooA+ePh9+0/8ADb4meNPHfgLw54a/aI03XPhz
b61c+IL74g/sh/tY/CXwXqEegasNGvl8CfEj4q/BTwZ8O/ilcT3jCbRbT4Y+KfF934k0nOveHYdU
0NW1EY/gP9rv4U/EbwP8RviF4f8ACf7T+naB8LdPj1PxNp/jz9iL9tD4WeOdTtpLS+vVj+HPwx+J
3wC8IfEr4w6gIdOuEk0n4SeE/G+qxXcljYS2SX+qaZbXf0/RQB5P8GvjP4Q+O3hGTxt4J0f4saHo
0WsXuhtZfGX4C/HP9nTxcb2wgs7ieeP4f/tB/Dr4YePJtHkjvoVsvEMPhuTQNRnS8ttP1O6udPv4
rb1iiigAr+R3/gsJ4P0fxr45+Nun3nh7x14b1zT/ANrHU9S0H9oXwL8Hfg78VdR+HVhZf8E4f2ct
d8Z+C5dY1Xwn8a/2nPhXpPjbwz4duNd8R+PP2Zv2avi3q0Gl+BlsPGb+HNBuDqC/1xV/K1/wVB+H
vxT8T/E/42694EtbbxhpFj+2p4G0u7+GEPh/xv4s8S+JPHEP7Dn7MPiz4aan4S8Ny6T+0R8CtQ1j
TvFHhqC0/tL4w/8ABP39qbT/AABBfv8AF6LxB8Brf4aT/F/wl7OSJPEVOa6ivqDdRRc3Sm86yuNC
oqNNxr4l/WZUYRwtCcJ4mU1RmqtCdahV8zM5ciwk+anGUa+Ia9rOlRpOH9l5j9YVbFYilXwmCw/1
X28sTjsZhsVhsHhlVxFTD1fZxR69/wAFT/2obn9m/wAHeEL22/aa8Xfs+/2z8MfG6WEen6p+yVoX
hD4h3uoTeFvCrvpegftCa/8ABX4heOvHXw/0vxJfePdK8JfAz9qL4EeJ9LsdOj1Py/HmoNo/g3UP
2G/Yp8PeH9c/Yt/Ybv8AWtE0jWb3wt+zb+z74g8MX2q6ZZX934d16T4GaN4ffXNCuLuGabR9Yk0D
Xtc0R9S0+S3vW0jWtW01pzZ6jeQzfj7/AMFQdF/4KV3/AIn/AGYNW/4J92Hj+y1HT9X1u1+NXjHw
jB8IvFjeEfBN+dCub/Z8Mfjv+2p+zl8Dfif4k1ebTE0XT9N8VfB/xhqmj6PfeI9d8DfGb4Ma5BHp
vjn9LPgN+0J4D/Z9/YQ/Ye1nx7oHxw1618Q/s0fATTbGH4IfsyftJftNarb3Vr8HPCF1LJrmhfs2
/Cn4s634X09ozsttW8SWGlaVd3ObO0vri7Uw12YhOWQ4urUv7ZcU16TdW8a7p06eMxGFnSjzSU8v
jSxMYYTFRVJVMTTx1OFKNPD0m/CyHljWyuhTcfZ/6spzhDSPNiPqOGxEMVTnF4ihjaqw0li8LicT
imqEsPfkqVMTUxND4s/8Eiv+Cfnxy8Y/Efx38Ufgn4h8S6/8WdV8Hax46ii+Pv7R/h/w1qdz4C8e
3/xW8N22m+CPDHxd0bwV4W0WP4qatq3xP1rw74T8P6H4f8V/EfV9W8d+K9M1rxVqd9q1xo+Dv+CU
/wCxB4W8HeGvB2tfCrUviqvhHxtqXxO8P+JfjJ8QPHvxI8V6D8UNRsPBGkQfEjwlqeveIpbb4eeM
/DGi/DnwhoPw41f4a2Hg7/hU3h/TrzQfhZD4N0fX/EVlq30F8RP2rfhf8L5fh1D4l8LftJ6m/wAU
dLs9X8NN8O/2M/2wfi9FplpfNYJBD8Rbj4TfAvxrB8INUQ6lbm80P4tSeCda05Y799Q0+1TStUaz
1PE/7S3w68I/GDw98DtV8OftAXfjTxP/AGT/AGbrfhj9k79qfxt8H7b+2nuI7P8A4SH9obwZ8G9f
+APhHyWtpDq3/CV/EzRf7ARreTXf7Oju7V5vmqP+zwoUqH7inhpVJYenR/d08PKtVwVarKjCHLGl
KrWy3L6tSUFFzq4DB1JNywtBw+vqpVq2IxFZKtiMUoxxVeqlUrYmMYYunGNerO860Y08fjqaVSUk
oY3FxS5cRWU/lvxR/wAEjf8Agn34y8a+F/iH4j+BN3qfi3wT4YvvCHhK7u/i58brnRtC0PU9H8Ia
BqMMHgq6+JE/gW9utS0fwB4LsNV1DVvDOoXusWvhvTINXnvoY5I5PPY/+CIv/BOWbXvhf411n4Tf
ETWviN8JNL+C1l4W+IqftK/tKeD/ABNJq3wB0ODQ/hx4y1S0+G3xZ8E+E5/Gdl5Mutaxrtn4ZsZP
EHiS9vte1aG51C4aYfc2j/tLfDrXPjTqnwEsvDn7QEHjnR/tv2vXdY/ZO/an8PfBab+z9Oi1Wf8A
sv8AaR1/4N6Z+ztrnmW0yRWX9i/FLUP7T1IS6Pp32vV4JrGOn8Pf2pPhn8TfEnj/AMKeG/DH7Rmm
6p8NrPVb7xFdfEL9j39rb4SeG9Rg0a/k028TwD4y+K3wR8F+EPiveTXETSaVp3wt13xjqGvWBj1X
Q7bUdLmhvHmnCFKEKdOEYQpTwdSjCMUo0J5di8wx+Bnh42th5YXHZrmWNoyoqDji8biMSn7ao5lS
lKbqucnJ14VaddybbxFOthsBg6tOvd/v4TwmVZbhXGrzxWGwGEoJKlQpwj9AWFlDpthZadbvdyW9
haW1lBJqF/f6rfyQ2sKQRPe6pqlzeanqV2yRq1zf6jd3V/eTF7i7uZ7iSSVsLxt438F/DXwj4k+I
HxG8XeGPAPgPwbo1/wCIvF/jbxpr2leFvCXhXw/pVu93qeu+I/EeuXdjo+iaPp1rHJc32p6leW1l
aQI8080calh4R4J/a7+FPj/4f/EH4l6F4T/afsPDnwyt4rnxHpvjb9iL9tD4afEDUo5bea6Rfh98
JviN8AvCvxT+LdwI4HWW0+FXg3xndQ3DQ2k0Md3cQQy8J8Rvjp+z98ZP2YfFnjHxn4O/a9f4Ra1q
9r4R1fRvDn7Kn/BQL4Z/tGW+q2uq6Zd6brfhH4X+BPhB4R/a+8PLpOrppuqaT8UPAfhPTLXRLmyO
saf4rszplxd2yxEsROnXnSlCeKlCrKlLEObpyxEoycJV5RvUcJVGnVcbzcXJq8rDoxowlShOMoYe
MqcZRoqMZRoxaUo0ou0FJQTVNNKKaSehd13/AIKJ/sKeHPC1/wCL9W/az+A8en6Z4Pg8eXuj2fxE
8P6t47h8LXOmeBtZh1AfDPSbu++I0tw2m/E74cXJ0iHwrJrKDx94NifT1n8S6PFed+n7X/7Lb+Ff
Anj0/H/4UxfD/wCJk+o2PgT4iXHjPRrX4eeI9W0vxr4f+G9x4es/HtzdReEYvFM/xB8UaJ4I0vwp
d6zbeI9b8VXU2g6Npd/qen6lbWnxB4h+Gv8AwTz8B6L+y/8AtPap8CP2t9Sb4feHfEvgL4BRaH+z
1/wU1+J3xF8BaL4i17SvFfic+Ov2ePDPgPxZ8SvCGoa9rfgfQru+8ZfHP4X6brmqrpWjacuvXFld
2FndYX7S/wCzX/wS71vRPhn4T+On7JXxr8eWfxL1vwj8UdB1HwB+yj+318S/EkuseG/EmjeI/Ag+
NXj74F/DXxH4s8Fr4FvJdM0jwr8Pvj/4j8P2fw+8D2l58PtK8MaD8PtJ1Tw5abT9m5Yf2fOoPFU1
inNxlKngv7UcK1TDxioqtinklsRTo1JUKKzRvBSrvCL6+8F7dLFXVKUlQrfUrOcVUxMcA/q/1rSb
o0K2acqrOl7eph8BeUFisQ1FfbPgr9uf9kz4m6d8QdX+Fvxs8M/FbTfhYnw9/wCE7vPhVZ+IfibD
ol18U9f1bwv4H0pD4F0bxAdX1/Vdd0PU7C98OaGNS17w6YIrjxLp2j2l5ZT3FSf9vr9jDS/CUnjL
xd+0n8KPhlY2nhvRvFms6B8ZfE1v8E/iN4V0bxF4h1LwfoJ8cfCX4tr4L+KXgTVdY8Y6Pqvg7TfD
3jLwdofiG88X6bfeFoNLfX7abT08g8UeC/2I/CvxT8JfATX/AIE/G7XfiBqGtf2/4H+IVh+zV+2l
8UPDvw91Pxq1jbTP4Z/bN0L4c+K/AHwIsxZeGNG0W/0vTfjh4C0rwl4X0bw/4cvrLRPDVto+nDzG
x/Zv/wCCe3ijxX4J/Y3T4M/taC6+Bl3pl34P1XWvBv8AwUw8PfDG1PgbQfB76VZy/tg67ZaX8J/i
ZpEGieDPCOk22h6z8cfF+i+IW0RPDIsNVvV1DTHwkqzklGVOnB1sDFzlCVaUKEnjIZlWVNToKpWp
L+z6+Bwzq0oV39cwlfF4f9xjTpo+yuvrHtGuXFyl7FxT508PPAU05p+7JLF4fF1mr03LD4ujh6nJ
VwNT7Q1X9tD9kfw54b8AeLPGX7SvwR+HejfFL4Uv8cvAJ+KPxJ8KfC3VfEvwgt9CsPE2o/EWz8O/
EPU/DPiGHwroehanY6j4l1S90u1h8Lw3CJ4hOmTK8a9XL+0x+zfBoHxN8VT/ALQPwRh8L/BS3sLv
4y+JJfit4Dj0D4SWmq6La+JNLuvibrD68NO8BW+peHb6y16wm8VXOlR3mi3drqlu0ljcRTv+YWr/
ALK37CP7WPxw+M13/wAIx+2j4K8MR/Bn4r/DP9oP4B2H7NX7Vn7JX7N3x8tvG2vXMPjn4k6h4q1D
9nX4T6/8b/jnqiPeaFpnjz4N/GzWPF/ifwJqesabaw+IPCPivX/7bXwp+zb/AMEy/ix8Ef2htVv/
ANnz9rfxT4CXwnqXhDxrZ/GX9nX/AIKUeCvi74f+HPiPQNV0XV/h3+yx4N+I3w38G/HTQvC+v+Fb
3U/D3jnQv2Q/D8GofESPUL1vipL4v8S+IdTv9VqrKcqWMnh6caVWWCqzy7D16zqxhmKzHMYUsNj8
RSoU+bBrLYZXUWMwuH9tXrVcZUngsC6dLBPHDqcXgo4ucan+14enmVTC03BfUpZbgqlfF4ClXqSc
q8cz/tGh9TxNSnGnR+pcmLxUfb4l/pjZ/tUfsw6j4tsfAOn/ALR3wGvvHep+KtP8Cab4Ks/i/wDD
268W6h431bwk/j/SvBtj4cg8QvrF34q1PwJHJ410/wAPQWcmr3nhJH8SW1nJo6teiC6/as/ZustD
0DX7r41/DuG38WaT4i1nwlpTeJLH/hL/ABda+EdF8ZeIfE1r4T8CLIfG3ibW9C0b4d+Pr7U/Dehe
H9Q8RWsfgrxVHJpYn0DVIrX4Vf4cf8E89S+HHwZ/aaf4B/tXr4c/Zj+JWgaj8ItDP7OH/BSzTvil
