
From nobody Thu Oct  6 08:56:52 2016
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 6 Oct 2016 08:56:45 -0700
Message-ID: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GYTtVmXjUdIPZtS_vHmf8MzrJMg>
Subject: [saag] Possible backdoor in RFC 5114
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>

https://tools.ietf.org/html/rfc5114

Let's review some publicly known facts:

1) BBN is a defense contractor

2) The NSA subverts crypto standards

3) It is possible to design primes so the discrete log problem is easy

4) The primes in RFC 5114 are not generated in a verifiable manner: it
is possible they are hidden SNFS primes.

At minimum we should obsolete RFC 5114 in favor of primes generated in
a verifiable manner. The fact that there already were primes for IKE
use makes me wonder why this was even needed in the first place.

Sincerely,
Watson


From nobody Thu Oct  6 09:20:10 2016
In-Reply-To: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 6 Oct 2016 12:10:40 -0400
Message-ID: <CAH8yC8mX_XhfOrY393-WSEJ2j6Pebj+2Mpim=6mOSXnDLL7Gdg@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Rmu4h-G-PbJ48PrcYkHVSufvdt8>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114

On Thu, Oct 6, 2016 at 11:56 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> https://tools.ietf.org/html/rfc5114
>
> Let's review some publicly known facts:
>
> 1) BBN is a defense contractor
>
> 2) The NSA subverts crypto standards
>
> 3) It is possible to design primes so the discrete log problem is easy
>
> 4) The primes in RFC 5114 are not generated in verifiable manner: it
> is possible they
> are hidden SNFS primes.
>
> At minimum we should obsolete RFC 5114 in favor of primes generated in
> a verifiable manner. The fact that there already were primes for IKE
> use makes me wonder why this was even needed in the first place.

That gives me a sinking feeling because I have used them in
production. I want to say, "Oh f**k...".

If they are of a special form, then how can it be tested or exposed? I'm
happy to purchase some Amazon compute time and run some extended
tests.

Jeff


From nobody Thu Oct  6 09:29:07 2016
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com>
Date: Thu, 6 Oct 2016 19:28:57 +0300
In-Reply-To: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fq_OslKs5spW7DizIWPdgXP-8Rs>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114


Hi, Watson.

On 6 Oct 2016, at 18:56, Watson Ladd <watsonbladd@gmail.com> wrote:

> https://tools.ietf.org/html/rfc5114
>
> Let's review some publicly known facts:
>
> 1) BBN is a defense contractor
>
> 2) The NSA subverts crypto standards
>
> 3) It is possible to design primes so the discrete log problem is easy
>
> 4) The primes in RFC 5114 are not generated in verifiable manner: it
> is possible they
> are hidden SNFS primes.
>
> At minimum we should obsolete RFC 5114 in favor of primes generated in
> a verifiable manner. The fact that there already were primes for IKE
> use makes me wonder why this was even needed in the first place.
>

RFC 5114 is an Informational document published by two employees (at the
time) of BBN as individuals. As the boilerplate says, “it does not
specify an Internet standard of any kind”.

IANA numbers have been assigned to them for IKE, but they have not seen
widespread use.  In TLS they are all but unknown, and recent work is
deprecating the use of DHE with explicit parameters anyway.

The soon-to-be published successor to RFC 4307 (algorithm guidance for
IKE - [1]) makes them “SHOULD NOT”.

It has never been explained in what way a 2048-bit MODP Group with
224-bit Prime Order Subgroup is better than a 2048-bit MODP Group
without one.  Consequently everyone uses the regular 2048-bit MODP from
RFC 3526 ([2]) if they’re not using ECDHE groups.

The RFC is effectively not in use. I don’t see any value in
obsoleting it by writing a new RFC with more MODP groups that nobody
wants. We could move it to Historic.

Yoav

[1] https://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis-14
[2] https://tools.ietf.org/html/rfc3526


From nobody Thu Oct  6 10:07:02 2016
In-Reply-To: <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 6 Oct 2016 13:06:54 -0400
Message-ID: <CAH8yC8kVZ=2-XKdUPRw=bxwJaMJFOoNDp7oB7XcUGhTznXSoiw@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/SonOi7i-mZOv20kE5BG1kHJuvhE>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114

> At minimum we should obsolete RFC 5114 in favor of primes generated in
> a verifiable manner. The fact that there already were primes for IKE
> use makes me wonder why this was even needed in the first place.
>
> RFC 5114 is an Informational document published by two employees (at the
> time) of BBN as individuals. As the boilerplate says, “it does not specify
> an Internet standard of any kind”.

They were published by the IETF which established provenance and
provided attestation.

If the IETF is going to backpedal on 5114, then there are other
"Additional Group" documents it has published which may need to be
backpedaled too, like 3526.

(3526 is what I happened to use in the past due to the larger field
sizes; not 5114).

Jeff


From nobody Thu Oct  6 10:11:55 2016
In-Reply-To: <CAH8yC8kVZ=2-XKdUPRw=bxwJaMJFOoNDp7oB7XcUGhTznXSoiw@mail.gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com> <CAH8yC8kVZ=2-XKdUPRw=bxwJaMJFOoNDp7oB7XcUGhTznXSoiw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 6 Oct 2016 10:11:50 -0700
Message-ID: <CACsn0c=jVRa6C=BjksfQdc3Vj90jKKA4NpaBLCMj_JDtoXu96w@mail.gmail.com>
To: noloader@gmail.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/CaGJDQe4enX5vPidh1FRp-d_r6o>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114

On Thu, Oct 6, 2016 at 10:06 AM, Jeffrey Walton <noloader@gmail.com> wrote:
>> At minimum we should obsolete RFC 5114 in favor of primes generated in
>> a verifiable manner. The fact that there already were primes for IKE
>> use makes me wonder why this was even needed in the first place.
>>
>> RFC 5114 is an Informational document published by two employees (at the
>> time) of BBN as individuals. As the boilerplate says, “it does not specify
>> an Internet standard of any kind”.
>
> They were published by the IETF which established provenance and
> provided attestation.
>
> If the IETF is going to back pedal on 5114, then there are other
> "Additional Group" documents it has published which may need to be
> back pedaled too, like 3526.
>
> (3526 is what I happened to use in the past due to the larger field
> sizes; not 5114).

What in 3526 needs backpedaling? None of the primes there could be
backdoored without real surprises: they are generated by taking big
chunks of pi, and then adjusting the last digits to make them prime.
The backdoor requires two small polynomials whose resultant is the
prime, which is hard to do with the deterministic generation of 3526.

Sincerely,
Watson
>
> Jeff



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.
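The check Watson describes above, carried out in code as an added example (not code from any message in this thread): it recomputes the RFC 2409 group 2 (1024-bit) and RFC 3526 group 5 and 14 (1536- and 2048-bit) MODP primes from the "chunks of pi" formula the RFCs publish and confirms each is a safe prime with the expected leading hex digits. The offsets are copied from those RFCs; the pi routine and the Miller-Rabin test are this example's own.

```python
"""Re-derive the classic MODP primes from their published formula and check
that each one is a safe prime.

Added example for this thread, not code from any message in it.  The formula
is the one printed in RFC 2409 (group 2, 1024-bit) and RFC 3526 (group 5,
1536-bit; group 14, 2048-bit):

    p = 2^n - 2^(n-64) - 1 + 2^64 * ( floor(2^(n-130) * pi) + k )

where k is the offset the RFC publishes as the one that makes p a safe prime.
The offsets below are copied from those RFCs; the pi and primality routines
are this example's own, so nothing here needs a library.
"""

# bit length n -> published offset k (RFC 2409 for 1024, RFC 3526 for the rest)
MODP_OFFSETS = {1024: 129093, 1536: 741804, 2048: 124476}

# Fixed Miller-Rabin witnesses so the check is repeatable from run to run.
_WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def pi_floor_shifted(bits: int) -> int:
    """Return floor(pi * 2**bits), computed with Machin's formula in integer fixed point."""
    guard = 64                      # extra low bits that absorb series truncation error
    scale = 1 << (bits + guard)

    def arctan_recip(x: int) -> int:
        # arctan(1/x) * scale = scale * sum_k (-1)^k / ((2k+1) * x^(2k+1)), all in integers
        total, term, k, sign = 0, scale // x, 0, 1
        x2 = x * x
        while term:
            total += sign * (term // (2 * k + 1))
            term //= x2
            k += 1
            sign = -sign
        return total

    # Machin: pi = 16*arctan(1/5) - 4*arctan(1/239)
    pi_scaled = 16 * arctan_recip(5) - 4 * arctan_recip(239)
    return pi_scaled >> guard


def modp_prime(bits: int) -> int:
    """Rebuild the MODP prime of the given size from the RFC formula."""
    k = MODP_OFFSETS[bits]
    return ((1 << bits) - (1 << (bits - 64)) - 1
            + (1 << 64) * (pi_floor_shifted(bits - 130) + k))


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed witnesses; enough to confirm a published prime."""
    if n < 2:
        return False
    for w in _WITNESSES:
        if n == w:
            return True
        if n % w == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _WITNESSES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_modp_group(bits: int) -> dict:
    """Derive the prime and report the properties a verifier cares about."""
    p = modp_prime(bits)
    return {
        "bits": p.bit_length(),
        # p and q = (p-1)/2 both prime => safe prime, so no small subgroup to leak into
        "p_prime": is_probable_prime(p),
        "q_prime": is_probable_prime((p - 1) // 2),
        # 64 leading 1-bits followed by pi's hex digits (C90FDAA2...) is the visible fingerprint
        "hex_prefix": format(p, "x")[:24],
    }


if __name__ == "__main__":
    for n in sorted(MODP_OFFSETS):
        print(n, check_modp_group(n))
```

A group whose prime cannot be rebuilt from a public formula like this (RFC 5114's cannot) gives a reviewer nothing to recompute, which is exactly the gap the thread is about.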


From nobody Thu Oct  6 10:15:34 2016
Date: Thu, 6 Oct 2016 17:15:29 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20161006171529.GF4670@mournblade.imrryr.org>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com>
In-Reply-To: <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3WjsJHO2IEzT5JIpuvkCNb8RxDU>
Subject: Re: [saag] Possible backdoor in RFC 5114

On Thu, Oct 06, 2016 at 07:28:57PM +0300, Yoav Nir wrote:

> > At minimum we should obsolete RFC 5114 in favor of primes generated in
> > a verifiable manner. The fact that there already were primes for IKE
> > use makes me wonder why this was even needed in the first place.
> > 
> 
> RFC 5114 is an Informational document published by two employees (at the
> time) of BBN as individuals. As the boilerplate says, “it does not specify
> an Internet standard of any kind”.
> 
> IANA numbers have been assigned to them for IKE, but they have not seen
> widespread use.  In TLS they are all but unknown, and recent work is
> deprecating the use of DHE with explicit parameters anyway.

Sadly, their use was facilitated by support for these groups being
added in OpenSSL 1.0.2, making it easier for users to stumble into
using them.  Thus, for example, these are in use in Exim, likely
because it seemed more convenient to use "standard" groups, than
to ask users to generate their own DH parameters, and "they're in
an RFC, so they must be better than just random...".

    http://www.exim.org/exim-html-current/doc/html/spec_html/ch-main_configuration.html#SECTalomo
    [ scroll down to the entry for tls_dhparams ]

    If Exim is using OpenSSL and this option is empty or unset,
    then Exim will load a default DH prime; the default is the 2048
    bit prime described in section 2.2 of RFC 5114, "2048-bit MODP
    Group with 224-bit Prime Order Subgroup", which in IKE is
    assigned number 23.

    Otherwise, the option must expand to the name used by Exim for
    any of a number of DH primes specified in RFC 2409, RFC 3526
    and RFC 5114. As names, Exim uses "ike" followed by the number
    used by IKE, or "default" which corresponds to "ike23".

    The available primes are: ike1, ike2, ike5, ike14, ike15, ike16,
    ike17, ike18, ike22, ike23 (aka default) and ike24.

Fortunately for some, the Postfix compiled-in default DHE parameters
use SG primes (that I generated in the usual way), but users are
encouraged to use their own.

    http://www.postfix.org/FORWARD_SECRECY_README.html

> The RFC is effectively not in use. I don't see any value in obsoleting it
> by writing a new RFC with more MODP groups that nobody wants. We could
> move it to Historic.

Well, it is not in wide use, but it may be a stretch to say
"effectively not in use".

-- 
	Viktor.

P.S. What is the most effective known way to "cook" FFDHE parameters
(other than reduced prime size) to make DLP easier?
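
The "224-bit Prime Order Subgroup" in the group Exim defaults to means p = k*q + 1 with q prime and g of order q, and a receiver only gets the advertised security if it checks that a peer's value actually lies in that order-q subgroup. The following is an added example, not code from this thread or from Exim, Postfix or OpenSSL: it builds a constructed toy group of the same shape (the sizes, seed and exponents are assumptions) and runs the parameter and peer-value checks over it.

```python
"""Sanity checks for finite-field DH parameters of the RFC 5114 shape
(p = k*q + 1 with q prime and g of order q) and the peer-value check
that goes with them.

Added example, not code from the thread or from Exim, Postfix or OpenSSL.
The toy group is constructed (31-bit q, roughly 63-bit p) so it runs in
well under a second; real groups use a 2048-bit p with a 224-bit q.
"""
import math
import random

_MR_RNG = random.Random(20161006)  # fixed seed so runs are reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with a trial-division prefilter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_MR_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_subgroup_params(q, k_start):
    """Constructed group: smallest even k >= k_start with p = k*q + 1 prime
    and gcd(k, q) == 1, plus a generator g of the order-q subgroup."""
    if not is_probable_prime(q):
        raise ValueError("q must be prime")
    k = k_start + (k_start % 2)
    while not (math.gcd(k, q) == 1 and is_probable_prime(k * q + 1)):
        k += 2
    p = k * q + 1
    # x^k has order dividing q; q is prime, so any such value != 1 has order q.
    g = next(pow(x, k, p) for x in range(2, p - 1) if pow(x, k, p) != 1)
    return p, g, q


def check_group(p, g, q):
    """Return a list of findings; an empty list means (p, g, q) is consistent."""
    findings = []
    if p % 2 == 0 or not is_probable_prime(p):
        findings.append("p is not an odd prime")
    if not is_probable_prime(q):
        findings.append("q is not prime")
    if (p - 1) % q != 0:
        findings.append("q does not divide p-1")
    if not 1 < g < p - 1:
        findings.append("g outside (1, p-1)")
    elif not findings and pow(g, q, p) != 1:
        findings.append("g does not generate the order-q subgroup")
    return findings


def check_peer_public(y, p, q):
    """Range check plus y^q == 1 (mod p).  Rejects 0, 1, p-1 and any value
    confined to a subgroup of the cofactor k = (p-1)/q; skipping this check
    is what makes a non-safe-prime group risky in practice."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def demo():
    """Constructed walk-through; returns (group_ok, honest_ok, bogus_ok)."""
    p, g, q = make_subgroup_params(2**31 - 1, 2**32)  # 2^31-1 is prime
    group_ok = check_group(p, g, q) == []
    honest = pow(g, 123456789, p)  # an honest peer value, inside the subgroup
    # A value whose order divides the cofactor: x^q with x^q != 1.
    bogus = next(pow(x, q, p) for x in range(2, p - 1) if pow(x, q, p) != 1)
    return group_ok, check_peer_public(honest, p, q), check_peer_public(bogus, p, q)


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

With a safe prime (k = 2) the cofactor subgroup has order 2 and the range check alone excludes it, which is why the same check costs little there but is essential for groups with a large cofactor.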


From nobody Thu Oct  6 19:42:57 2016
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Yoav Nir <ynir.ietf@gmail.com>, Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 7 Oct 2016 02:42:50 +0000
Message-ID: <1475808167003.84186@cs.auckland.ac.nz>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>,  <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com>
In-Reply-To: <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com>
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/bnuURcz2_P8JaYbNcAyhzcAbNmc>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114

Yoav Nir <ynir.ietf@gmail.com> writes:

>It has never been explained in what way a 2048-bit MODP Group with 224-bit
>Prime Order Subgroup is better than a 2048-bit MODP Group without one.
>Consequently everyone uses the regular 2048-bit MODP from RFC 3526 ([2]) if
>they're not using ECDHE groups.

My thoughts exactly.  Given that with sizeof( p ) == sizeof( g ) these are
probably the least efficient DH parameters ever published, the whole RFC just
screams "don't use me".  Does it even need to be actively deprecated?

Peter.


From nobody Fri Oct  7 01:48:23 2016
To: saag@ietf.org
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <37739375-AD0C-4CF2-B8B9-F61B89692135@gmail.com> <1475808167003.84186@cs.auckland.ac.nz>
From: Jeremy Harris <jgh@wizmail.org>
Message-ID: <c2467c20-17c1-8f31-85c6-0448bcbc6b77@wizmail.org>
Date: Fri, 7 Oct 2016 09:48:14 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1475808167003.84186@cs.auckland.ac.nz>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qgGwKUMhf_PAqMtCpkzSn4jh7As>
Subject: Re: [saag] Possible backdoor in RFC 5114

On 07/10/16 03:42, Peter Gutmann wrote:
>   Given that with sizeof( p ) == sizeof( g ) these are
> probably the least efficient DH parameters ever published, the whole RFC just
> screams "don't use me".  Does it even need to be actively deprecated?

For people who are not number-theoreticians, and have no clue on what
effect sizeof(random letter) might have, but nonetheless expect
active standards to be useful?
-- 
Jeremy



From nobody Fri Oct  7 04:45:37 2016
To: Watson Ladd <watsonbladd@gmail.com>, "saag@ietf.org" <saag@ietf.org>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie>
Date: Fri, 7 Oct 2016 12:45:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/CiVlZgyrScTw2dujUhliMV1azQw>
Subject: Re: [saag] Possible backdoor in RFC 5114

So I'm not seeing anyone so far argue to not
deprecate these somehow.

We could just make 5114 historic as Yoav suggests,
or, if someone writes an I-D to explain why, we
could obsolete 5114. (Such an I-D would presumably
also say something about codepoints that point at
5114 from other registries.)

Assuming nobody shows up saying these are in
fact in widespread use I'd be supportive of us
getting rid of cruft.

So, someone wanna volunteer to write an I-D that'd
obsolete 5114? If so, say so here.

Or, if you want me to start the "mark it historic"
process (which doesn't need an I-D), please say
so here. (Note that even though this doesn't need
an I-D the status-change does get an IETF last
call.)

Or, if you wanna argue that none of the above are
right, then please do that.

Cheers,
S.




From nobody Fri Oct  7 06:59:51 2016
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22519.43588.421250.807948@fireball.acr.fi>
Date: Fri, 7 Oct 2016 16:59:32 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Onj21JeKIBgkmshV5m7b0VR03Pg>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114

Stephen Farrell writes:
> 
> So I'm not seeing anyone so far argue to not
> deprecate these somehow.
> 
> We could just make 5114 historic as Yoav suggests,
> or, if someone writes an I-D to explain why, we
> could obsolete 5114. (Such an I-D would presumably
> also say something about codepoints that point at
> 5114 from other registries.)
> 
> Assuming nobody shows up saying these are in
> fact in widespread use I'd be supportive of us
> getting rid of cruft.

I think the NIST ECP groups are quite widely supported, and used.
RFC5114 includes both NIST ECP Groups (192, 224, 256, 384 and 521) and
3 MODP groups.

In IPsec, ECP groups are widely used, those MODP groups with subgroup
are not. On the other hand I think only those 192, 256 and 521 bit
groups are really used, and those are defined also in RFC5903 (which
obsoleted original 4753 which had a serious bug in it).

> So, someone wanna volunteer to write an I-D that'd
> obsolete 5114? If so, say so here.

Or parts of it or something. 

> Or, if you want me to start the "mark it historic"
> process (which doesn't need an I-D), please say
> so here. (Note that even though this doesn't need
> an I-D the status-change does get an IETF last
> call.)

Marking NIST ECP groups as historic might be preferable for some
people, but it might be a good idea to wait until we have curve25519
etc published as RFC for all protocols that 5114 covers before we go
that far. In IPsec the curve25519 etc are now in the IESG, I do not
know what is the status for other protocols (X.509, TLS, SSH, SMIME).

> Or, if you wanna argue that none of the above are
> right, then please do that.

I have no idea why we would want to mark the document as historic, or
obsolete it, especially as it does define things that are in use (ECP
groups).

It does not give any recommendations for using those groups; for
example in IPsec we do have separate documents which give those
recommendations, and for the 256-bit ECP we are saying SHOULD, and for
the MODP groups defined in 5114 we are saying SHOULD NOT.

That is a much better way to define the recommendations and how those
groups should or should not be used.
-- 
kivinen@iki.fi


From nobody Fri Oct  7 08:56:20 2016
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <22519.43588.421250.807948@fireball.acr.fi>
Date: Fri, 7 Oct 2016 18:56:12 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1Lix9teLE4NHfhgTwJAOKTjIJw4>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114

> On 7 Oct 2016, at 16:59, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> Stephen Farrell writes:
>> 
>> So I'm not seeing anyone so far argue to not
>> deprecate these somehow.
>> 
>> We could just make 5114 historic as Yoav suggests,
>> or, if someone writes an I-D to explain why, we
>> could obsolete 5114. (Such an I-D would presumably
>> also say something about codepoints that point at
>> 5114 from other registries.)
>> 
>> Assuming nobody shows up saying these are in
>> fact in widespread use I'd be supportive of us
>> getting rid of cruft.
> 
> I think the NIST ECP groups are quite widely supported, and used.
> RFC5114 includes both NIST ECP Groups (192, 224, 256, 384 and 521) and
> 3 MODP groups.
> 
> In IPsec, ECP groups are widely used, those MODP groups with subgroup
> are not. On the other hand I think only those 192, 256 and 521 bit
> groups are really used, and those are defined also in RFC5903 (which
> obsoleted original 4753 which had a serious bug in it).


First, I think you meant 256, 384 and 521 bit, not the 192.

Second, 5114 did not fix the bug in 4753. It just referenced 4753 for
formatting. You know this better than I do, but I don't think
the IANA registry ever referenced 5114 for these ECP groups.

So for the three useful groups in 5114 you didn't need it (as
4753 already existed), and you don't need it now, as 5903
exists. I don't see anything standing in the way of moving to
historic or obsoleting it.

Yoav


From nobody Fri Oct  7 12:47:36 2016
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com>
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
X-Forwarded-Message-Id: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com>
Message-ID: <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie>
Date: Fri, 7 Oct 2016 20:47:30 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/DjrFhtsCgubc53FFXjXoyY7NGto>
Subject: [saag] software update for teeny-weeny devices (was: Fwd: [Iotsu] Initial version of the IoTSU workshop report submitted)

Hiya,

I hope this is of interest to some folks here. If so, please
join the iotsu@iab.org list and/or discuss here.

Do folks think this'd be a good topic on which to spend some
time at the saag session at IETF97?

Cheers,
S.

-------- Forwarded Message --------
Subject: [Iotsu] Initial version of the IoTSU workshop report submitted
Date: Fri, 7 Oct 2016 19:44:03 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: iotsu@iab.org <iotsu@iab.org>

Hi all,

I have just submitted the initial version of the report:
https://tools.ietf.org/html/draft-farrell-iotsu-workshop-00

We tried to capture the received comments as best as we could but I am
sure there is room for improvement.
Feedback is welcome!

Ciao
Hannes





From nobody Fri Oct  7 14:12:25 2016
Return-Path: <pkampana@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4142412971B for <saag@ietfa.amsl.com>; Fri,  7 Oct 2016 14:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.517
X-Spam-Level: 
X-Spam-Status: No, score=-17.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jgjr_PDhmFis for <saag@ietfa.amsl.com>; Fri,  7 Oct 2016 14:12:22 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F09581296C2 for <saag@ietf.org>; Fri,  7 Oct 2016 14:12:21 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,456,1473120000"; d="scan'208";a="155679075"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Oct 2016 21:12:21 +0000
Received: from XCH-RCD-006.cisco.com (xch-rcd-006.cisco.com [173.37.102.16]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id u97LCKnC000720 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 7 Oct 2016 21:12:21 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-RCD-006.cisco.com (173.37.102.16) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 7 Oct 2016 16:12:20 -0500
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1210.000; Fri, 7 Oct 2016 16:12:20 -0500
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Tero Kivinen <kivinen@iki.fi>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [saag] Possible backdoor in RFC 5114
Thread-Index: AQHSIKMXG3N0BgRdDE+CK2NUlU6XTKCdfB8A
Date: Fri, 7 Oct 2016 21:12:20 +0000
Message-ID: <75a7525e2d954da192e056ff32c632ca@XCH-ALN-010.cisco.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi>
In-Reply-To: <22519.43588.421250.807948@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.108.7]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-hqvMiGHabBWJ34tRiJyqsiWA_g>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 21:12:24 -0000

> I have no idea why we would want to mark the document as historic, or
> obsolete it, especially as it does define things that are in use (ECP
> groups).
> It does not give any recommendations for using those groups, for example
> in IPsec we do have separate documents which give those recommendations
> and for the 256-bit ECP we are saying SHOULD, and for the MODP groups
> defined in the 5114 we are saying SHOULD NOT.
> That is a much better way to define the recommendations and how those
> groups should or should not be used.

Agreed. The ECP groups are widely used in IKE. "Historifying" will not add
value, especially before a 25519 group is defined.
Panos



-----Original Message-----
From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Tero Kivinen
Sent: Friday, October 07, 2016 10:00 AM
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: saag@ietf.org
Subject: Re: [saag] Possible backdoor in RFC 5114

Stephen Farrell writes:
>
> So I'm not seeing anyone so far argue to not deprecate these somehow.
>
> We could just make 5114 historic as Yoav suggests, or, if someone
> writes an I-D to explain why, we could obsolete 5114. (Such an I-D
> would presumably also say something about codepoints that point at
> 5114 from other registries.)
>
> Assuming nobody shows up saying these are in fact in widespread use
> I'd be supportive of us getting rid of cruft.

I think the NIST ECP groups are quite widely supported, and used.
RFC5114 includes both NIST ECP groups (192, 224, 256, 384 and 521) and
3 MODP groups.

In IPsec, ECP groups are widely used; those MODP groups with subgroup are
not. On the other hand I think only those 192, 256 and 521 bit groups are
really used, and those are defined also in RFC5903 (which obsoleted the
original 4753 which had a serious bug in it).

> So, someone wanna volunteer to write an I-D that'd obsolete 5114? If
> so, say so here.

Or parts of it or something.

> Or, if you want me to start the "mark it historic"
> process (which doesn't need an I-D), please say so here. (Note that
> even though this doesn't need an I-D the status-change does get an
> IETF last call.)

Marking NIST ECP groups as historic might be preferable for some people,
but it might be a good idea to wait until we have curve25519 etc published
as RFC for all protocols that 5114 covers before we go that far. In IPsec
the curve25519 etc are now in the IESG; I do not know what the status is
for other protocols (X.509, TLS, SSH, SMIME).

> Or, if you wanna argue that none of the above are right, then please
> do that.

I have no idea why we would want to mark the document as historic, or
obsolete it, especially as it does define things that are in use (ECP
groups).

It does not give any recommendations for using those groups, for example
in IPsec we do have separate documents which give those recommendations
and for the 256-bit ECP we are saying SHOULD, and for the MODP groups
defined in the 5114 we are saying SHOULD NOT.

That is a much better way to define the recommendations and how those
groups should or should not be used.
--
kivinen@iki.fi

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


From nobody Fri Oct  7 14:50:13 2016
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF3D1293F3 for <saag@ietfa.amsl.com>; Fri,  7 Oct 2016 14:50:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WKj2Y334dXHA for <saag@ietfa.amsl.com>; Fri,  7 Oct 2016 14:50:08 -0700 (PDT)
Received: from mail-ua0-x233.google.com (mail-ua0-x233.google.com [IPv6:2607:f8b0:400c:c08::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 338581293DF for <saag@ietf.org>; Fri,  7 Oct 2016 14:50:08 -0700 (PDT)
Received: by mail-ua0-x233.google.com with SMTP id p102so55167549uap.0 for <saag@ietf.org>; Fri, 07 Oct 2016 14:50:08 -0700 (PDT)
X-Received: by 10.159.40.137 with SMTP id d9mr9387761uad.115.1475877007301; Fri, 07 Oct 2016 14:50:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.159.37.41 with HTTP; Fri, 7 Oct 2016 14:50:06 -0700 (PDT)
In-Reply-To: <75a7525e2d954da192e056ff32c632ca@XCH-ALN-010.cisco.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <75a7525e2d954da192e056ff32c632ca@XCH-ALN-010.cisco.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 7 Oct 2016 14:50:06 -0700
Message-ID: <CACsn0cnag=PYkETG9gNUim6cd9k1NK8UAhJa7BU7Vtb3H54YjA@mail.gmail.com>
To: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/lVYmBWrsZoyoFQl8dUiFe4bfMHY>
Cc: "saag@ietf.org" <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 21:50:11 -0000

On Fri, Oct 7, 2016 at 2:12 PM, Panos Kampanakis (pkampana)
<pkampana@cisco.com> wrote:
>> I have no idea why we would want to mark the document as historic, or
>> obsolete it, especially as it does define things that are in use (ECP
>> groups).
>> It does not give any recommendations for using those groups, for example
>> in IPsec we do have separate documents which give those recommendations
>> and for the 256-bit ECP we are saying SHOULD, and for the MODP groups
>> defined in the 5114 we are saying SHOULD NOT.
>> That is a much better way to define the recommendations and how those
>> groups should or should not be used.

The IANA registry cites 5903, not 5114, for these groups, so
historifying 5114 would have no effect. I'm not entirely sure what
historifying does to registries in terms of marking DO NOT USE: maybe
a separate draft is required. I am not a process expert. Furthermore
in at least some cases the IKE registries get used by people hunting
for DH parameters. Do we need a draft here? What should that look
like?

It's not SHOULD NOT. It's "using these groups even outside of IKE will
result in pwnage". Do you agree we need a stronger warning about known
bad cryptographic constructions? What do you think that should look
like?

>
> Agreed. The ECP groups are widely used in IKE. "Historifying" will not
> add value, especially before a 25519 group is defined.
> Panos
>
>
>
> -----Original Message-----
> From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Tero Kivinen
> Sent: Friday, October 07, 2016 10:00 AM
> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Cc: saag@ietf.org
> Subject: Re: [saag] Possible backdoor in RFC 5114
>
> Stephen Farrell writes:
>>
>> So I'm not seeing anyone so far argue to not deprecate these somehow.
>>
>> We could just make 5114 historic as Yoav suggests, or, if someone
>> writes an I-D to explain why, we could obsolete 5114. (Such an I-D
>> would presumably also say something about codepoints that point at
>> 5114 from other registries.)
>>
>> Assuming nobody shows up saying these are in fact in widespread use
>> I'd be supportive of us getting rid of cruft.
>
> I think the NIST ECP groups are quite widely supported, and used.
> RFC5114 includes both NIST ECP groups (192, 224, 256, 384 and 521) and
> 3 MODP groups.
>
> In IPsec, ECP groups are widely used; those MODP groups with subgroup are
> not. On the other hand I think only those 192, 256 and 521 bit groups are
> really used, and those are defined also in RFC5903 (which obsoleted the
> original 4753 which had a serious bug in it).
>
>> So, someone wanna volunteer to write an I-D that'd obsolete 5114? If
>> so, say so here.
>
> Or parts of it or something.
>
>> Or, if you want me to start the "mark it historic"
>> process (which doesn't need an I-D), please say so here. (Note that
>> even though this doesn't need an I-D the status-change does get an
>> IETF last
>> call.)
>
> Marking NIST ECP groups as historic might be preferable for some people,
> but it might be a good idea to wait until we have curve25519 etc published
> as RFC for all protocols that 5114 covers before we go that far. In IPsec
> the curve25519 etc are now in the IESG; I do not know what the status is
> for other protocols (X.509, TLS, SSH, SMIME).
>
>> Or, if you wanna argue that none of the above are right, then please
>> do that.
>
> I have no idea why we would want to mark the document as historic, or
> obsolete it, especially as it does define things that are in use (ECP
> groups).
>
> It does not give any recommendations for using those groups, for example
> in IPsec we do have separate documents which give those recommendations
> and for the 256-bit ECP we are saying SHOULD, and for the MODP groups
> defined in the 5114 we are saying SHOULD NOT.
>
> That is a much better way to define the recommendations and how those
> groups should or should not be used.
> --
> kivinen@iki.fi
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.


From nobody Sat Oct  8 05:30:35 2016
Return-Path: <quynh.dang@nist.gov>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4589712948D for <saag@ietfa.amsl.com>; Sat,  8 Oct 2016 05:30:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aXL0uUccdYmY for <saag@ietfa.amsl.com>; Sat,  8 Oct 2016 05:30:30 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0101.outbound.protection.outlook.com [23.103.200.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 180DE1293EE for <saag@ietf.org>; Sat,  8 Oct 2016 05:30:29 -0700 (PDT)
Received: from CY4PR09MB1464.namprd09.prod.outlook.com (10.173.191.22) by CY4PR09MB1462.namprd09.prod.outlook.com (10.173.191.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.649.16; Sat, 8 Oct 2016 12:30:27 +0000
Received: from CY4PR09MB1464.namprd09.prod.outlook.com ([10.173.191.22]) by CY4PR09MB1464.namprd09.prod.outlook.com ([10.173.191.22]) with mapi id 15.01.0649.027; Sat, 8 Oct 2016 12:30:27 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Watson Ladd <watsonbladd@gmail.com>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Possible backdoor in RFC 5114
Thread-Index: AQHSH+pIM2MogzBmCUCWoaV9y3sEjKCeftTt
Date: Sat, 8 Oct 2016 12:30:27 +0000
Message-ID: <CY4PR09MB14647B46781F1AB1E6B00043F3D90@CY4PR09MB1464.namprd09.prod.outlook.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
In-Reply-To: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.222.136]
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed; boundary="_002_CY4PR09MB14647B46781F1AB1E6B00043F3D90CY4PR09MB1464namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Oct 2016 12:30:27.8569 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR09MB1462
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/QrTirxfkY2DaQ8KNYkiVAfOpdR8>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Oct 2016 12:30:33 -0000

--_002_CY4PR09MB14647B46781F1AB1E6B00043F3D90CY4PR09MB1464namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Watson and all,

This paper would be a good (re)read:
http://www.math.uwaterloo.ca/~ajmeneze/publications/pqc.pdf.

Quynh.

________________________________________
From: saag <saag-bounces@ietf.org> on behalf of Watson Ladd <watsonbladd@gmail.com>
Sent: Thursday, October 6, 2016 11:56 AM
To: saag@ietf.org
Subject: [saag] Possible backdoor in RFC 5114

https://tools.ietf.org/html/rfc5114

Let's review some publicly known facts:

1) BBN is a defense contractor

2) The NSA subverts crypto standards

3) It is possible to design primes so the discrete log problem is easy

4) The primes in RFC 5114 are not generated in verifiable manner: it
is possible they
are hidden SNFS primes.

At minimum we should obsolete RFC 5114 in favor of primes generated in
a verifiable manner. The fact that there already were primes for IKE
use makes me wonder why this was even needed in the first place.

Sincerely,
Watson

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag

--_002_CY4PR09MB14647B46781F1AB1E6B00043F3D90CY4PR09MB1464namp_
Content-Type: application/pdf; name="pqc.pdf"
Content-Description: pqc.pdf
Content-Disposition: attachment; filename="pqc.pdf"; size=222462;
	creation-date="Sat, 08 Oct 2016 12:29:31 GMT";
	modification-date="Sat, 08 Oct 2016 12:29:31 GMT"
Content-Transfer-Encoding: base64
--_002_CY4PR09MB14647B46781F1AB1E6B00043F3D90CY4PR09MB1464namp_--


From nobody Sat Oct  8 06:38:30 2016
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D70D129572 for <saag@ietfa.amsl.com>; Sat,  8 Oct 2016 06:38:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level: 
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cj_EN98IhT0t for <saag@ietfa.amsl.com>; Sat,  8 Oct 2016 06:38:26 -0700 (PDT)
Received: from mail-qt0-f180.google.com (mail-qt0-f180.google.com [209.85.216.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C77312956E for <saag@ietf.org>; Sat,  8 Oct 2016 06:38:26 -0700 (PDT)
Received: by mail-qt0-f180.google.com with SMTP id q7so32137103qtq.1 for <saag@ietf.org>; Sat, 08 Oct 2016 06:38:26 -0700 (PDT)
X-Received: by 10.237.44.193 with SMTP id g59mr7686975qtd.144.1475933845708; Sat, 08 Oct 2016 06:37:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.171.87 with HTTP; Sat, 8 Oct 2016 06:37:24 -0700 (PDT)
Received: by 10.12.171.87 with HTTP; Sat, 8 Oct 2016 06:37:24 -0700 (PDT)
In-Reply-To: <CY4PR09MB14647B46781F1AB1E6B00043F3D90@CY4PR09MB1464.namprd09.prod.outlook.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <CY4PR09MB14647B46781F1AB1E6B00043F3D90@CY4PR09MB1464.namprd09.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 8 Oct 2016 06:37:24 -0700
Message-ID: <CACsn0c=o9NoYLGhQx__C4izGRPSzo6aRBJk-2d5R9FxKcf--qg@mail.gmail.com>
To: "Dang, Quynh" <quynh.dang@nist.gov>
Content-Type: multipart/alternative; boundary=94eb2c12569295e4a8053e5aa019
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/E54HMmrLdyq3Sq2mPyvfLPHVPUk>
Cc: saag@ietf.org
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Oct 2016 13:38:29 -0000

--94eb2c12569295e4a8053e5aa019
Content-Type: text/plain; charset=UTF-8

On Oct 8, 2016 5:30 AM, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>
> Watson and all,
>
> This paper would be a good (re)read:
http://www.math.uwaterloo.ca/~ajmeneze/publications/pqc.pdf.

From which you would have us conclude what?

The backdoor of Gordon in Diffie-Hellman is well-known.  There is no way to
know if these primes are backdoored.

>
> Quynh.
>
> ________________________________________
> From: saag <saag-bounces@ietf.org> on behalf of Watson Ladd <
watsonbladd@gmail.com>
> Sent: Thursday, October 6, 2016 11:56 AM
> To: saag@ietf.org
> Subject: [saag] Possible backdoor in RFC 5114
>
> https://tools.ietf.org/html/rfc5114
>
> Let's review some publicly known facts:
>
> 1) BBN is a defense contractor
>
> 2) The NSA subverts crypto standards
>
> 3) It is possible to design primes so the discrete log problem is easy
>
> 4) The primes in RFC 5114 are not generated in verifiable manner: it
> is possible they
> are hidden SNFS primes.
>
> At minimum we should obsolete RFC 5114 in favor of primes generated in
> a verifiable manner. The fact that there already were primes for IKE
> use makes me wonder why this was even needed in the first place.
>
> Sincerely,
> Watson
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

--94eb2c12569295e4a8053e5aa019--
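Watson's distinction above between the RFC 5114 moduli and "primes generated in a verifiable manner" can be made concrete. The following is an added example, not part of this thread or of any RFC: it rebuilds the pi-based rule that the earlier IKE MODP groups (RFC 2409, RFC 3526) state for their moduli, with the published search offsets quoted from memory as an assumption that the primality check exercises, and reports whether a given modulus can be explained by that rule at all; a modulus that cannot is exactly the situation the thread is complaining about.

```python
"""Check whether a Diffie-Hellman modulus is a "nothing up my sleeve" prime.

Added example, not code from this thread or from any RFC. It rebuilds the
derivation rule behind the original IKE MODP groups (RFC 2409 / RFC 3526;
the search offsets below are quoted from memory and so are an assumption
that the primality check exercises):

    p = 2^n - 2^(n-64) - 1 + 2^64 * ( floor(2^(n-130) * pi) + c )

A modulus that matches this rule is explainable from pi and a small search
offset c. A modulus that does not match tells you nothing either way, which
is the complaint about the RFC 5114 moduli in the thread above.
"""
import random


def pi_fixed(bits: int) -> int:
    """Return floor(pi * 2^bits) using Machin's formula in integer arithmetic."""
    guard = 64                        # spare bits absorb series truncation error
    scale = 1 << (bits + guard)

    def arctan_inv(x: int) -> int:    # arctan(1/x) * scale via the Taylor series
        total, term, n, sign = 0, scale // x, 1, 1
        while term:
            total += sign * (term // n)
            term //= x * x
            n += 2
            sign = -sign
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard


def modp_prime(n_bits: int, increment: int) -> int:
    """Rebuild an n_bits MODP modulus from the pi-based formula."""
    return ((1 << n_bits) - (1 << (n_bits - 64)) - 1
            + (1 << 64) * (pi_fixed(n_bits - 130) + increment))


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases: a sanity check, not a proof."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


# Search offsets c for the published groups, as I remember them (assumption).
KNOWN_INCREMENTS = {1024: 129093, 1536: 741804, 2048: 124476}
MAX_PLAUSIBLE_INCREMENT = 1 << 24     # a genuine search offset is small (assumption)


def derivation_increment(p: int):
    """Return the offset c if p follows the pi-based formula, else None.

    Any small c is accepted, not only the published ones: the question is
    whether the modulus is explainable at all, not whether it is on a list.
    """
    n = p.bit_length()
    ones64 = (1 << 64) - 1
    # The formula forces the top and bottom 64 bits of p to all ones.
    if n < 256 or n % 64 or (p >> (n - 64)) != ones64 or (p & ones64) != ones64:
        return None
    middle = (p - (1 << n) + (1 << (n - 64)) + 1) >> 64
    c = middle - pi_fixed(n - 130)
    return c if 0 <= c < MAX_PLAUSIBLE_INCREMENT else None


if __name__ == "__main__":
    for bits, c in KNOWN_INCREMENTS.items():
        p = modp_prime(bits, c)
        print(f"{bits}-bit: prime={is_probable_prime(p)} "
              f"increment={derivation_increment(p)}")
    # A constructed look-alike: same bit pattern at both ends, one middle bit
    # flipped. It may or may not be prime, but it is not explainable from pi.
    lookalike = modp_prime(1024, KNOWN_INCREMENTS[1024]) ^ (1 << 512)
    print("look-alike increment:", derivation_increment(lookalike))
```

Feeding the RFC 5114 MODP moduli to derivation_increment returns None, which is the observable difference between "generated in a verifiable manner" and "not" that the thread is about.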


From nobody Sat Oct  8 07:40:35 2016
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "saag@ietf.org" <saag@ietf.org>
Date: Sat, 8 Oct 2016 14:40:28 +0000
Subject: Re: [saag] Possible backdoor in RFC 5114
Message-ID: <CY4PR09MB146483906EC10E70A59AD7FDF3D90@CY4PR09MB1464.namprd09.prod.outlook.com>
In-Reply-To: <CACsn0c=o9NoYLGhQx__C4izGRPSzo6aRBJk-2d5R9FxKcf--qg@mail.gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <CY4PR09MB14647B46781F1AB1E6B00043F3D90@CY4PR09MB1464.namprd09.prod.outlook.com>, <CACsn0c=o9NoYLGhQx__C4izGRPSzo6aRBJk-2d5R9FxKcf--qg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0p4Tacw-WJEtiR7dPaZkeCl1OHM>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Assuming the curves generator was a bad guy and he/she could do 2^80 computations (not simple computations: running the specified routine to find prime numbers, which means he/she got to do more than 2^80 times of the routine by a factor) at that time in 1997, the class of weak curves must have been about 2^169 in 1997, only known to the NSA and never discovered by the public from 1997 until now.


Also, some of the curves are used for top secret security level information. If it was the case that the NSA knew the curves were weak curves, would they take that risky action by assuming that the rest of the world would not find that out for at least 20 years later?


Quynh.

________________________________
From: Watson Ladd <watsonbladd@gmail.com>
Sent: Saturday, October 8, 2016 9:37:24 AM
To: Dang, Quynh (Fed)
Cc: saag@ietf.org
Subject: Re: [saag] Possible backdoor in RFC 5114


On Oct 8, 2016 5:30 AM, "Dang, Quynh (Fed)" <quynh.dang@nist.gov<mailto:quynh.dang@nist.gov>> wrote:
>
> Watson and all,
>
> This paper would be a good (re)read: http://www.math.uwaterloo.ca/~ajmeneze/publications/pqc.pdf.

From which you would have us conclude what?

The backdoor of Gordon in Diffie-Hellman is well-known.  There is no way to know if these primes are backdoored.

>
> Quynh.
>
> ________________________________________
> From: saag <saag-bounces@ietf.org<mailto:saag-bounces@ietf.org>> on behalf of Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>>
> Sent: Thursday, October 6, 2016 11:56 AM
> To: saag@ietf.org<mailto:saag@ietf.org>
> Subject: [saag] Possible backdoor in RFC 5114
>
> https://tools.ietf.org/html/rfc5114
>
> Let's review some publicly known facts:
>
> 1) BBN is a defense contractor
>
> 2) The NSA subverts crypto standards
>
> 3) It is possible to design primes so the discrete log problem is easy
>
> 4) The primes in RFC 5114 are not generated in verifiable manner: it
> is possible they
> are hidden SNFS primes.
>
> At minimum we should obsolete RFC 5114 in favor of primes generated in
> a verifiable manner. The fact that there already were primes for IKE
> use makes me wonder why this was even needed in the first place.
>
> Sincerely,
> Watson
>
> _______________________________________________
> saag mailing list
> saag@ietf.org<mailto:saag@ietf.org>
> https://www.ietf.org/mailman/listinfo/saag



From nobody Sat Oct  8 09:05:12 2016
From: Watson Ladd <watsonbladd@gmail.com>
To: "Dang, Quynh" <quynh.dang@nist.gov>
Cc: saag@ietf.org
Date: Sat, 8 Oct 2016 08:59:25 -0700
Subject: Re: [saag] Possible backdoor in RFC 5114
Message-ID: <CACsn0c=EBRytv9WHbUhmJCmhkYZNqsnRP49aqAVHLOpAa7N8Hg@mail.gmail.com>
In-Reply-To: <CY4PR09MB146483906EC10E70A59AD7FDF3D90@CY4PR09MB1464.namprd09.prod.outlook.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <CY4PR09MB14647B46781F1AB1E6B00043F3D90@CY4PR09MB1464.namprd09.prod.outlook.com> <CACsn0c=o9NoYLGhQx__C4izGRPSzo6aRBJk-2d5R9FxKcf--qg@mail.gmail.com> <CY4PR09MB146483906EC10E70A59AD7FDF3D90@CY4PR09MB1464.namprd09.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/58WshRSj-23Wn3zmU5YsQDGp-EA>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

On Oct 8, 2016 7:40 AM, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
>
> Assuming the curves generator was a bad guy and he/she could do 2^80
> computations (not simple computations: running the specified routine to
> find primes numbers which means he/she got to do more than 2^80 times of
> the routine by a factor) at that time in 1997, the class of weak curves
> must have been about 2^169 in 1997, only known to the NSA and have never
> been discovered by the public from 1997 until now.
>
>
> Also, some of the curves are used for top secret security level
> information. If it was the case that the NSA knew the curves were weak
> curves, would they take that risky action by assuming that the rest of the
> world would not find that out for at least 20 years later.

Am I discussing ECC? No.

>
>
> Quynh.
>
> ________________________________
> From: Watson Ladd <watsonbladd@gmail.com>
> Sent: Saturday, October 8, 2016 9:37:24 AM
> To: Dang, Quynh (Fed)
> Cc: saag@ietf.org
> Subject: Re: [saag] Possible backdoor in RFC 5114
>
>
> On Oct 8, 2016 5:30 AM, "Dang, Quynh (Fed)" <quynh.dang@nist.gov> wrote:
> >
> > Watson and all,
> >
> > This paper would be a good (re)read:
> > http://www.math.uwaterloo.ca/~ajmeneze/publications/pqc.pdf.
>
> From which you would have us conclude what?
>
> The backdoor of Gordon in Diffie-Hellman is well-known.  There is no way
> to know if these primes are backdoored.
>
> >
> > Quynh.
> >
> > ________________________________________
> > From: saag <saag-bounces@ietf.org> on behalf of Watson Ladd <
> > watsonbladd@gmail.com>
> > Sent: Thursday, October 6, 2016 11:56 AM
> > To: saag@ietf.org
> > Subject: [saag] Possible backdoor in RFC 5114
> >
> > https://tools.ietf.org/html/rfc5114
> >
> > Let's review some publicly known facts:
> >
> > 1) BBN is a defense contractor
> >
> > 2) The NSA subverts crypto standards
> >
> > 3) It is possible to design primes so the discrete log problem is easy
> >
> > 4) The primes in RFC 5114 are not generated in verifiable manner: it
> > is possible they
> > are hidden SNFS primes.
> >
> > At minimum we should obsolete RFC 5114 in favor of primes generated in
> > a verifiable manner. The fact that there already were primes for IKE
> > use makes me wonder why this was even needed in the first place.
> >
> > Sincerely,
> > Watson
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag


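Watson's point 4 above is that the RFC 5114 primes cannot be recomputed from a public recipe, unlike the IKE MODP groups he mentions, whose primes (RFC 3526) are built from the binary expansion of pi plus a small published offset. The Python below is an added example, not code from this thread, from RFC 3526 or from RFC 5114: it rebuilds the 2048-bit MODP prime from that recipe and then checks that it is a safe prime, which is the review a reader can carry out on a verifiably generated group and cannot carry out on a bare hex constant. The offset 124476 is the value RFC 3526 publishes for its 2048-bit group; the pi computation, the Miller-Rabin test and the `verify_modp_group` check are this example's own and need only the Python standard library.

```python
"""Recompute an RFC 3526 MODP prime from its nothing-up-my-sleeve recipe and
check that it is a safe prime.  Added example for this thread, not code from
the thread, RFC 3526 or RFC 5114.

RFC 3526 states each prime as
    p = 2^n - 2^(n-64) - 1 + 2^64 * ( floor(2^(n-130) * pi) + X )
with a small published offset X, so anyone can recompute p instead of trusting
a hex constant.  The X below is the RFC 3526 value for the 2048-bit group
(group 14); everything else here is this example's own implementation.
"""
import secrets

# RFC 3526 offset X for the 2048-bit MODP group (group 14).
RFC3526_OFFSETS = {2048: 124476}


def _arctan_inv(x: int, scale: int) -> int:
    """arctan(1/x) as a fixed-point integer scaled by `scale`, from the series
    1/x - 1/(3x^3) + 1/(5x^5) - ... evaluated in integer arithmetic."""
    power = scale // x          # scale * (1/x)^(2k+1), starting at k = 0
    total, k, x2 = 0, 0, x * x
    while power:
        term = power // (2 * k + 1)
        total += -term if k % 2 else term
        power //= x2
        k += 1
    return total


def pi_floor(bits: int) -> int:
    """floor(pi * 2**bits) via Machin's formula pi = 16 atan(1/5) - 4 atan(1/239).
    64 guard bits keep the series' truncation error out of the returned bits."""
    guard = 64
    scale = 1 << (bits + guard)
    pi_scaled = 16 * _arctan_inv(5, scale) - 4 * _arctan_inv(239, scale)
    return pi_scaled >> guard


def rfc3526_prime(bits: int) -> int:
    """The MODP prime of the given size, rebuilt from the RFC 3526 recipe."""
    x = RFC3526_OFFSETS[bits]
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (pi_floor(bits - 130) + x)


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # base in [2, n-2]
        y = pow(a, d, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = pow(y, 2, n)
            if y == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p and (p-1)/2 both prime, so DH runs in a prime-order subgroup of size
    (p-1)/2; a smooth p-1 is the usual mark of a careless or trapdoored group."""
    return p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def verify_modp_group(bits: int, claimed_hex: str) -> bool:
    """Accept a published group prime only if it equals the value recomputed
    from the public recipe AND is a safe prime of the stated size."""
    p = rfc3526_prime(bits)
    return int(claimed_hex, 16) == p and p.bit_length() == bits and is_safe_prime(p)


if __name__ == "__main__":
    p = rfc3526_prime(2048)
    h = format(p, "X")
    print(f"bits={p.bit_length()} safe_prime={is_safe_prime(p)}")
    print(f"p = {h[:48]}...{h[-16:]}")   # leading digits after the F's are those of pi
```

The first conjunct in `verify_modp_group` is the one that answers the thread's concern: a prime that equals the recomputed value left its designer no freedom beyond the small offset X, so there was no room to pick a prime of a hidden special form. The safe-prime check is the secondary sanity test; on its own it would not distinguish a well-formed group from one chosen for a trapdoor, which is exactly why a reproducible derivation matters.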

From nobody Sat Oct  8 19:22:28 2016
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Date: Sun, 9 Oct 2016 02:22:19 +0000
Subject: Re: [saag] software update for teeny-weeny devices (was: Fwd: [Iotsu] Initial version of the IoTSU workshop report submitted)
Message-ID: <1475979732739.80385@cs.auckland.ac.nz>
In-Reply-To: <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com>, <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/W5hYzc5QdRP-405_WLRnIxHv-lE>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

Just had a quick skim through this (I've printed it out for later reading when
I've got more time), but wanted to post my immediate response to one of the
points I saw:

>There was a bit of discussion about the importance for IoT devices to know
>the current time for the purpose of checking certificate validity.

"And now you have two problems...".

It'd also be good to have a problem statement of some kind rather than just a
shopping list of stuff, or some indication of where the authors are coming
from when they create their list.  I've never seen an IoT device that can
handle differential updates, has dynamic linking (or dynamic anything, there's
usually just a single system image), and a whole pile of other stuff discussed
here.  Is this just gedanken-experimenting or are there real devices being
considered?  It looks like a lot of the issues being raised simply don't apply
to most IoT devices...

Peter.


From nobody Sun Oct  9 10:59:34 2016
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "saag@ietf.org" <saag@ietf.org>
Date: Sun, 9 Oct 2016 18:59:24 +0100
Subject: Re: [saag] software update for teeny-weeny devices
Message-ID: <b113c5e7-72e7-16e8-9a54-3053ebaa1c93@cs.tcd.ie>
In-Reply-To: <1475979732739.80385@cs.auckland.ac.nz>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IM9axI9F3nfBgIAV3CDCFKwuhKw>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Hi Peter,

On 09/10/16 03:22, Peter Gutmann wrote:
> Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
>
> Just had a quick skim through this (I've printed it out for later reading when
> I've got more time), but wanted to post my immediate response to one of the
> points I saw:
>
>> There was a bit of discussion about the importance for IoT devices to know
>> the current time for the purpose of checking certificate validity.
>
> "And now you have two problems...".
>
> It'd also be good to have a problem statement of some kind rather than just a
> shopping list of stuff, or some indication of where the authors are coming
> from when they create their list.

The authors of the draft are just trying to reflect what
happened at the workshop (as it says in the draft).

> I've never seen an IoT device that can
> handle differential updates, has dynamic linking (or dynamic anything, there's
> usually just a single system image), and a whole pile of other stuff discussed
> here.  Is this just gedanken-experimenting or are there real devices being
> considered?  It looks like a lot of the issues being raised simply don't apply
> to most IoT devices...

A lot of course depends on what devices one associates with
the marketing-term IoT. One of the companies who attended
the workshop (electric imp) does updates that were more
complex than I had thought were done, but iirc the complex
update schemes only or mostly applied to bigger devices.
I forget if they claimed differential updates or not. I
do recall that a colleague of mine who does s/w engineering
research was interested in research in that space.

If the text of the draft gives the wrong impression about
any of that, I'd appreciate pointers to help us fix it.

And of course, I'd be even more interested if there are
bits of work that could help improve the likelihood that
small devices get updated. And, on this list, most especially
if there's stuff it'd be worth doing in the IETF. (Personally
I think there are things the IETF could do to help, but I'm
not sure if the bits of work the IETF could do would really
see deployment and there's no point doing paperwork for
fun.)

S.


>
> Peter.
>


--------------ms040308020009030609030104
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms040308020009030609030104--


From BATV+c9e2288bcd0534aaf191+4795+infradead.org+dwmw2@bombadil.srs.infradead.org  Sun Oct  9 12:02:27 2016
Return-Path: <BATV+c9e2288bcd0534aaf191+4795+infradead.org+dwmw2@bombadil.srs.infradead.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 399FF12956A for <saag@ietfa.amsl.com>; Sun,  9 Oct 2016 12:02:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.196
X-Spam-Level: 
X-Spam-Status: No, score=-7.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dS2NGlRKylT5 for <saag@ietfa.amsl.com>; Sun,  9 Oct 2016 12:02:24 -0700 (PDT)
Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2001:1868:205::9]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8902512954F for <saag@ietf.org>; Sun,  9 Oct 2016 12:02:24 -0700 (PDT)
Received: from [2001:8b0:10b:1:841b:5eff:0:f69] (helo=shinybook.infradead.org) by bombadil.infradead.org with esmtpsa (Exim 4.85_2 #1 (Red Hat Linux)) id 1btJMZ-0002f9-4i; Sun, 09 Oct 2016 19:02:19 +0000
Message-ID: <1476039736.28198.140.camel@infradead.org>
From: David Woodhouse <dwmw2@infradead.org>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Date: Sun, 09 Oct 2016 20:02:16 +0100
In-Reply-To: <1475979732739.80385@cs.auckland.ac.nz>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> , <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz>
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-bGeBU3wSTgmA86He2BAu"
X-Mailer: Evolution 3.18.5.2 (3.18.5.2-1.fc23) 
Mime-Version: 1.0
X-SRS-Rewrite: SMTP reverse-path rewritten from <dwmw2@infradead.org> by bombadil.infradead.org. See http://www.infradead.org/rpr.html
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/P5sjYtqiuZGikydAZNOxuEJkjsY>
Subject: Re: [saag] software update for teeny-weeny devices (was: Fwd: [Iotsu] Initial version of the IoTSU workshop report submitted)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Oct 2016 19:05:28 -0000

--=-bGeBU3wSTgmA86He2BAu
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sun, 2016-10-09 at 02:22 +0000, Peter Gutmann wrote:
>
> >There was a bit of discussion about the importance for IoT devices to know
> >the current time for the purpose of checking certificate validity.
>
> "And now you have two problems...".

Right. I believe UEFI firmware deliberately *avoids* the time checking,
because it is known that even when battery-backed RTC hardware *does*
exist, as it does in a PC, you can't rely on it being set to the
correct time.

I understand that a lot of IoT devices are specifically designed to be
unreliable — requiring Internet connectivity instead of being operable
purely over a local network. But requiring the correct time would just
be a step too far, surely?

-- 
dwmw2



--=-bGeBU3wSTgmA86He2BAu
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64
--=-bGeBU3wSTgmA86He2BAu--


From nobody Sun Oct  9 14:26:19 2016
Return-Path: <paul@nohats.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7B3E127735; Sun,  9 Oct 2016 14:26:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.996
X-Spam-Level: 
X-Spam-Status: No, score=-4.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8iosN7fncc_B; Sun,  9 Oct 2016 14:26:11 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1FC2120726; Sun,  9 Oct 2016 14:26:10 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3ssbsW2wbVz37R; Sun,  9 Oct 2016 23:26:07 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1476048367; bh=KCWs2n+3PH62jgm+SZTNK28s2vkQamtEBeKJNebH1FM=; h=Date:From:To:cc:Subject; b=qngpQN8eT+MBlxdTbcmWGkTU651cr50NwVYn+clIBnX5zJsuDht96+ckbHLu4FEmZ qNIk6poa/TsJ5jo5JJOotCChCoTA9cz++pk0WN8vrIP/oUnFEIkBr2+l64w3F/KAh2 dU5Y1u9TkdDMlMwp672OLpponCLe0bs3Tb11ybbw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id KaP8RvndbxbF; Sun,  9 Oct 2016 23:26:05 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sun,  9 Oct 2016 23:26:05 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 82F505C837; Sun,  9 Oct 2016 17:26:02 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 82F505C837
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 6CC0E406A900; Sun,  9 Oct 2016 17:26:02 -0400 (EDT)
Date: Sun, 9 Oct 2016 17:26:02 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Message-ID: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=ISO-8859-15
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/l-LXRcfRuellCDoJNIGK9WhasQk>
Cc: saag@ietf.org
Subject: [saag] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Oct 2016 21:26:13 -0000

Released a few days ago:

 	http://eprint.iacr.org/2016/961

 	A kilobit hidden SNFS discrete logarithm computation
 	Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé

 	We perform a special number field sieve discrete logarithm
 	computation in a 1024-bit prime field. To our knowledge, this
 	is the first kilobit-sized discrete logarithm computation ever
 	reported for prime fields. This computation took a little over
 	two months of calendar time on an academic cluster using the
 	open-source CADO-NFS software.

Basically, this paper shows how to make a DH group of 1024 modp
with a backdoor, in two months of academic computing resources.

The paper mentions 5114 a few times:

 	RFC 5114 [33] specifies a number of groups for use with
 	Diffie-Hellman, and states that the parameters were drawn
 	from NIST test data, but neither the NIST test data [39] nor
 	RFC 5114 itself contain the seeds used to generate the finite
 	field parameters

And concludes:

 	Both from this perspective, and from our more modern one, dismissing the
 	risk of trapdoored primes in real usage appears to have been a mistake,
 	as the apparent difficulties encountered by the trapdoor designer in 1992
 	turn out to be easily circumvented. A more conservative design decision
 	for FIPS 186 would have required mandatory seed publication instead of
 	making it optional.  As a result, there are opaque, standardized 1024-bit
 	and 2048-bit primes in wide use today that cannot be properly verified.

This is the strongest statement yet that I've seen to not trust any
of the RFC-5114 groups.

The latest 4307bis document has these groups (22-24) as SHOULD NOT,
stating:

 	Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
 	2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
 	have small subgroups, which means that checks specified in the
 	"Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
 	2.2 first bullet point MUST be done when these groups are used.
 	These groups are also not safe-primes.  The seeds for these groups
 	have not been publicly released, resulting in reduced trust in
 	these groups.  These groups were proposed as alternatives for
 	group 2 and 14 but never saw wide deployment.  It is expected
 	in the near future to be further downgraded to MUST NOT.

I'm proposing it is time to change this to MUST NOT for 4307bis.

Possibly, we should do this via SAAG in general, and then follow SAAG's
advice in IPSECME.

Is there _any_ reason why group 22-24 should not be MUST NOT?

Paul
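The check the quoted 4307bis text points at (RFC 6989 section 2.2, first bullet: for a MODP group with a prime-order subgroup, a peer's public value must be validated before it is used), as an added example that is not code from this thread or from any RFC. It runs over a constructed toy group (P, Q, G below, not the RFC 5114 parameters, which are deliberately not reproduced) so the logic can be executed offline; the function names are this example's own.

```python
"""Public-value validation for a MODP group that has a prime-order subgroup,
in the spirit of the RFC 6989 section 2.2 check required for RFC 5114
groups 22-24. Added example; toy parameters only, not real DH parameters."""
import secrets

# Constructed toy group (NOT real DH parameters, NOT the RFC 5114 moduli):
# P is prime, Q is prime and Q divides P-1 = 2 * 3 * 23, so besides the
# order-Q subgroup the group also contains elements of order 2, 3 and 6.
P = 139
Q = 23
G = 64  # 2^((P-1)/Q) mod P, an element of order exactly Q


def validate_public_value(y: int, p: int, q: int) -> bool:
    """Check a received DH public value the way the quoted 4307bis text
    requires for groups with a prime-order subgroup: it must lie strictly
    between 1 and p-1 and satisfy y^q mod p == 1, i.e. it must be in the
    order-q subgroup generated by g. Anything else is rejected."""
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def subgroup_order(y: int, p: int) -> int:
    """Multiplicative order of y modulo p (brute force, toy modulus only)."""
    order, acc = 1, y % p
    while acc != 1:
        acc = (acc * y) % p
        order += 1
    return order


def distinct_shared_secrets(y: int, p: int) -> int:
    """Number of distinct values y^x mod p can take over all private
    exponents x. For a well-formed value this is the subgroup order; for a
    small-order value it collapses to that small order, which is the
    failure mode the validation above prevents."""
    return len({pow(y, x, p) for x in range(1, p)})


def key_exchange_with_validation(peer_public: int):
    """One side of a DH exchange that refuses to derive a secret from an
    unvalidated peer value. Returns (accepted, shared_secret_or_None)."""
    if not validate_public_value(peer_public, P, Q):
        return False, None
    x = secrets.randbelow(Q - 1) + 1  # private exponent in [1, Q-1]
    return True, pow(peer_public, x, P)


if __name__ == "__main__":
    honest = pow(G, 5, P)  # a legitimate peer value, inside the subgroup
    print("honest value accepted:", key_exchange_with_validation(honest)[0])
    # 96 and 97 are elements of order 3 and 6 in this toy group.
    for y in (0, 1, P - 1, 96, 97, honest):
        order = subgroup_order(y, P) if 0 < y < P else "-"
        print(f"y={y:3d} order={order} accepted={validate_public_value(y, P, Q)}")
```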


From nobody Mon Oct 10 01:41:31 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E223B1294AF for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 01:41:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.597
X-Spam-Level: 
X-Spam-Status: No, score=-5.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n_imliJy_Rvi for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 01:41:29 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8980E1295F0 for <saag@ietf.org>; Mon, 10 Oct 2016 01:41:28 -0700 (PDT)
Received: from [192.168.91.134] ([80.92.121.244]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0LsTjw-1arplU3qg4-011yLM; Mon, 10 Oct 2016 10:41:17 +0200
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <41faac53-e452-9e1c-7f94-06873fd7f44b@gmx.net>
Date: Mon, 10 Oct 2016 10:41:14 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1475979732739.80385@cs.auckland.ac.nz>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="hwGoKmt5NKW2WaqXLK6toIRJQD3g73dFB"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/c-q1UID-cBxH_mZIbGT4ABWNdSA>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 08:41:31 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--hwGoKmt5NKW2WaqXLK6toIRJQD3g73dFB
Content-Type: multipart/mixed; boundary="prCt6AfDxUOI3wB80KP3GGMS6AwLPuiCT";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>,
 Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Message-ID: <41faac53-e452-9e1c-7f94-06873fd7f44b@gmx.net>
Subject: Re: [saag] software update for teeny-weeny devices
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com>
 <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie>
 <1475979732739.80385@cs.auckland.ac.nz>
In-Reply-To: <1475979732739.80385@cs.auckland.ac.nz>

--prCt6AfDxUOI3wB80KP3GGMS6AwLPuiCT
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi Peter,

On 10/09/2016 04:22 AM, Peter Gutmann wrote:
> Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
>
> Just had a quick skim through this (I've printed it out for later reading when
> I've got more time), but wanted to post my immediate response to one of the
> points I saw:
>
>> There was a bit of discussion about the importance for IoT devices to know
>> the current time for the purpose of checking certificate validity.
>
> "And now you have two problems...".
>
> It'd also be good to have a problem statement of some kind rather than just a
> shopping list of stuff, or some indication of where the authors are coming
> from when they create their list.  I've never seen an IoT device that can
> handle differential updates, has dynamic linking (or dynamic anything, there's
> usually just a single system image), and a whole pile of other stuff discussed
> here.  Is this just gedanken-experimenting or are there real devices being
> considered?  It looks like a lot of the issues being raised simply don't apply
> to most IoT devices...

We tried to derive a list of features everyone agreed to but that wasn't
as easy as you might think.

I have been talking to companies who had implemented and deployed
differential updates for IoT devices. I agree that dynamic linking is
less common in IoT devices but there are OSs that support this type of
functionality. Many systems are indeed only shipping entire firmware
images and reboot the device afterwards. This is easier to implement and
works in most cases just fine. Of course, with many IoT devices
companies are re-writing everything from scratch and while they may have
great plans at the start of the project they may find out (after some
time) that implementing all these features (particularly the
security stuff) takes some time.

Ciao
Hannes





>
> Peter.
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>


--prCt6AfDxUOI3wB80KP3GGMS6AwLPuiCT--

--hwGoKmt5NKW2WaqXLK6toIRJQD3g73dFB
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--hwGoKmt5NKW2WaqXLK6toIRJQD3g73dFB--


From nobody Mon Oct 10 01:44:55 2016
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E5DD129624 for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 01:44:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.597
X-Spam-Level: 
X-Spam-Status: No, score=-5.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dRfXudFz5or9 for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 01:44:51 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42A781295F9 for <saag@ietf.org>; Mon, 10 Oct 2016 01:44:51 -0700 (PDT)
Received: from [192.168.91.134] ([80.92.121.244]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0LpPg1-1bGrWg12RB-00f991; Mon, 10 Oct 2016 10:44:43 +0200
To: David Woodhouse <dwmw2@infradead.org>, Peter Gutmann <pgut001@cs.auckland.ac.nz>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz> <1476039736.28198.140.camel@infradead.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <fdcc3a6e-75ab-30ad-7b5f-e1f091b0c47d@gmx.net>
Date: Mon, 10 Oct 2016 10:44:40 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1476039736.28198.140.camel@infradead.org>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="OPxn3jC0hPiaUm7fmX98O5f4slwkdDQnh"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/k9zXlzyt1qkLsSmDy951aSMn_Ys>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 08:44:53 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--OPxn3jC0hPiaUm7fmX98O5f4slwkdDQnh
Content-Type: multipart/mixed; boundary="QKk0Ikg0UiWpDhWOj8tERdL1BDSltmulQ";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: David Woodhouse <dwmw2@infradead.org>,
 Peter Gutmann <pgut001@cs.auckland.ac.nz>,
 Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Message-ID: <fdcc3a6e-75ab-30ad-7b5f-e1f091b0c47d@gmx.net>
Subject: Re: [saag] software update for teeny-weeny devices
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com>
 <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie>
 <1475979732739.80385@cs.auckland.ac.nz>
 <1476039736.28198.140.camel@infradead.org>
In-Reply-To: <1476039736.28198.140.camel@infradead.org>

--QKk0Ikg0UiWpDhWOj8tERdL1BDSltmulQ
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable

Hi David,

On 10/09/2016 09:02 PM, David Woodhouse wrote:
> I understand that a lot of IoT devices are specifically designed to be
> unreliable — requiring Internet connectivity instead of being operable
> purely over a local network. But requiring the correct time would just
> be a step too far, surely?

Of course there is a certain cost associated with adding a real-time
clock and to also configure it with the correct time. Our story for
providing time securely to these devices isn't that great either since
NTP again assumes that you have been configured with the correct time.

I believe that while companies make use of certificates for reasons of
familiarity with the tools and the technology they are actually just
using the SubjectPublicKeyInfo part of it.

Ciao
Hannes



--QKk0Ikg0UiWpDhWOj8tERdL1BDSltmulQ--

--OPxn3jC0hPiaUm7fmX98O5f4slwkdDQnh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"


--OPxn3jC0hPiaUm7fmX98O5f4slwkdDQnh--


From nobody Mon Oct 10 04:57:40 2016
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A91412961A for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 04:57:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8XojoMdjyZG for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 04:57:36 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03A401294DF for <saag@ietf.org>; Mon, 10 Oct 2016 04:57:35 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9ABvKYU017101 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 10 Oct 2016 14:57:20 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9ABvKB4015009; Mon, 10 Oct 2016 14:57:20 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <22523.33312.32834.216296@fireball.acr.fi>
Date: Mon, 10 Oct 2016 14:57:20 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 5 min
X-Total-Time: 16 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/slAM8hDPehElJ8RUBdWmE42Sfl8>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 11:57:39 -0000

Yoav Nir writes:
> > In IPsec, ECP groups are widely used, those MODP groups with subgroup
> > are not. On the other hand I think only those 192, 256 and 521 bit
> > groups are really used, and those are defined also in RFC5903 (which
> > obsoleted original 4753 which had serious bug in it).
>
>
> First, I think you meant 256, 384 and 521 bit, not the 192.

Yes, of course.

> So for the three useful groups in 5114 you didn’t need it (as 4753)
> already existed, and you don’t need it now, as 5903 exists. I don’t
> see anything standing in the way of moving to historic or obsoleting
> it.

This is true for IPsec. I am not sure if it is true for TLS, SSH and
S/MIME.

RFC4753 and 5903 only cover the IKE and IKEv2 cases; RFC5114 also
covers other protocols, and I do not know if they use 5114 or
not, and if the NIST ECP group references in there are to 5114 or to
something else.

For IPsec I think we are good, because we have a separate document
specifying the mandatory to implement algorithms, and that same
document also specifies MUST NOTs and SHOULD NOTs.
-- 
kivinen@iki.fi


From nobody Mon Oct 10 05:22:12 2016
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C0C2129632 for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 05:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V9IlITpl4H3m for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 05:22:02 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2466B129631 for <saag@ietf.org>; Mon, 10 Oct 2016 05:22:01 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9ACLrAE020860 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 10 Oct 2016 15:21:53 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9ACLrg3010917; Mon, 10 Oct 2016 15:21:53 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <22523.34784.950203.387050@fireball.acr.fi>
Date: Mon, 10 Oct 2016 15:21:52 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Watson Ladd <watsonbladd@gmail.com>
In-Reply-To: <CACsn0cnag=PYkETG9gNUim6cd9k1NK8UAhJa7BU7Vtb3H54YjA@mail.gmail.com>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <75a7525e2d954da192e056ff32c632ca@XCH-ALN-010.cisco.com> <CACsn0cnag=PYkETG9gNUim6cd9k1NK8UAhJa7BU7Vtb3H54YjA@mail.gmail.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 21 min
X-Total-Time: 24 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/czHZnBfjGSwAtpETpev-qmORRbI>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 12:22:03 -0000

Watson Ladd writes:
> The IANA registry cites 5903, not 5114, for these groups, so
> historifying 5114 would have no effect. I'm not entirely sure what
> historifying does to registries in terms of marking DO NOT USE: maybe
> a separate draft is required.

Moving a document to historic does not change anything in the IANA
registries. To make changes to the IANA registries, you need a separate
document, IESG action, or a designated expert agreeing on the change,
depending on the registry. And the IANA registries do not give
recommendations on whether an algorithm is good to use or not, and
adding such a thing to IANA registries would be a bad idea.

The IANA IKEv2 registry still includes algorithms like 768-bit MODP
Group, and single DES. It does not mean that you are fine using those. 

IANA registries are not saying that you should or should not implement
certain algorithms; they provide mappings between numbers,
identifiers and specifications.

> I am not a process expert. Furthermore in at least some cases the
> IKE registries get used by people hunting for DH parameters. Do we
> need a draft here? What should that look like?

IKE registries are supposed to be used for protocols related to IKE.
If other people use them for other reasons, there is nothing we can do
for that.

> It's not SHOULD NOT. It's "using these groups even outside of IKE will
> result in pwnage". Do you agree we need a stronger warning about known
> bad cryptographic constructions? What do you think that should look
> like?

In IPsec we do publish warnings and recommendations in the separate
documents (rfc4307bis and rfc7321bis, work in progress). And
rfc4307bis do contain SHOULD NOT for those groups, and gives reason
for that.

If you think a wider warning is really needed, you can write a document
saying rfc5114-die-die-die, and get that published. That will still
not remove RFC5114; at best it could be moved to historic if other
people agree with you, but that still does not affect the fact that
people might still use that rfc5114 as a reference.

Regardless what we do we cannot protect people from making mistakes.
If they want to make weak crypto, there is nothing we can do. I am
pretty sure that even if they use RFC5114 groups, those groups are not
the weakest point in their protocol. 

Btw, can you point me to the reference which says that those groups are
really backdoored? What I have seen is people saying that as those
might be backdoored, they must have been backdoored, and I myself do not
find that a very convincing argument. On the other hand, as there is no
seed etc. published on how those groups were generated, they might be
backdoored, and I think that is a good reason for SHOULD NOT for IPsec.
-- 
kivinen@iki.fi


From nobody Mon Oct 10 06:18:05 2016
Return-Path: <quynh.dang@nist.gov>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCBEC129695; Mon, 10 Oct 2016 06:18:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H8_2Uu8QZIGO; Mon, 10 Oct 2016 06:18:01 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0121.outbound.protection.outlook.com [23.103.200.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0DE1129691; Mon, 10 Oct 2016 06:18:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=baB4jZYdUmXlF5QI+qELhIG8honQOMHPTpXF/p4G94U=; b=0RtdCqB0gVpPD3jh14TDibwkBoU+KgzMBLlmQKmchASq9f5i/zwD2Ktr1If3qykfiQ6IbeeHwbJP0awfoPFtBkV3QtpeeMNxbVNaTuMWlCnb48vlYBnb2p3ppEOSOzfLbFUK3+ZeBYgKYTAAyeb8VWr5YkdzEc8Nd6TMY9G9Gi4=
Received: from DM5PR09MB1467.namprd09.prod.outlook.com (10.173.171.21) by DM5PR09MB1467.namprd09.prod.outlook.com (10.173.171.21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.659.11; Mon, 10 Oct 2016 13:18:00 +0000
Received: from DM5PR09MB1467.namprd09.prod.outlook.com ([10.173.171.21]) by DM5PR09MB1467.namprd09.prod.outlook.com ([10.173.171.21]) with mapi id 15.01.0659.020; Mon, 10 Oct 2016 13:18:00 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: "paul@nohats.ca" <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Thread-Topic: [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSInPJr2kIoqyUikWZMRu8WhAVkaChpsd0
Date: Mon, 10 Oct 2016 13:18:00 +0000
Message-ID: <DM5PR09MB146726177114D0FD30F871C2F3DB0@DM5PR09MB1467.namprd09.prod.outlook.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [129.6.222.157]
x-ms-office365-filtering-correlation-id: d0e508ed-f092-4dff-1977-08d3f10fdbdc
x-microsoft-exchange-diagnostics: 1; DM5PR09MB1467; 7:fSMgSVHOD2TeoAHiPWDYR9T1R20Y+ObI3kHbSPpZSVdqaNbpnqdJ2gfPWAuWie/FZSo1Q1AOXMbT4Rx1TBbyI5U6RF/q9v18tD7IlnOrFekRNkg0boOxoVg7GSgy3c6VZBdsGiCO6KMp+UiJlU0m28KV2/4+VfdFewQRzPqoDntgSaumeSDqLo7qqQzesPX+ipXS4GXyuayJ1WRkF7C9eR3y5Wx1GjiTIIlJNiz7i3RV/N3WeLEOxAqZ1NAyvRnuwS8RDoqfJmL6yAC2zBWhay8lFwU8WuW1J6+4EEdMhuuK8ANR1RrsFIhgh+L32+bmqy1gKi8td6IBmVWMpdrk8V4B+Irl7U87t5VRh+U9xak=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM5PR09MB1467;
x-ld-processed: 2ab5d82f-d8fa-4797-a93e-054655c61dec,ExtAddr
x-microsoft-antispam-prvs: <DM5PR09MB146760058C7BA4F0695889CFF3DB0@DM5PR09MB1467.namprd09.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040176)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026); SRVR:DM5PR09MB1467; BCL:0; PCL:0; RULEID:; SRVR:DM5PR09MB1467; 
x-forefront-prvs: 0091C8F1EB
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(199003)(189002)(377454003)(33656002)(77096005)(2501003)(8676002)(9686002)(16236675004)(2900100001)(15975445007)(101416001)(50986999)(54356999)(99286002)(81166006)(81156014)(189998001)(4326007)(19627405001)(76176999)(106116001)(97736004)(19625215002)(105586002)(106356001)(5001770100001)(74316002)(3900700001)(8936002)(87936001)(7736002)(2906002)(7846002)(10400500002)(7906003)(3660700001)(16297215004)(5002640100001)(19580395003)(68736007)(19580405001)(2950100002)(6116002)(3280700002)(6606003)(586003)(5660300001)(345774005)(86362001)(3846002)(76576001)(92566002)(11100500001)(19617315012)(66066001)(7696004)(102836003)(122556002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR09MB1467; H:DM5PR09MB1467.namprd09.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR09MB146726177114D0FD30F871C2F3DB0DM5PR09MB1467namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Oct 2016 13:18:00.1217 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR09MB1467
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/92M9ZFScRpFw9ZvAp3Ydwuxd398>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 13:18:05 -0000

--_000_DM5PR09MB146726177114D0FD30F871C2F3DB0DM5PR09MB1467namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi Paul,


Thank you for sharing the paper.


A conclusion of the paper was "Our results are yet another reminder that 1024-bit primes should be considered insecure for the security of cryptosystems based on the hardness of discrete logarithms. The discrete logarithm computation for our backdoored prime was only feasible because of the 1024-bit size, and the most effective protection against any backdoor of this type has always been to use key sizes for which any computation is infeasible. NIST recommended transitioning away from 1024-bit key sizes for DSA, RSA, and Diffie-Hellman in 2010 [6]."


NIST has been urging users to move away from groups with 1024-bit p and 160-bit q for many years now.


In our document, we stated that group generators "should" provide their seeds. The reason for having "should" instead of "shall (must)" was that anyone could run our suggested method to generate their own group. A user who generates his/her own group for her/his own application could have a choice of publishing the seed or not. If a user had a contractor/third party to generate a group for him/her, he or she could ask for all documentation about the whole process.


Quynh.


________________________________
From: IPsec <ipsec-bounces@ietf.org> on behalf of Paul Wouters <paul@nohats.ca>
Sent: Sunday, October 9, 2016 5:26 PM
To: ipsec@ietf.org WG
Cc: saag@ietf.org
Subject: [IPsec] trapdoor'ed DH (and RFC-5114 again)


Released a few days ago:

         http://eprint.iacr.org/2016/961

         A kilobit hidden SNFS discrete logarithm computation
         Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé

         We perform a special number field sieve discrete logarithm
         computation in a 1024-bit prime field. To our knowledge, this
         is the first kilobit-sized discrete logarithm computation ever
         reported for prime fields. This computation took a little over
         two months of calendar time on an academic cluster using the
         open-source CADO-NFS software.

Basically, this paper shows how to make a DH group of 1024 modp
with a backdoor, in two months of academic computing resources.

The paper mentions 5114 a few times:

         RFC 5114 [33] specifies a number of groups for use with
         Diffie-Hellman, and states that the parameters were drawn
         from NIST test data, but neither the NIST test data [39] nor
         RFC 5114 itself contain the seeds used to generate the finite
         field parameters

And concludes