4Z8eeGl8XaV4d8SP+yt/wr61+M/xA0rRYfin40isfFnin4P+LfCFnZ+ItZuBqiWtnNNZN1z4ffsF
/D/wn8N/2gtU+E37Zd9oXijxL8QNT+Hvhzwf+zx/wUj8T+MfCUnxD+Elt8G/HWj+Nv2cvhX8Mrz4
neD/AAvrnhHQtT1C2tfj58NYLCw8c+KNe8deGbmw8YeK4dUuNKnJzYlUeZqNSu8JOqlH21CFDKo4
dYiEHN0MRXxdTOZ1Y05V6OHweFwCjWxGIxNaNC8PbnoPFp+zcIrErDy9+NX22Z80qEqseWVNYeGT
NRqRhJ18TmcXNU8FhZ477n8QftWfs/aB8LLP41w/EjTvGnww1DxRc+DLLxX8I9J8SfG2C58S6Zrm
q+HPEmnRad8HtG8c6yw8Dap4f8Sr8Sb3+zhp3wzsPCni7WfiBd+G9G8J+I7/AEz034ffEXwr8UdA
ufE3g6fWZ9JtPE3jHwfcnX/Cfi3wTqUWveAvFWseC/Etu2heNtD8Pa6bKHX9C1FNJ1pdNOieJ9JF
l4k8MajrHhvVtJ1a9/MfXPgn/wAE6v2efhx4A+D9n+z/APtSaT4b+L2paL8RbTW/g38B/wDgpL8S
PidrF4l9rEumWXx8+PPwY8GeL/jH4asbax+I3iXwpefDT9ov4iaLpdn8Otf8T/DbVfCkPw6g1vw1
bfU3h34ifAb9m34iwfs5eH/DH7Vlz4h+JXjnVPHn9sf8KJ/bs/aD+Ftt4o+LfiO+1jVZdR/aXvfh
/wDE34M/DXw+NbnvLqfwtqfxX8KeDPhpYTRxjRvCWiS20bC5L1r83LzVHh2rX5OTAKlCtHbmc3mk
qlSErKEMBCNJupiJ0sI/WPZYbn9iq/PBYxRc3S9nbM/aSwzaU+dv+xlCNWPKl/ablN3wsV9lUV4B
p/7S3w61P423v7P9t4c/aAj8d6f9p8/XtQ/ZO/an0n4JSfZdDTxDL9i/aX1X4N2f7OGp77CRbe2/
s74rXf2zXA/hiz8/xLHJpKV/h9+0/wDDb4meNPHfgLw54a/aI03XPhzb61c+IL74g/sh/tY/CXwX
qEegasNGvl8CfEj4q/BTwZ8O/ilcT3jCbRbT4Y+KfF934k0nOveHYdU0NW1ESbH0PRXzB4D/AGu/
hT8RvA/xG+IXh/wn+0/p2gfC3T49T8Taf48/Yi/bQ+FnjnU7aS0vr1Y/hz8Mfid8AvCHxK+MOoCH
TrhJNJ+EnhPxvqsV3JY2Etkl/qmmW12WX7Xfwpv/AINat8doPCf7T8fgnRfEEfhm80O9/Yi/bQ07
4yzajLPplutzpP7OmofAK1/aD1/w+JNWtWk8WaF8MNR8KwwRandTayltousTWAB9P0V8weJf2u/h
T4U+FPgr4y6p4T/afuvCPj7UJ9M0LR/DX7EX7aHjP4rWFzbnVBJJ41+BHg/4Ba78cPhtp7HR7vyN
W+Ivw88LaVdCbSzbXsw1zRTqFj4i/tZfC34XWvw3vPEvhX9pfU4fipo8GueGE+HX7Fv7Y3xgutLs
rmPSpY4PiRY/CX4EeNr34N6wq6xaCfw98XrfwPr9rJDqsN1pkM2ha2mngH0vRXgHi/8AaW+HXgj4
ueF/gnrPhz9oC98ZeL/7E/snWfCH7J37U/xB+Edp/b99c6fY/wDCUftAeAvg34l+A/gjyJ7SWTW/
+E0+JGgf8I1Yvban4j/srTb2zu5zT/2lvh1qfxtvf2f7bw5+0BH470/7T5+vah+yd+1PpPwSk+y6
GniGX7F+0vqvwbs/2cNT32Ei29t/Z3xWu/tmuB/DFn5/iWOTSUAPf6K+ePh9+0/8NviZ408d+AvD
nhr9ojTdc+HNvrVz4gvviD+yH+1j8JfBeoR6Bqw0a+XwJ8SPir8FPBnw7+KVxPeMJtFtPhj4p8X3
fiTSc694dh1TQ1bURj+A/wBrv4U/EbwP8RviF4f8J/tP6doHwt0+PU/E2n+PP2Iv20PhZ451O2kt
L69WP4c/DH4nfALwh8SvjDqAh064STSfhJ4T8b6rFdyWNhLZJf6ppltdgH0/RXk/wa+M/hD47eEZ
PG3gnR/ixoejRaxe6G1l8ZfgL8c/2dPFxvbCCzuJ54/h/wDtB/Dr4YePJtHkjvoVsvEMPhuTQNRn
S8ttP1O6udPv4rb1igAr+T3/AIK6+HdV+Kx/bP8Ahj8P38FXXxJ8CfH7S/2ltR0zxz8AfFP7RNlH
8KPh1+xZ+yJ4Q8WapoHw21a50z9m3xx4rg1vx94bWx8G/tJ3eueEU0ZPEHxB0Dwfc+J/h7pvizwh
/WFX49eLv2Yv2a/2jvjr+1wv7Q37PXwO+PK+Dv2lPDsvhEfGf4TeAviiPCsutfsY/sdjWJPDg8ca
Brg0OTVhpOljU30z7K1+NN0/7UZfsdv5ft5HBzq4tt2p0sNQxFRxbjVhPDZpl1fB1qLtKDlhsxp4
PE1aNWLhi8NRr4P2mGniIYvD+PnGKWD/ALOxOvNTzFcn7uFanJPBY2NejVozcFOnicK6+F5o1ISw
868MWo4hYd4TEfZGmhhp1gHaFnFlahmt/KFuzCCMM0AhVYfJJyYvKVYthXy1CYFfG/g79sW9/Zc/
ZZ/4JnaAnwuvPiB4f+JH7JWieKPHOu6be+PhqfgLwR8Ef2bvAvjbxBqulaP4L+EXxI0TU9W1WC9j
03S5fin4w+Bnwyt9QNvY6z8WNM1nV/D+j6v9poiRIkcaLHHGqpHGihEREAVERVAVVVQFVVACgAAA
Crn7DP8AyZN+x5/2az+z5/6qXwjXXnXtKuVV3RqKjJ5tltTmlTVSLpxjj6lWk4c0bKtSU6LlGSlT
VT2kHzxieBwhCnhsZRpV4Srwo5TVoySrShOUo/VaUaiquE25QqctVOdOSm42nFxlJH5z6b/wXf8A
2dde8Y/FH4beGP2dP2sPFHxK+D3xF8GfC7xx4H0OD9lm4vbHxV49i+Htv4ft7XxLcftUWvw/vYx4
n+JvhjwNrMUXjH+0vDviz+17fXtP07SdF1DWIZdM/wCC/X7DGp+Jvi34bGh/tC2SfBnx54N+HHin
X734WWQ0O+8S+M/B+k+Po4/D/wBl8XXes31l4e8HTeL/ABJ4kvLrRtPW00L4Y+Oda09dU0g+Dr7x
f+3NFfMwSTr87lJToYKFCzjF0MTRpZZDG15Pkkq1LG1cPmlanh2oSwn9pUKca9aOXL639pFVFTop
yhKtTxGMnVnyNUq+Fq/XXgqEqSqc8K2DdbBKriadeMcXDBTTw1CeLlUpfhRo/wDwXz/Zu8XafBrf
gr4J/HbVvD+mfEnQfh5491rUNV/Z/hsPBNx4p0/WLrw5Jqd94V+N/jXStK1e7n00f8JXpHjzUvAG
n/BDT7LxbP8AtJeIfgtq3gzVtBb6U/ao/wCCnnw+/ZU/br/Yt/Yv8a6L4Mt7b9rka/az/EjxL8VD
4S1XwRrs94/hv4VaF4b+G3/CB69N8ULn4m+P1XwbPcWnjDwnbeB5bix1TXnmtdRsY7j9Q6KulKMZ
5fKtTjVjQxlarmNOMp0o4/A1ctjhIYSi+ac8DWw+P9pmtHGc2KUqrpYTEYavg6dSlXVSNSSxypVX
SdfA4XD4KThGpLA42ljpYjFZg78scV9awcll8cJUjClhoQjiYyqYhzlP8QPiD/wWk0H4C/tu+NP2
IPj5+zzr8fjq6ubyf4B6j+z/AOPD8WZvidodvbeCtSsW+Idv8UfAP7OXhD4PeJ9d0z4k+EU0vRdN
+IfxV8PWes2XjTT/ABT418Nadp3gXXPiTe1n/gt38KrG30q7sP2W/wBpySHU/ir8PPhbp8Gt3H7P
Ol3/AIsv/iRonhrWNHl8BRaR8ePE9jdahaxfEb4S3F9Y/EjUvhVo66Z8QFuIfE0ur+FfFGgad9t/
tW/tq+Hv2VPF3wS8Ja18MfiZ47m+Mmv61pVtfeC/CniXV7e3/sXT0uF8MeFm0jw9rEHjz4y+IJLk
av4S+DGm3OneJvEPw98KfFf4g2t0mlfDTUbTUvtasKMZzoZfWlU9pSo08bgcbUhCNJ5jjsNjFNYm
Kn7T6pKhhKlLB4mnShUw2KxCq4nD/Vf92o7V5RjXx9JQjRq4nCUMZl9G8p/2dTxWD+pUqlS8ubF4
eeZYHH5jh6FWdHEwp1oYetXr4eNCtV/ny8Yf8HHn7F3hHxJb6Vc+A/iw+k28VvDr99feI/2fNE1j
Sdc1DQotfs/D0+lan8bYtF8N65a22l+Ora48O/FnxZ8KvGPja98MeHE/Z+8L/HW2+MPwbuvHH1n8
Bv8Agr/+zd+0Xa6be+AfBHxftbLxDq/xHtvCOo+KJfgfomheK/C/wl8Wf8IJ4/8AiFYeKP8Ahd93
4V0bwr4d8Zan4G8L3+neMtb8MePbbxD8T/AOiXHgmHVNR1a00T6S/a7/AG0/h7+x8Pg5D430LUvE
F78aviTp/wAPfD9pYeKvhp4W+xxmayl8Q6wsXxD8beEtS8Z3+k6Rdve6f4B+GOl+OviJrzRz6gnh
ew8EaH438ceD/wAyfhr/AMFB/wBlL4SeKPiX4M/ZZ/4Jv3fw/wBR/Z68aeJtF/af0/whbfsQ/BD/
AIU8/jrwL8Ifid4x1ePXfCHxhvPhp4qv9Z8T+J/h14e+K6yfELw5YaVrvgLX/EXjPxA+m+BtAvda
1ws4VsTiXOMZ4XDYTGxxEKMpU69HGU8Fw7To14utKUfqeHx2OpYnFSftVyZ/DAqcatDDVqWOMTox
w/JUlReKxlH6t9ZUKntcH9YzmrXpurSp0YTxEcNTo4adSNGhTpxy+GLqRofWpQxX7/UV+PXxU/4L
NfA34VfGi2+A978HPj/rnjvxH4J8V/EzwPaz+Ck+EcN54D+H6fDJPHGofEST9pe8+BQ+EGp6XL49
1jUtPTxoYvCV74Q8Gv4r1Xxr4ftfF/gy01nc8Xf8FQbjwd8Nfh/438WfBXSfhLrni3WtJtNW8N/t
C/E7xP8ACnw1a6f42+K/grwP8KdO+H3xl0r4JfED4QfGD4g/ELwn450jxNP4Y8F+L38JfDPxbc2/
gD4t/EjwPZxa5430CYNVI4aUPejjMT9Twr2VfEf2rVyOVOne3NyZvQq4CrNfu6WIg4VJQTTbdSCn
XpOX7zC4f6ziI2d6FH+zsPm8ZVdPclUy3FUMXSpytVrUpv2UJyhUjH9aaK/JPV/+Ct3gL/hcvgT4
B+Ef2ePjf4g+Jviy6v8AxLq+h3mr/BVNQ8NfAvw/qXhm517412Xg3wP8VPiN8WPH9pqnw/8AEkfj
r4d/D74e/DbxJ498UzwQ+AfEukeAPH2o2mgtDdf8FjPgbYfHPSv2cLv4I/tJSfF/xda/GHUvh54V
tPDPw2tLrxfZfCm8+Hdrp1jq0Hiv4p+FNQ+D/jD4lJ8TfDtz4T8D/HvT/hZ4i8P2+Lv4n2vgDTNf
8Daj4vMK1jYYeeGftY4ujj8RhkvdnVoZZTdXHVY058tT2dCMMRHmcUqtXAZrQoupXynM6eErEuOD
qujipRoTVXLKDdSSjT9pnFTEUstSrN+xcMVLDycaqm6VOnXwFatOnSzLLp4r9cqK/Onwx/wUT0Hx
Rruo6bN+z78bPAejaPqWoGbxR8RdR+C8WneKfC+mfDnxJ8S7nxF8PtP+GXxZ+Kmu39yPD1r4D1Nd
D+ImmfC2dtI+JelMLw+JvDfjDwlonM6f/wAFTvg/qOo+P/DNx8NviP4R8dfC74a6R8UvH/gXxr4l
+BD+KvDGjSfFmw+E3irR9R8N/DP4x/FHxUuq+FdTvlvrXxTF4el+DXjqdbnw34B+LPiPxJoPjXTf
Cc+0h9XhiuZPD1aNXEU6qu4zpUMNjcZWlGyvJ0aGXY11oJc9Krh54ecY4hwpStwlGvTwsouNetCh
UpU5aOrDE42hl1GVNv3ZqeMxWGpPlb5I4ihWny0KsKkv08or8ofg1/wWB/Zx+OOqpp3g7wV8SpbM
eG/BerXviOw8Zfsr+PvDmneJviPreseFvh58PJr/AOEH7SvxIlvdc+IPi7SU8IfD7xpotrqvwU+I
HifUrfR/BPxW8QXWmeJl0D9Xq3lSnBOUo+6q+LwzkmpRWIwOJqYTF0XKLa9pQxFKUJxvfldOrG9K
rSnPGFWnUaUJXbo4bEJNOLdDGUIYnDVkpJN061KacZJNKcalKTVWjVhAooorM0CiiigAooooAKKK
KACiiigAooooAK/OvwN/yXf9tz/s5DwV/wCsZfslV+ileCeNv2VP2XviX4m1Hxp8R/2bvgJ8QPGO
rizXVvFnjb4PfDzxX4m1RdOsbbS9PXUde13w7f6peix02ys9Osxc3UotbG0trSDZbwRRp62U4zD4
OeM+s+2UMTg/q6lQpwqzhNYvCYlScKlagnFrDyi7VE05J2aTPIznL62YUMPToSpRnRxSrv2spxjK
P1fEUWk4QqNSvXUl7tmotXV0cVVr9hn/AJMm/Y8/7NZ/Z8/9VL4Ro/4YZ/Ym/wCjPP2Wf/EffhL/
APMjX0nomiaN4a0bSPDnhzSNM8P+HvD+mWGiaDoOiWFppWjaJo2lWkVhpekaRpdhFBY6bpmm2MEF
nYWFnBDaWdpDFb28UcMaIu+YZhg62DeGwzxM5TxNGvKVejSoqKo0sTTUYqnicQ5ubxF23yKKh9rm
93kynKcTgsTPEV50GnQnRjGjOpNtzqUZuTc6VJJR9lZJc1+a+ltdOiiivCPogooooA8D+KPxJ+J2
jeOfAnwv+GPwn13xDqvjmG61e/8Ai3r0NmnwS+Gvhvw7q+jQeLG8YXuna5F4uvvHU+latE/w58Ba
fo1jB491aV45PF/hvw9oHjXxJ4X98ooojpTjB+9NTqzdWWk5RqT5qdLljy01ToQShTah7WV5Sq1K
jcVBNXm5ptRcKcFSVnCMoJqVSLadTnrN81RSqSppxSpQpxun8LftKft4+CP2b/jV8IvgNd/D7xd8
R/iD8X9A8V+JNB0Hwf4w+COg69dWnh/T9VTStI8N+F/ih8VvAHiPxjrvinxTaaf4ZXUNG03/AIVt
4DGp2uq/F34j/DuLV/Bdp4y+WPh//wAFj/h/8WNXt9X+G/7OPxq8R/BfSviZ4r+C3xC+KieIfgrc
3/hH4oeHPi/4j+EdjpPh74feGPib4p1j4taN4muvBviPXfDM/wALtS8TeMfF7XfgjwT8PvAXjb4k
+NrHwdZ/shRU01OFbC1JSjVp0KeK+sYecGqeNrVccquGlWnTnCtSo4XLpVcF7LDVKNSvio4XH1MQ
qdLE4HGuslUw2MpUnLD168qP1TFRcak8DCOCpUsRalVjKjialXHUpYylOrFQoUcRiMHOliP9lxOF
/FzxH/wWw+DWi/Ff4l/AvSfgP8d/FfxT+GGleHPFut6ZFY+Dvhr4ebwR498X/ETwf4BvJ9d/aA8U
fBu90XxvqOoeC9Ds/EPww17QNO8Wab4l8c6Z4F8KQ+PfGeieI9E071Hxb/wU0tfAevfBbQfHXww0
H4cat4/m8LaF478IfFT4g+Nvht8Q9L8e3fgr4keMPH/g74CaL4o+Bdn4O/aYtfAMXw7vGsviJoPx
D8EfC74laZ/ab/DvxnrviqDwz4L8ZfqlRRTXJTjCcp1Z/W6dedWXJGTw1HFzqRwVOMIRpwhicFU+
rY6vOFWvPE0aGMwEstprEYPEqrepXq1INUKM6NenSoU1zKjVq4mhXp1/aVnVqVJYWnSq4KjCTVKW
FxNSWJjiMbCjjaf5N+EP+Csvgbx78dT8DfDv7Ofx8j1bwN4fj8TftGTSJ8NPH/i34EWmpHxXoWga
DP8AB/8AZ18f/Hr4s/EfxXe+PtB0jw7qI8D+Er3wJpvhzX7jx/afEHWNA8L+I0saF9/wV2+HvgBv
gfp/x4/Z9+M/wq1v4++P734e+C47HxF8CfHukQavJ4O+InxV0KPUv7I+Lun+NpZJPhF4S8G+KvF1
3ongDWfDPhDxD8XPBnglfE+u3tl4p1LQv1zop1LzlBwapRWKoVKqScnLCRxcauJw1OU21TqVsK6u
Eo4mca31d+wxE6OInSrRxRQTh7X6xJ1nPDezh7O1BUcUsHRpLE001WcqbxtKeLlh6rqXpYmvhI1o
OOHxGH/JPxH/AMFg/g34C1D4QeHvih+zt+1f8OPGfxy+NmtfAnwB4J1Pwx8EvGeuXninQfCPjHxH
e6xf3vwj+PXxH8Laf4cfXfAPin4eWpl8Rt4juPFmmSaunhv/AIVqf+FgD0TxN/wVS/Zj8N+Gfht4
x2eLtV8O/FL4par8KPDV9BffCrQZZtZ0zw9Y+KI9RsNN8cfFHwlqvjOLV9F1vwxqej+EfhpZeOPi
nc6P4iXxJP8AD618L+FviBrfg/8ASiinuqqdot4qjUoSpe7KGEp08uhVwtb2jrRrVa88PmNWWKpx
w3s55lCNOgqeBpwqkOZSoObUksLUp4qMYuCqYqc8ZKOJwrcpywtOjGtg6dPDV3jrwwV6tarUxNSc
fxwuv2v/ANmHSLf47/tC3f7JPhL4U/tK6fNonhX4geLfjd4Q8I+CtLH/AAgF/omp+Arz9qT9sT4V
+C/jb4X+D/wr+HN5/Z163xO8c6t4m+Hui+IPB3jXTPgZqvxZ8QfDTXLa0+2Pgh+1Tpnxh+JTfDaS
D4baNrM37NfwL/aLs9A0X4uW/iz4jQaZ8XrzxpYalb+Ifh63g/w/daJ4P0S68NaVF4S+IUWsapb+
Pm1m/W48P+DpNFto9d+t6KqDhBKCpxjRSg1QpuUKVKq8Ni44qpQTcnBYrHVsJi5xqOtKNLBvDe0l
PE1MVGHGrKFdyqQ+sVcRVqRrxptKnQeY5fWwuGcJ1KjqrCZPhcTklOrUqOc4YuGNl++wdGnIoooq
TQKKKKACiiigAooooAKKKKACuf1XxV4f0TWPC+gapqUVrrPjTUNQ0vwzp5juJp9UvNK0PUvEepKg
t4ZVtoLPR9Jvbme9vGtrJJRa2X2g3+oafa3XQVWnsrO6ls57m0trifTrh7vT5p4IpZbC7ktLqwku
rOSRGe1uJLG9vLJ5oGSRrS7urZmMM8qOAf/ZUEsDBBQABgAIAAAAIQBYm5DCqgAAAB8BAAARAAAA
cHB0L3ByZXNQcm9wcy54bWyMjzsOwjAMQHck7hBlpykMCFX9LIiZAQ4QpW4bKXEiO/xuT8RHgq2j
Zb3n57q7eyeuQGwDNnJdlFIAmtBbHBt5Ph1WOyk4aey1CwiNfADLrl0u6lhFAgZMOmX0SCKLkCvd
yCmlWCnFZgKvuQgRMO+GQF6nPNKoetK3fMA7tSnLrfLaovzwNIcPw2AN7IO5+BzwlhC4VwlPNvLX
FufYfv/4S1LtEwAA//8DAFBLAwQUAAYACAAAACEA2P2Nj6wAAAC2AAAAEwAAAHBwdC90YWJsZVN0
eWxlcy54bWwMzEkOgjAYQOG9iXdo/n0tQ1EkFMIgK3fqASqUIelAaKMS491l+fKSL80/SqKXWOxk
NAP/4AESujXdpAcGj3uDY0DWcd1xabRgsAoLebbfpTxxT3lzqxRX69CmaJtwBqNzc0KIbUehuD2Y
Wejt9WZR3G25DKRb+HvTlSSB5x2J4pMG1ImewTeqgiCitMCny+WIaUgDXHo0xnFU1tW5qf0qLH5A
sj8AAAD//wMAUEsDBBQABgAIAAAAIQDyuqEBfQEAADkDAAARAAAAcHB0L3ZpZXdQcm9wcy54bWyM
Uj1vwjAQ3Sv1P1jeISGCABGBperEUAna3XIuwVJiW7aBwK/vOSFNoAxsvq93773zalNXJTmBsULJ
lE7GISUgucqELFL6vf8cLSixjsmMlUpCSi9g6Wb9/rbSyUnA+csQBJA2YSk9OKeTILD8ABWzY6VB
Yi1XpmIOQ1MEmWFnBK7KIArDOKiYkPQ2b16ZV3kuOHwofqxAuhbEQMkckrcHoW2Hpl9B0wYswjTT
d5TWKE562uVPI9HH2OuUgWwLuSP2ilbN4iikwbC2V7opLadx3JSC/zi2FBn0sHxXZoOof1rOSliv
WGJrgoeZ4V0yXBo2uJi9/M/ittuUTpQRhZCkTuloPl1ScknpfO7ZYhPvtxRHZLO1zqto3gQH0RO0
T5krJVrZlEaTVk3X0iYXi05iD+LBB4I8oXu5Ujmwe6hdT2HA5kGzF/tE9EPaL2m9GqrGSZTcMfzb
gc1PKBRGZDvNOH5NwtGy+SKMUB5icO9bF7Xundov8QsAAP//AwBQSwMEFAAGAAgAAAAhACSaedwR
AgAAdAQAABAACAFkb2NQcm9wcy9hcHAueG1sIKIEASigAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

--_002_4A95BA014132FF49AE685FAB4B9F17F657F09DAFdfweml501mbb_--


From nobody Thu Jul 21 04:15:50 2016
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 342BE12DE69 for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 04:15:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alibaba-inc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id osIpoE19BgAa for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 04:15:44 -0700 (PDT)
Received: from out4133-2.mail.aliyun.com (out4133-2.mail.aliyun.com [42.120.133.2]) by ietfa.amsl.com (Postfix) with ESMTP id 46DAA12DE66 for <saag@ietf.org>; Thu, 21 Jul 2016 04:12:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1469099546; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=ZxMqxOICR3hKOG4qkY2ou+W82lErw+JUU9HniuGvdpI=; b=EnS9jYBl4jd5dVIfE1tf9TWoXakierPM1GG2XChLg8dJ41c2orONeBp2j2BzLbANtKzggU99FbKwwzw+Gv+ET0GZyw/sdg+1Zzj0Y+Gyg+znC2D0/Nfc8QeZdLSZjmiFKDDlm3c4dmdU3MBZYSxYSof1iUrpV6P5pfBmNiFnXB0=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R841e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03298; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=4; SR=0; TI=SMTPD_----533iHjM_1469099526; 
Received: from 30.56.239.226(mailfrom:kepeng.lkp@alibaba-inc.com ip:121.0.29.201) by smtp.aliyun-inc.com(127.0.0.1); Thu, 21 Jul 2016 19:12:16 +0800
User-Agent: Microsoft-MacOutlook/14.4.8.150116
Date: Thu, 21 Jul 2016 19:12:05 +0800
From: "Kepeng Li" <kepeng.lkp@alibaba-inc.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>, "kathleen.moriarty.ietf@gmail.com" <kathleen.moriarty.ietf@gmail.com>
Message-ID: <D3B679D2.3ECA3%kepeng.lkp@alibaba-inc.com>
Thread-Topic: ACE reports to saag
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8PHwP2ANvjyxNUgxNQi7GTuGbqc>
Subject: [saag] ACE reports to saag
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 11:15:48 -0000

Wednesday, 20 July, 2016, 10:00 - 12:30
Chairs: Kepeng Li, Hannes Tschofenig

* Actors (Carsten, 15 min)
- http://datatracker.ietf.org/doc/draft-ietf-ace-actors/

Summary: still has a couple of bits of feedback to process, on the Actors
draft, but otherwise is close to being ready with it.

* Authorization using OAuth 2.0 (Ludwig, 45 min)
- https://datatracker.ietf.org/doc/draft-ietf-ace-oauth-authz/

Summary: there is some progress, but still some open issues. Sept is
still a valid target date for WGLC, though it would not leave much time
for implementation work on top of the document work itself. Several people
volunteered to review the document in the next couple of months.

* CBOR Web Token (Mike, 15 mins)
- https://datatracker.ietf.org/doc/draft-ietf-ace-cbor-web-token/

Summary: We could have a publishable version at the next IETF meeting.
Next step is to create better examples and validate them with COSE
implementations.

* OSCOAP profile of ACE (Ludwig, 15 min)
- https://datatracker.ietf.org/doc/draft-seitz-ace-oscoap-profile/

Summary: it has a dependency on the OSCOAP and EDHOC documents; more work is
needed.

* Group Communication Security (Hannes, 15 min)
- https://datatracker.ietf.org/doc/draft-hardjono-ace-fluffy/
- https://datatracker.ietf.org/doc/draft-somaraju-ace-multicast/

Summary:  ~20 yes - ~5 no is indicated about the question whether or not
the ACE group should work on a solution for securing low latency group
communication. Further discussion will go to the mailing list.

* Privacy-Enhanced Tokens for Authorization in ACE (Daniel, 15 min)
- https://datatracker.ietf.org/doc/draft-cuellar-ace-pat-priv-enhanced-authz-tokens/

Summary: the way forward is to make this an extension of the OAuth
framework that the WG is working on.

* Ephemeral Diffie-Hellman Over COSE (Goeran, 15 min)
- https://datatracker.ietf.org/doc/draft-selander-ace-cose-ecdhe

Summary: the initial feedback is to work on this in ACE.

Kind Regards

Kepeng



From nobody Thu Jul 21 04:41:22 2016
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7C1812DC4D for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 04:41:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alibaba-inc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iDfOUoMsUDIi for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 04:41:19 -0700 (PDT)
Received: from out4133-50.mail.aliyun.com (out4133-50.mail.aliyun.com [42.120.133.50]) by ietfa.amsl.com (Postfix) with ESMTP id 6946512D522 for <saag@ietf.org>; Thu, 21 Jul 2016 04:37:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1469101044; h=Date:Subject:From:To:Message-ID:Mime-version:Content-type; bh=w/gmx4v95CsSBHnWGg/RbeWT7iudu2bih8tcqhHxJrg=; b=S4FkdSQdH2AJhc39GCM7v0wL0gDdamomsU6+0QcJ3NoKLzJV8Yn8b0KyY5hxyMDw71TwXfwHfBuOhczTFBO/Em1ICVTa4TkJtYWFhdz4TmLBkzsI5ZeJfL1jCmWR6xkFyD5cF5/MuaBthBk25y2QAJHpKZPAGW5nm/WmcQKHeCo=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R421e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03292; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=4; SR=0; TI=SMTPD_----533iIUz_1469101027; 
Received: from 30.56.236.70(mailfrom:kepeng.lkp@alibaba-inc.com ip:121.0.29.201) by smtp.aliyun-inc.com(127.0.0.1); Thu, 21 Jul 2016 19:37:19 +0800
User-Agent: Microsoft-MacOutlook/14.4.8.150116
Date: Thu, 21 Jul 2016 19:35:44 +0800
From: "Kepeng Li" <kepeng.lkp@alibaba-inc.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>, "kathleen.moriarty.ietf@gmail.com" <kathleen.moriarty.ietf@gmail.com>
Message-ID: <D3B67C68.3ECAC%kepeng.lkp@alibaba-inc.com>
Thread-Topic: COSE reports to saag
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/LePS3mQV-_YskTsMJi55FXXqwdY>
Cc: Justin Richer <jricher@mit.edu>
Subject: [saag] COSE reports to saag
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 11:41:21 -0000

IETF 96 - Berlin
Thursday 21 July 2016, 11:30 - 12:30
Chairs: Justin Richer, Kepeng Li

* COSE message status and update - 15 min (Jim)
- https://datatracker.ietf.org/doc/draft-ietf-cose-msg/

Summary: Feedback is that we need more reviews, more examples and more
implementations.
Next step is to give people time for review and then move on.

* CBOR Encoded Message Syntax: Additional Algorithms - 15 min (Jim)
- https://datatracker.ietf.org/doc/draft-schaad-cose-alg/

* Using RSA Algorithms with COSE Messages - 15 min (Mike)
- https://datatracker.ietf.org/doc/draft-jones-cose-rsa/

Summary: about the additional algorithms, it is not clear about the use
cases and the needs.
More discussion is needed and a poll will be made in the mailing list.

Kind Regards
Kepeng



From nobody Thu Jul 21 04:42:11 2016
Return-Path: <takeshi_takahashi@nict.go.jp>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86A1912DEBD for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 04:42:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LsALwWOhJvhS for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 04:42:07 -0700 (PDT)
Received: from ns2.nict.go.jp (ns2.nict.go.jp [IPv6:2001:df0:232:300::2]) by ietfa.amsl.com (Postfix) with ESMTP id 056BF12D5A4 for <saag@ietf.org>; Thu, 21 Jul 2016 04:38:26 -0700 (PDT)
Received: from gw2.nict.go.jp (gw2.nict.go.jp [133.243.18.251]) by ns2.nict.go.jp  with ESMTP id u6LBcQAR030533 for <saag@ietf.org>; Thu, 21 Jul 2016 20:38:26 +0900 (JST)
Received: from DESKTOP2JPR8KD (ssh1.nict.go.jp [133.243.3.49]) by gw2.nict.go.jp  with ESMTP id u6LBcOQF030525 for <saag@ietf.org>; Thu, 21 Jul 2016 20:38:25 +0900 (JST)
From: "Takeshi Takahashi" <takeshi_takahashi@nict.go.jp>
To: <saag@ietf.org>
Date: Thu, 21 Jul 2016 20:38:22 +0900
Message-ID: <01a401d1e344$63cbb1b0$2b631510$@nict.go.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdHjRCIsTIjWRsjGQbK+yZEBs6zu9A==
Content-Language: ja
X-Virus-Scanned: clamav-milter 0.98.7 at zenith2
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zbcUjay9EUeIAGNj3NxFYnt9Aak>
Subject: [saag] MILE WG report for IETF 96
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 11:42:09 -0000

MILE met at IETF 96 at 10:00 on Thursday.
There were about 45 - 50 attendees in the room and Jabber.

[working group drafts]

1. RFC5070-bis will be published as an RFC soon.
  Update after the WGLC was shared during the session, and the attendees
seem to be very happy to publish the draft as an RFC.

2. implement draft will be published as an RFC soon.
  Though no presentation was done this time, we see no problem to proceed.

3. ROLIE draft was refined so that we can pursue submission to IESG by
November.
  The original ROLIE draft will be divided into two documents.
  One is for general information exchange purpose, while the other is for
incident-response specific purposes.

4. Review was requested for xmpp-grid and guidance drafts.
  The content of the drafts seems to be good, but we need more review. We
have seen quite many candidate reviewers for the drafts.

[individual draft]

1. the draft on JSON binding of IODEF is considered to be a WG draft.
  The attendees today seem to be happy to make it a WG draft, but we will
ask consensus on this on the mailing list.

Cheers,
Take



From nobody Thu Jul 21 06:19:03 2016
Return-Path: <sandy@tislabs.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA45F12D533 for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 06:19:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BYQ_KBnMAuoM for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 06:18:59 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B78E912D0BF for <saag@ietf.org>; Thu, 21 Jul 2016 06:18:29 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 2BAC728B0043 for <saag@ietf.org>; Thu, 21 Jul 2016 09:18:29 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id 938881F8056; Thu, 21 Jul 2016 09:18:16 -0400 (EDT)
From: Sandra Murphy <sandy@tislabs.com>
X-Pgp-Agent: GPGMail
Content-Type: multipart/signed; boundary="Apple-Mail=_A6EA7237-C8BC-4AE1-B943-6C402FBDB0E0"; protocol="application/pgp-signature"; micalg=pgp-sha512
Date: Thu, 21 Jul 2016 09:17:56 -0400
Message-Id: <8BAB8027-01B3-40E7-B67F-1227D83402C0@tislabs.com>
To: saag@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/tjPjX3ygkLPodJIKVc00MPkjzPM>
Subject: [saag] SIDR report for IETF 96 Berlin, Germany.
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 13:19:02 -0000

--Apple-Mail=_A6EA7237-C8BC-4AE1-B943-6C402FBDB0E0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

SIDR met on Thurs morning.  Since IETF95, one SIDR document has been
published as an RFC, one is in RFC Editor queue, and one got to the IESG
but paused to wait for the BGPsec protocol draft.  We have requested
publication for five documents.  Among those is the set of the BGPsec
protocol, and the update to RFC6485 and RFC6487 to add router certs and
elliptic curve to the RPKI for the BGPsec protocol.

We have two documents that just finished wglc, and a third that is
waiting for commenters to agree that their wglc comments were addressed.
So another 1-3 documents should soon be out of the wg and added to the
AD’s queue.

We have a redefinition in progress of the validation of certificates.
We are discovering the many places in the existing document set that
will need to be updated because of that change.  In this meeting, the
idea of needing a new OID for the certificates was discussed, as a means
of distinguishing the certificates under the new semantics from the old
semantics.  There are decisions ahead about parallel duplicate systems,
or a mix of certificates in the same system, or a transition from one
certificate type to another, etc.

The Routing AD brought up in Buenos Aires that the remaining work in
SIDR is mostly not about routing.  In this meeting we discussed
separation of the SIDR operations oriented work into a new
to-be-chartered wg in the OPS area.

—Sandy


--Apple-Mail=_A6EA7237-C8BC-4AE1-B943-6C402FBDB0E0--


From nobody Thu Jul 21 06:25:27 2016
Return-Path: <jhall@cdt.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C798D12D590 for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 06:25:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cdt.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0upVv6-JP8WT for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 06:25:20 -0700 (PDT)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 163A812B076 for <saag@ietf.org>; Thu, 21 Jul 2016 06:25:20 -0700 (PDT)
Received: by mail-vk0-x231.google.com with SMTP id s189so112760097vkh.1 for <saag@ietf.org>; Thu, 21 Jul 2016 06:25:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cdt.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=mBhJllnocLQxHL13+QR3CVpPnu6UjfoF8QWMfxTKIfY=; b=K/dvebnWma9Tz0cJ0w2PzjA7ot38lvKricbn2eC+YncVLYRn0/qTolx+BUBlQAIynn j/5NAmSAfFHZ8dSrBmSBpNYrg+PfwLLbWkXsSwDqlwZEjunc03GxsizH9sxtGYUuXaQI gGxum0WrqeqepOyqswIvf36JAnw8UrLP+7+O8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=mBhJllnocLQxHL13+QR3CVpPnu6UjfoF8QWMfxTKIfY=; b=KIcazbDFS/hYPfYe2vMWSkbWPF9SdpvIXkchnn4okuRdkTcplx9h82rb30tMAh4NBg Yk+r/2XjHs3+bjzPQ8zTSvqhKMGpEP/vHK1SNARdOguWw5BULI72H0ft+VIeTfWqtkgr r5+QUdnjFDC0Fe/ioC+Wh5dyf+W0Mmh4L3Wjks38kym3cpAHdUxPbSVg9ahZbhMANhsN CD6YMItUZ1qgv8+YxMtknLTCpBWvuBxfaSODMSo9hFsRufa6B8PjX9iL0WTZc7kskZGO YgwGLCaAS6A/X33xsxM6TlCpgHkeRFbKYTIh1l2o+/9aDAWKN7vFvvvHPptxvTSyOCiB i2rQ==
X-Gm-Message-State: ALyK8tKz+KC8L7QwRJuokHKVi1MfHK13qh0o18GACd1et7aewlwHb/arMjh8AYKxF7KbFlLWoiCpm4xtX9BchWcZ
X-Received: by 10.159.38.199 with SMTP id 65mr14322522uay.116.1469107519071; Thu, 21 Jul 2016 06:25:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.29.71 with HTTP; Thu, 21 Jul 2016 06:24:59 -0700 (PDT)
From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Thu, 21 Jul 2016 15:24:59 +0200
Message-ID: <CABtrr-Vx4HT5sXWC-Ru0X3fZdisaf_=uae5LjJGKQO=LeEY2fw@mail.gmail.com>
To: saag@ietf.org
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GjOYK18dkKfSCm8Lm2TkS0okgCU>
Subject: [saag] Survey of censorship tech...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 13:25:27 -0000

Thanks for the time in SAAG today to update you all on where we are
with the censorship examples draft. (Thanks to Rich, especially, for
having read it!)

We'd love feedback to make sure things are right and that we're not
missing anything or going off the rails in terms of things that would
be helpful to protocol designers and implementers:

https://tools.ietf.org/html/draft-hall-censorship-tech-04

Please feel free to file issues or submit PRs against the draft
Markdown in this repo:

https://github.com/josephlhall/rfc-censorship-tech

Cheers! --Joe

-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871


From nobody Thu Jul 21 07:23:34 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BBC912D63C for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 07:23:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.588
X-Spam-Level: 
X-Spam-Status: No, score=-5.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIfQ11qwOc6U for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 07:23:24 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 986EE12D640 for <saag@ietf.org>; Thu, 21 Jul 2016 07:23:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 1A66CBE29 for <saag@ietf.org>; Thu, 21 Jul 2016 15:23:09 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6JuHfpVg4f3B for <saag@ietf.org>; Thu, 21 Jul 2016 15:23:05 +0100 (IST)
Received: from [31.133.152.162] (dhcp-98a2.meeting.ietf.org [31.133.152.162]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9625BBE25 for <saag@ietf.org>; Thu, 21 Jul 2016 15:23:04 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1469110985; bh=0VeXw9bGzDXQS9lhNHthOrf0E/IPAGknAnOig6TPhHE=; h=To:From:Subject:Date:From; b=3FkYja6kq5RKcv6iHaWdpUqqNKtr7ZtFjgpmneTn/Tmt9MvJTaLW3bHFRxQHYddFr jKY5sLvGvkk6mxWYKqf25ADBCiINe76PegmlonreBfFceF3tSiLZm0vX7iI7lH92Ji at36+fnxDQSq2r+OWyTdjmomQcMV3doV7x5aIaD0=
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <094ecc58-5616-5dd4-6233-6623e471e1f8@cs.tcd.ie>
Date: Thu, 21 Jul 2016 15:23:02 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060207020006020009020503"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Y_5H0cfXo0sQAYPghdX3dPCZGwM>
Subject: [saag] missing pressie uploaded..
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 14:23:30 -0000

This is a cryptographically signed message in MIME format.

--------------ms060207020006020009020503
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

The ITU-T slides that I hadn't uploaded before the saag session are
now on the tracker. [1] Apologies for being late with that.

Cheers,
S.

[1] https://www.ietf.org/proceedings/96/slides/slides-96-saag-6.pdf


--------------ms060207020006020009020503--


From rkarasul@cisco.com  Tue Jul 19 01:47:43 2016
Return-Path: <rkarasul@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8DD712DC99 for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 01:47:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.807
X-Spam-Level: 
X-Spam-Status: No, score=-15.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Brk9pgX7jrff for <saag@ietfa.amsl.com>; Tue, 19 Jul 2016 01:47:42 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C5EF12DB3F for <saag@ietf.org>; Tue, 19 Jul 2016 01:47:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6852; q=dns/txt; s=iport; t=1468918062; x=1470127662; h=from:to:cc:subject:date:message-id:mime-version; bh=7D5PXlIOPjOG1XBOK6/QwsoQuyNgZy+n9PR7pNpgRzM=; b=ByuhTYn/IvDemMRIoBcFMSpbXusvdyLCCmWKXLRZqe55t6vK/NsBQawX Nx4x9LwoY6LLciCKTRZoNWRjvqFF0GocLvrIGLae+D7XlBVMt1LlZs7lF FMaqQGdc3u+BH4mNMMCfw3CaWqdiuaW7YSye5os7u3vmNlYjfJbm4A4Tb 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CLAgDg6I1X/4YNJK1bgnFOVnwGs1uCd?= =?us-ascii?q?YIPgXoahgCBMzgUAQEBAQEBAWUcC4RjLUwSAYEAJgEEDg2IKL1MAQEBAQEBAQM?= =?us-ascii?q?BAQEBAQEBAQEehiqId1SFHQWZJAGBNIReiEiBcogIhUSQHQEeNoNzbocRfwEBA?= =?us-ascii?q?Q?=
X-IronPort-AV: E=Sophos;i="5.28,388,1464652800";  d="scan'208,217";a="298810074"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 19 Jul 2016 08:47:41 +0000
Received: from XCH-RTP-006.cisco.com (xch-rtp-006.cisco.com [64.101.220.146]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u6J8lfqD004837 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <saag@ietf.org>; Tue, 19 Jul 2016 08:47:41 GMT
Received: from xch-rtp-008.cisco.com (64.101.220.148) by XCH-RTP-006.cisco.com (64.101.220.146) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Tue, 19 Jul 2016 04:47:40 -0400
Received: from xch-rtp-008.cisco.com ([64.101.220.148]) by XCH-RTP-008.cisco.com ([64.101.220.148]) with mapi id 15.00.1210.000; Tue, 19 Jul 2016 04:47:40 -0400
From: "Raviraj Karasulli (rkarasul)" <rkarasul@cisco.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: Queries on EAP-NOOB
Thread-Index: AdHhmjEJtSKsWpdsQiiG1G7GuO1Mdw==
Date: Tue, 19 Jul 2016 08:47:40 +0000
Message-ID: <401a0e3d0e6642988c21f39f08b70896@XCH-RTP-008.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.142.236.86]
Content-Type: multipart/alternative; boundary="_000_401a0e3d0e6642988c21f39f08b70896XCHRTP008ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/lgTzhLvbZ70DL23QIkx9RkfJNic>
X-Mailman-Approved-At: Thu, 21 Jul 2016 08:14:05 -0700
Cc: "Raviraj Karasulli \(rkarasul\)" <rkarasul@cisco.com>
Subject: [saag] Queries on EAP-NOOB
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 08:49:33 -0000

--_000_401a0e3d0e6642988c21f39f08b70896XCHRTP008ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi,

I read the latest draft for EAP-NOOB and found it to be an interesting
protocol.  I would like to ask a couple of questions relating to the draft.


1.       Is it just for now, or will all the devices which take part in
authentication be held under the same domain, which is
"eap-noob.net<http://eap-noob.net/>"?


2.       After the authentication, how will the device get associated with
the user? Now, it seems like any device can get authenticated with the
Authenticating server.


Regards,
Raviraj


--_000_401a0e3d0e6642988c21f39f08b70896XCHRTP008ciscocom_--


From nobody Thu Jul 21 10:00:48 2016
Return-Path: <jricher@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D0A912D639 for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 10:00:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.508
X-Spam-Level: 
X-Spam-Status: No, score=-5.508 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k65T6Ry5Rkqi for <saag@ietfa.amsl.com>; Thu, 21 Jul 2016 10:00:44 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8BC712D7BD for <saag@ietf.org>; Thu, 21 Jul 2016 10:00:42 -0700 (PDT)
X-AuditID: 1209190e-5a3ff70000005657-81-5790ffb912c8
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by  (Symantec Messaging Gateway) with SMTP id AF.E4.22103.9BFF0975; Thu, 21 Jul 2016 13:00:41 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u6LH0fNo025273; Thu, 21 Jul 2016 13:00:41 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u6LH0c4b009294 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 21 Jul 2016 13:00:40 -0400
From: Justin Richer <jricher@MIT.EDU>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Date: Thu, 21 Jul 2016 13:00:37 -0400
Message-Id: <AE7962C0-76FA-400E-BE1A-CB73502840B6@mit.edu>
To: saag@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Ji2queQ0sfFDO94SwQjo8xS3Dgc>
Cc: Leif Johansson <leifj@sunet.se>
Subject: [saag] Vectors of Trust
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 17:00:46 -0000

Hi security area folks,

Leif and I have been working on a document called Vectors of Trust that
defines a way to express and convey trust information about an
authentication event across the wire. Similar in goals to the NIST/OMB
Level Of Assurance (LoA) concept, a VoT tells a relying party how
trustworthy the identity provider believes the current authentication
transaction to be. Unlike LoA, which is a single scalar element, VoT
allows differentiation on different aspects of the transaction, like
identity proofing, credential strength, assertion presentation, etc. The
current draft is available here:

https://tools.ietf.org/html/draft-richer-vectors-of-trust-03

The discussion list is vot@ietf.org (low traffic, and most of the active
discussion happened months ago) and the GitHub page for the source XML
is:

https://github.com/vectorsoftrust/strawman

We would appreciate folks reviewing this document so that it can go
forward to eventual publication. We are putting it through as an
AD-sponsored RFC, and Kathleen has agreed to sponsor the draft.

Thank you,
 — Justin


From nobody Fri Jul 22 05:45:44 2016
Return-Path: <stephen@tolerantnetworks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B8D612DA37 for <saag@ietfa.amsl.com>; Fri, 22 Jul 2016 05:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cQ-h8hP0hdD9 for <saag@ietfa.amsl.com>; Fri, 22 Jul 2016 05:45:34 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D98C912DA8B for <saag@ietf.org>; Fri, 22 Jul 2016 05:45:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 133BEBE33 for <saag@ietf.org>; Fri, 22 Jul 2016 13:45:31 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TDtFfDvAYwg8 for <saag@ietf.org>; Fri, 22 Jul 2016 13:45:29 +0100 (IST)
Received: from [31.133.178.21] (dhcp-b215.meeting.ietf.org [31.133.178.21]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 94127BE2D for <saag@ietf.org>; Fri, 22 Jul 2016 13:45:29 +0100 (IST)
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen@tolerantnetworks.com>
Message-ID: <3b85d272-f0b0-25de-56b4-ce3cd16f3707@tolerantnetworks.com>
Date: Fri, 22 Jul 2016 13:45:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1JHiHITdxjjnGWrFDyJDWL_BrrQ>
Subject: [saag] WG status reports in the tracker
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 12:45:40 -0000

A bunch of WG chairs also posted their status reports to the
tracker. You can see those at [1]. Be interested if folks
find that more or less useful than the mail to the list. It's
fine to send opinions off list to Kathleen and I, or if there
are general things to discuss, to follow up in this thread.

Cheers,
S.

[1] https://datatracker.ietf.org/group/all-status/


From nobody Fri Jul 22 05:57:38 2016
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D1F012DB26 for <saag@ietfa.amsl.com>; Fri, 22 Jul 2016 05:57:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M4pqteCQV8aV for <saag@ietfa.amsl.com>; Fri, 22 Jul 2016 05:57:35 -0700 (PDT)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CFCA12D5E7 for <saag@ietf.org>; Fri, 22 Jul 2016 05:57:35 -0700 (PDT)
Received: by mail-wm0-x232.google.com with SMTP id p129so8397557wmp.0 for <saag@ietf.org>; Fri, 22 Jul 2016 05:57:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=Jz726jA9DC5xUfwDZqCnE0cldyxjV+0gUBU4MDBupn0=; b=Z/i8Eoyg0XzVNINH6bM57d4FPVcL/tADW2wFf6jYOBxq8WyrjGXM7Y5QNn29hqGC6n ZgsKwmEBsL/WcYy8swod/iQrvMbBw1tBfl4DMXc5eyKxqxahkJIls5rMZQLZYpAwCsq0 FRj3VjEZyCI05PGM6QOfscu7o1Wc2yNMqWLnY/v8j4jI8Naw1iJQyTUt2cION074N1Mr NiaPhE71wOXTHOBdGofDtb4oLxz6JVQbHBZ7SMPgPKsLlRfvh7etERpO93279gFU2Lf4 vWWGK/pLHcFcdbQHVs/s+ZLs+vPlpWS7LlqG5BbxGBmZBNQ1aXtFsGANQb9ZKKqmVYE6 8xxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=Jz726jA9DC5xUfwDZqCnE0cldyxjV+0gUBU4MDBupn0=; b=mS+/mQULhGWL+P8ja2NLkazgj/Yr1+jHSqZiGDAp8AQZKPjbBV/Z0i3baBlj0WlpSl FiQXgEB78dsYkyMD2xN/81uqy+pNDe6TPqcFEpNkMVgobBB0g80dYO5hZfQoqJ8hh8uT KmTJRyb+Bcow2Ii5smJipzlas+mX5gC/OTCODQYwjEyo4rwRcw99Yo2uPXMpV9HUxX59 bNJT5XjZOGHzDW11eskaVpwzn8VfauuiEzNl4dHcfL5CiEcRt9VjRZWV3W+jiRJ9wz6n Yjr7kiW1Zz7+j8ly9picKyvakGYjfPZDJw1upy0IdGhCJPcFNu5U28YKhIOId+y+ZxzO 4uyw==
X-Gm-Message-State: AEkoouulFjOYWGgGV3k6c69Uu+Lnm693yCifFLrQTJ2S/7dQtbO0sUTZz1NOMQLm2IisVw==
X-Received: by 10.194.39.3 with SMTP id l3mr977374wjk.133.1469192253498; Fri, 22 Jul 2016 05:57:33 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:160:b5f9:5d4c:a99c:7e15? ([2001:67c:370:160:b5f9:5d4c:a99c:7e15]) by smtp.gmail.com with ESMTPSA id d8sm12504319wmi.0.2016.07.22.05.57.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Jul 2016 05:57:32 -0700 (PDT)
To: Stephen Farrell <stephen@tolerantnetworks.com>, "saag@ietf.org" <saag@ietf.org>
References: <3b85d272-f0b0-25de-56b4-ce3cd16f3707@tolerantnetworks.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <868d7656-9795-7514-61c7-8b87aacb5048@gmail.com>
Date: Fri, 22 Jul 2016 14:57:32 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <3b85d272-f0b0-25de-56b4-ce3cd16f3707@tolerantnetworks.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/AlYZmOBm22Lp2yKZFGrqzvoo2ts>
Subject: Re: [saag] WG status reports in the tracker
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 12:57:37 -0000

Actually I would like to do it for a BoF, as a kind of archival summary 
(a.k.a. gravestone :-)

I don't think the tracker lets me do that.

Thanks,
	Yaron

On 22/07/16 14:45, Stephen Farrell wrote:
>
> A bunch of WG chairs also posted their status reports to the
> tracker. You can see those at [1]. Be interested if folks
> find that more or less useful than the mail to the list. It's
> fine to send opinions off list to Kathleen and I, or if there
> are general things to discuss, to follow up in this thread.
>
> Cheers,
> S.
>
> [1] https://datatracker.ietf.org/group/all-status/
>


From nobody Fri Jul 22 07:48:13 2016
Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48E4B12D130 for <saag@ietfa.amsl.com>; Fri, 22 Jul 2016 07:48:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level: 
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4tXv3sJQoOiz for <saag@ietfa.amsl.com>; Fri, 22 Jul 2016 07:48:10 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D161712D09F for <saag@ietf.org>; Fri, 22 Jul 2016 07:48:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id AEBB630049F for <saag@ietf.org>; Fri, 22 Jul 2016 10:48:08 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 9RuD-6RvjU-F for <saag@ietf.org>; Fri, 22 Jul 2016 10:48:07 -0400 (EDT)
Received: from dhcp-8d37.meeting.ietf.org (dhcp-8d37.meeting.ietf.org [31.133.141.55]) by mail.smeinc.net (Postfix) with ESMTPSA id 1F3C0300499 for <saag@ietf.org>; Fri, 22 Jul 2016 10:48:06 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <1F91ADA4-07C4-4ADF-8B72-D5628D6EA33A@vigilsec.com>
Date: Fri, 22 Jul 2016 10:48:04 -0400
To: IETF SAAG <saag@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/MO_Bu4V2H4mi6f5A6II2o9YEvTE>
Subject: [saag] LAMPS Session at IETF96
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 14:48:12 -0000

This was the first meeting of the LAMPS WG.  The group talked about
three topics.

First, Jim Schaad gave a presentation about adding
authenticated-encryption algorithms with S/MIME.  The WG adopted the
document, and once it is published it will obsolete RFC 5751.  It was
observed that a corresponding document to obsolete RFC 5750 will also be
needed.

Second, Wei Chuang gave a presentation about Email Address
Internationalization (EAI) and Certificates.  It suggests carrying
smtputf8Name as an OtherName.  The WG adopted the document, and once it
is published it will update RFC 5280.

Third, the CURDLE WG asked this WG for a recommendation regarding CFRG
Elliptic Curve algorithm identification in certificates.  Jim Schaad
gave a presentation of the possible ways forward.  The people in the
room unanimously recommended that the same object identifiers be used
for SubjectPublicKeyInfo.algorithm and Certificate.signatureAlgorithm
and SignerInfo.signatureAlgorithm, and that this identify the curve, the
operation (signature, pre-hash signature, or key agreement).


From nobody Mon Jul 25 04:04:12 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07D1712D7AA for <saag@ietfa.amsl.com>; Mon, 25 Jul 2016 04:04:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.888
X-Spam-Level: 
X-Spam-Status: No, score=-3.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lr3osHTzhE-X for <saag@ietfa.amsl.com>; Mon, 25 Jul 2016 04:04:10 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8250412D7AE for <saag@ietf.org>; Mon, 25 Jul 2016 04:04:09 -0700 (PDT)
Received: from [192.168.10.131] ([195.149.223.151]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0LaoMe-1b3HHL18dU-00kLq9 for <saag@ietf.org>; Mon, 25 Jul 2016 13:04:07 +0200
To: saag <saag@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <5795F225.1010604@gmx.net>
Date: Mon, 25 Jul 2016 13:04:05 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="e2MbLHme2Jkk696mUgv0Cr7Xj0ABh8tgw"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/PANtidvEj-Gi7FtPy1u6qFX-LV4>
Subject: [saag] OAuth Security Workshop
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 11:04:11 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--e2MbLHme2Jkk696mUgv0Cr7Xj0ABh8tgw
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

at the SAAG meeting last week I briefly mentioned that we have held an
OAuth Security Workshop on July 14th and 15th 2016 in Trier/Germany.

Here is the link to the webpage:
https://infsec.uni-trier.de/events/osw2016

Slides and position papers are available for download.

This workshop followed a per-invitation only workshop in December 2015
where we discussed attacks against OAuth discovered through the use of
formal methods.

At this workshop we learned more about the use of formal methods, about
the techniques real-world attackers use to break OAuth implementations
and about a new OAuth/OpenID Connect security test suite.

We organized these two workshops primarily to bring security researchers
and standardization experts closer together.

Ciao
Hannes


--e2MbLHme2Jkk696mUgv0Cr7Xj0ABh8tgw--


From nobody Mon Jul 25 04:26:59 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D332212D7B7 for <saag@ietfa.amsl.com>; Mon, 25 Jul 2016 04:26:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.888
X-Spam-Level: 
X-Spam-Status: No, score=-3.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lrewPa532ntT for <saag@ietfa.amsl.com>; Mon, 25 Jul 2016 04:26:56 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50E5C12D7B5 for <saag@ietf.org>; Mon, 25 Jul 2016 04:26:55 -0700 (PDT)
Received: from [192.168.10.131] ([195.149.223.151]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MgYGJ-1bdvQ10pMt-00O09W for <saag@ietf.org>; Mon, 25 Jul 2016 13:26:54 +0200
To: saag <saag@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <5795F77C.8070803@gmx.net>
Date: Mon, 25 Jul 2016 13:26:52 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="wa9dlKJhC24sg9dl80IJxdx35unGPiLV5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/L69wN4BxoapYSLtdx9Pc-kkKrLo>
Subject: [saag] OAuth WG report for IETF 96
X-List-Received-Date: Mon, 25 Jul 2016 11:26:58 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--wa9dlKJhC24sg9dl80IJxdx35unGPiLV5
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

We had two working group sessions at the Berlin IETF meeting and we
managed to progress various specifications:
* Token exchange,
* Best current practices for native apps,
* Authentication Method Reference Values (AMR), and
* Authorization server meta-data.

We also identified new use cases to explore with the device flow document.

Working group last calls for the AMR and the native apps BCP were started.


We also did a call for adoption of the OAuth token binding
functionality, which fits into our work on proof-of-possession keys with
OAuth.

There is a proposal for documenting various security threats and
mitigations, see
https://www.ietf.org/mail-archive/web/oauth/current/msg16540.html

Ciao
Hannes


--wa9dlKJhC24sg9dl80IJxdx35unGPiLV5--


From nobody Mon Jul 25 09:55:23 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F10FB12D1CA for <saag@ietfa.amsl.com>; Mon, 25 Jul 2016 09:55:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.888
X-Spam-Level: 
X-Spam-Status: No, score=-3.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wW22R6lGjYgD for <saag@ietfa.amsl.com>; Mon, 25 Jul 2016 09:55:20 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB14D12D1A9 for <saag@ietf.org>; Mon, 25 Jul 2016 09:55:19 -0700 (PDT)
Received: from [192.168.10.131] ([195.149.223.151]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MV6PJ-1bp5YX31Ir-00YS4r for <saag@ietf.org>; Mon, 25 Jul 2016 18:55:16 +0200
References: <578F4F8A.6030402@gmx.net>
To: saag <saag@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Forwarded-Message-Id: <578F4F8A.6030402@gmx.net>
Message-ID: <57964472.7000902@gmx.net>
Date: Mon, 25 Jul 2016 18:55:14 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <578F4F8A.6030402@gmx.net>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="a72o9cdEQleCRXpMxaOrRgIaGqgcruSGS"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/OVvwO32ycgquyJkHNmO2i11tPOM>
Subject: [saag] Open Trust Protocol
X-List-Received-Date: Mon, 25 Jul 2016 16:55:22 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--a72o9cdEQleCRXpMxaOrRgIaGqgcruSGS
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

FYI: I had planned to talk about the 'Open Trust Protocol' in the T2TRG
meeting but unfortunately due to the lack of time this was not possible.
Hence, I am sending an email around instead.

   The Open Trust Protocol (OTrP) allows to install, update, and delete
   applications and to manage security configuration in a Trusted
   Execution Environment (TEE).

   TEEs are used in environments where security functionality should be
   isolated from a regular operating system (often called rich OS).
   This form of compartmentalization grants a smaller codebase access to
   security sensitive services and restricts communication from the rich
   OS to those security services via mediated access.

Here is the draft:
https://tools.ietf.org/html/draft-pei-opentrustprotocol-01

Here are my slides:
https://github.com/t2trg/2016-ietf96/blob/master/slides/70_OTrP-IETF93.pdf

Please let me know if you find this work interesting and have further
questions.

Ciao
Hannes






--a72o9cdEQleCRXpMxaOrRgIaGqgcruSGS--


From nobody Mon Jul 25 10:58:25 2016
Return-Path: <blueroofmusic@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDBE812D993 for <saag@ietfa.amsl.com>; Mon, 25 Jul 2016 10:58:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JXkgR8KkrK8u for <saag@ietfa.amsl.com>; Mon, 25 Jul 2016 10:58:21 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C03012D9A5 for <saag@ietf.org>; Mon, 25 Jul 2016 10:58:21 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id b62so168455701iod.3 for <saag@ietf.org>; Mon, 25 Jul 2016 10:58:21 -0700 (PDT)
X-Received: by 10.107.12.152 with SMTP id 24mr22344238iom.35.1469469500583; Mon, 25 Jul 2016 10:58:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.132.161 with HTTP; Mon, 25 Jul 2016 10:58:00 -0700 (PDT)
From: Ira McDonald <blueroofmusic@gmail.com>
Date: Mon, 25 Jul 2016 13:58:00 -0400
Message-ID: <CAN40gSshKiJ+2hANFhMi-nf9KCh59OWyfY4+fZZs8TZF-kUhpQ@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=001a113ed6089732ce0538798725
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Zn5RiTYEr2lCG4deHVak6pyr93w>
Cc: saag <saag@ietf.org>
Subject: Re: [saag] Open Trust Protocol
X-List-Received-Date: Mon, 25 Jul 2016 17:58:23 -0000

--001a113ed6089732ce0538798725
Content-Type: text/plain; charset=UTF-8

Hi Hannes,

Could you comment on the relationship between this Open
Trust Protocol (OTrP) and the Global Platform TEE Management
Framework spec (meant to do similar things, I think) that just
finished a public review phase on 20 June 2016?

I was aware of the GP TMF because the Trusted Computing
Group mobile work groups (MPWG and TMS) were asked to
write comments.

Cheers,
- Ira


Ira McDonald (Musician / Software Architect)
Co-Chair - TCG Trusted Mobility Solutions WG
Chair - Linux Foundation Open Printing WG
Secretary - IEEE-ISTO Printer Working Group
Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
IETF Designated Expert - IPP & Printer MIB
Blue Roof Music / High North Inc
http://sites.google.com/site/blueroofmusic
http://sites.google.com/site/highnorthinc
mailto: blueroofmusic@gmail.com
Winter  579 Park Place  Saline, MI  48176  734-944-0094
Summer  PO Box 221  Grand Marais, MI 49839  906-494-2434


On Mon, Jul 25, 2016 at 12:55 PM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi all,
>
> FYI: I had planned to talk about the 'Open Trust Protocol' in the T2TRG
> meeting but unfortunately due to the lack of time this was not possible.
> Hence, I am sending an email around instead.
>
>    The Open Trust Protocol (OTrP) allows to install, update, and delete
>    applications and to manage security configuration in a Trusted
>    Execution Environment (TEE).
>
>    TEEs are used in environments where security functionality should be
>    isolated from a regular operating system (often called rich OS).
>    This form of compartmentalization grants a smaller codebase access to
>    security sensitive services and restricts communication from the rich
>    OS to those security services via mediated access.
>
> Here is the draft:
> https://tools.ietf.org/html/draft-pei-opentrustprotocol-01
>
> Here are my slides:
> https://github.com/t2trg/2016-ietf96/blob/master/slides/70_OTrP-IETF93.pdf
>
> Please let me know if you find this work interesting and have further
> questions.
>
> Ciao
> Hannes
--001a113ed6089732ce0538798725--


From nobody Tue Jul 26 09:37:38 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98D5612D7D2 for <saag@ietfa.amsl.com>; Tue, 26 Jul 2016 09:37:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.888
X-Spam-Level: 
X-Spam-Status: No, score=-2.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GKwxxZtDny88 for <saag@ietfa.amsl.com>; Tue, 26 Jul 2016 09:37:34 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C23212D7DA for <saag@ietf.org>; Tue, 26 Jul 2016 09:37:31 -0700 (PDT)
Received: from [192.168.10.131] ([188.23.250.80]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0MNO33-1bPbKB29Gb-006skN; Tue, 26 Jul 2016 18:37:26 +0200
To: Ira McDonald <blueroofmusic@gmail.com>
References: <CAN40gSshKiJ+2hANFhMi-nf9KCh59OWyfY4+fZZs8TZF-kUhpQ@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Enigmail-Draft-Status: N1110
Message-ID: <579791C5.20109@gmx.net>
Date: Tue, 26 Jul 2016 18:37:25 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <CAN40gSshKiJ+2hANFhMi-nf9KCh59OWyfY4+fZZs8TZF-kUhpQ@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="irGF1Da5wjDuTOTjGUcLjPdwU7K9UmsA9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1j_kWlrKlWrWD4XCaBdZYxOD5t4>
Cc: Rob.Coombs@arm.com, saag <saag@ietf.org>
Subject: Re: [saag] Open Trust Protocol
X-List-Received-Date: Tue, 26 Jul 2016 16:37:36 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--irGF1Da5wjDuTOTjGUcLjPdwU7K9UmsA9
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi Ira,

they were developed independently with OTrP being a combination of PKI
based architecture and a simplified design using state-of-the-art IETF
protocols (based on work done in the JOSE working group).

OTrP may be attractive to IoT use cases that want to use hardware
security technology and leans on deployed architectures with a focus on
low protocol complexity.  OTrP was designed to be compatible with TEE
but could be used for other technologies as well.

I put my co-worker Rob on CC since he participates in Global Platform
while I don't.

Ciao
Hannes

On 07/25/2016 07:58 PM, Ira McDonald wrote:
> Hi Hannes,
>
> Could you comment on the relationship between this Open
> Trust Protocol (OTrP) and the Global Platform TEE Management
> Framework spec (meant to do similar things, I think) that just
> finished a public review phase on 20 June 2016?
>
> I was aware of the GP TMF because the Trusted Computing
> Group mobile work groups (MPWG and TMS) were asked to
> write comments.
>
> Cheers,
> - Ira
>
>
> Ira McDonald (Musician / Software Architect)
> Co-Chair - TCG Trusted Mobility Solutions WG
> Chair - Linux Foundation Open Printing WG
> Secretary - IEEE-ISTO Printer Working Group
> Co-Chair - IEEE-ISTO PWG Internet Printing Protocol WG
> IETF Designated Expert - IPP & Printer MIB
> Blue Roof Music / High North Inc
> http://sites.google.com/site/blueroofmusic
> http://sites.google.com/site/highnorthinc
> mailto: blueroofmusic@gmail.com <mailto:blueroofmusic@gmail.com>
> Winter  579 Park Place  Saline, MI  48176  734-944-0094
> Summer  PO Box 221  Grand Marais, MI 49839  906-494-2434
>
>
> On Mon, Jul 25, 2016 at 12:55 PM, Hannes Tschofenig
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
>
>     Hi all,
>
>     FYI: I had planned to talk about the 'Open Trust Protocol' in the T2TRG
>     meeting but unfortunately due to the lack of time this was not possible.
>     Hence, I am sending an email around instead.
>
>        The Open Trust Protocol (OTrP) allows to install, update, and delete
>        applications and to manage security configuration in a Trusted
>        Execution Environment (TEE).
>
>        TEEs are used in environments where security functionality should be
>        isolated from a regular operating system (often called rich OS).
>        This form of compartmentalization grants a smaller codebase access to
>        security sensitive services and restricts communication from the rich
>        OS to those security services via mediated access.
>
>     Here is the draft:
>     https://tools.ietf.org/html/draft-pei-opentrustprotocol-01
>
>     Here are my slides:
>     https://github.com/t2trg/2016-ietf96/blob/master/slides/70_OTrP-IETF93.pdf
>
>     Please let me know if you find this work interesting and have further
>     questions.
>
>     Ciao
>     Hannes
--irGF1Da5wjDuTOTjGUcLjPdwU7K9UmsA9--


From nobody Tue Jul 26 10:46:10 2016
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B5B4126D74 for <saag@ietfa.amsl.com>; Tue, 26 Jul 2016 10:46:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eWwTTrXUgcaZ for <saag@ietfa.amsl.com>; Tue, 26 Jul 2016 10:46:07 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2B9AA12D854 for <saag@ietf.org>; Tue, 26 Jul 2016 10:46:06 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id 52so14288803qtq.3 for <saag@ietf.org>; Tue, 26 Jul 2016 10:46:06 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.31.186.77 with SMTP id k74mr9483413vkf.26.1469555165243; Tue, 26 Jul 2016 10:46:05 -0700 (PDT)
Received: by 10.159.39.194 with HTTP; Tue, 26 Jul 2016 10:46:04 -0700 (PDT)
Received: by 10.159.39.194 with HTTP; Tue, 26 Jul 2016 10:46:04 -0700 (PDT)
In-Reply-To: <57964472.7000902@gmx.net>
References: <578F4F8A.6030402@gmx.net> <57964472.7000902@gmx.net>
Date: Tue, 26 Jul 2016 10:46:04 -0700
Message-ID: <CACsn0cm-+87V9WZdUW0kEdX6F5zgK-NVP0DDO=E5ZNAJ4uYY1Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary=001a1142f0e09a322605388d792c
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jdEjXQdc7Zp68VSoME7f5SMJoIc>
Cc: saag <saag@ietf.org>
Subject: Re: [saag] Open Trust Protocol
X-List-Received-Date: Tue, 26 Jul 2016 17:46:09 -0000

--001a1142f0e09a322605388d792c
Content-Type: text/plain; charset=UTF-8

On Mon, Jul 25, 2016 at 9:55 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:
> Hi all,
>
> FYI: I had planned to talk about the 'Open Trust Protocol' in the T2TRG
> meeting but unfortunately due to the lack of time this was not possible.
> Hence, I am sending an email around instead.
>
> The Open Trust Protocol (OTrP) allows to install, update, and delete
> applications and to manage security configuration in a Trusted
> Execution Environment (TEE).
>
> TEEs are used in environments where security functionality should be
> isolated from a regular operating system (often called rich OS).
> This form of compartmentalization grants a smaller codebase access to
> security sensitive services and restricts communication from the rich
> OS to those security services via mediated access.

Note carefully the evasion of who it is who installs, updates, and deletes
applications: not the owner of the device.

>
> Here is the draft:
> https://tools.ietf.org/html/draft-pei-opentrustprotocol-01
>
> Here are my slides:
> https://github.com/t2trg/2016-ietf96/blob/master/slides/70_OTrP-IETF93.pdf
>
> Please let me know if you find this work interesting and have further
> questions.
>
> Ciao
> Hannes

-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

--001a1142f0e09a322605388d792c--


From nobody Tue Jul 26 19:46:59 2016
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D86EA12D581 for <saag@ietfa.amsl.com>; Tue, 26 Jul 2016 19:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1TP2wTJ6RKTQ for <saag@ietfa.amsl.com>; Tue, 26 Jul 2016 19:46:53 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C24212D639 for <saag@ietf.org>; Tue, 26 Jul 2016 19:46:53 -0700 (PDT)
Received: from [172.20.23.54] (fleda.faster.cz [81.19.4.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id C205A80912; Wed, 27 Jul 2016 04:46:50 +0200 (CEST)
To: "saag@ietf.org" <saag@ietf.org>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <746fa93b-c5b3-acc1-42cd-4d9dd9668845@si6networks.com>
Date: Wed, 27 Jul 2016 04:40:58 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/_rJ7-HfYQ7gY2k1cztzQSvyKYKI>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: [saag] Revision of "Unfortunate History of Transient Numeric Identifiers" (draft-gont-numeric-ids-history-01)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 02:46:56 -0000

Folks,

We have posted a revision of the aforementioned I-D. It is available at:
<https://www.ietf.org/id/draft-gont-numeric-ids-history-01.txt>

This revision tries to address *part* of the comments we have received
so far. The main changes are:

* We have added the timeline for IPv6 Interface Identifiers.

* For each of the identifiers, we try to provide a summary wrt how the
identifier is specified and where the problem lies. (For all three TCP
ISNs, IPv6/IPv4 Frag IDs and IPv6 IIDs: in the specs).


If you have any input, it will be very welcome.

We have already started working on the next revision, in the hopes of
including the timelines for DNS TxIDs and NTFS file handles.

Your input on the current rev will help us shape how we discuss the
other identifiers we will be incorporating.

If you have any other suggestions for the next rev, please do let us know.

P.S.: FWIW, draft-gont-numeric-ids-generation is an "accompanying" I-D,
with advice wrt generation of transient numeric identifiers. OTOH,
draft-gont-numeric-ids-sec-considerations is no longer being pursued,
since the plan is to consider the inclusion of the aforementioned
requirements directly into rfc3552bis.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Tue Jul 26 20:22:05 2016
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7155C12DA84 for <saag@ietfa.amsl.com>; Tue, 26 Jul 2016 20:22:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVIEhpNiWaFc for <saag@ietfa.amsl.com>; Tue, 26 Jul 2016 20:22:03 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E775E12D9C6 for <saag@ietf.org>; Tue, 26 Jul 2016 20:22:02 -0700 (PDT)
Received: from [172.20.23.54] (fleda.faster.cz [81.19.4.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 1678780099; Wed, 27 Jul 2016 05:21:57 +0200 (CEST)
To: "saag@ietf.org" <saag@ietf.org>
References: <746fa93b-c5b3-acc1-42cd-4d9dd9668845@si6networks.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <c6b54348-b621-a96d-bb55-3e9f6e129787@si6networks.com>
Date: Wed, 27 Jul 2016 04:55:53 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <746fa93b-c5b3-acc1-42cd-4d9dd9668845@si6networks.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/RBM5TxsyUpazLOhezGaB2grixzU>
Cc: "privsec-program@iab.org" <privsec-program@iab.org>, =?UTF-8?Q?Iv=c3=a1n_Arce?= <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] Revision of "Unfortunate History of Transient Numeric Identifiers" (draft-gont-numeric-ids-history-01)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 03:22:04 -0000

On 07/27/2016 04:40 AM, Fernando Gont wrote:
> Folks,
> 
> We have posted a revision of the aforementioned I-D. It is available at:
> <https://www.ietf.org/id/draft-gont-numeric-ids-history-01.txt>
> 
> This revision tries to address *part* of the comments we have received
> so far. The main changes are:
> 
> * We have added the timeline for IPv6 Interface Identifiers.
> 
> * For each of the identifiers, we try to provide a summary wrt how the
> identifier is specified and where the problem lies. (For all three TCP
> ISNs, IPv6/IPv4 Frag IDs and IPv6 IIDs: in the specs).
> 
> 
> If you have any input, it will be very welcome.
> 
> We have already started working on the next revision, in the hopes of
> including the timelines for DNS TxIDs and NTFS file handles.

s/NTFS/NFS/

Thanks,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Wed Jul 27 14:55:52 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCA9C12D967 for <saag@ietfa.amsl.com>; Wed, 27 Jul 2016 14:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.588
X-Spam-Level: 
X-Spam-Status: No, score=-5.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q-0c_DIYTIC6 for <saag@ietfa.amsl.com>; Wed, 27 Jul 2016 14:55:48 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A4E412D1AE for <saag@ietf.org>; Wed, 27 Jul 2016 14:55:48 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 1C301BDCC; Wed, 27 Jul 2016 22:55:47 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1X_H9rU-TkMN; Wed, 27 Jul 2016 22:55:44 +0100 (IST)
Received: from [192.168.1.5] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 96F0CBE29; Wed, 27 Jul 2016 22:55:43 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1469656544; bh=F1mX2rbrFRcFKEzVjbPzw0od/HvWnvuNPYuPpqZ8IyE=; h=To:Cc:From:Subject:Date:From; b=3YMr713euAFvBJrmFGQZ5PHKkIXahvCtbgkB7R69i1Za09wnFC85vjMHmXSfPLP9b J/mz63CZHs5LyiEeUM3sS92DT3l3VGQaNkoL4S5d38UzMr4gxkSK1nT75wKZDS/E06 rlECdKM87yHd8qxujq54pbWAYJXrq6vF99v6nrHM=
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <01371e03-1a10-a464-3f15-4adecea7a0be@cs.tcd.ie>
Date: Wed, 27 Jul 2016 22:55:43 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060108050302000003060203"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0xK6BpPyFd410p27eEYhIpllhz4>
Subject: [saag] opportunistic wireless encryption...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 21:55:50 -0000

This is a cryptographically signed message in MIME format.

--------------ms060108050302000003060203
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

We had a thread about a year ago on this topic. [1] The feedback iirc
was "go do it right and use D-H." The authors figure they've now gone
and done that [2] and have asked me to consider AD sponsoring the work.

I've told them I would so long as we don't find any gotchas and it
doesn't cause an IETF/IEEE kerfuffle. We're working with IEEE folks
to check/ensure that the latter is ok via lots of lovely liaising;-)

In the meantime, comments here on the technical meat of this would be
appreciated if you have time to review.

Cheers,
S.

[1] https://www.ietf.org/mail-archive/web/saag/current/msg06595.html
[2] https://tools.ietf.org/html/draft-harkins-owe


--------------ms060108050302000003060203--

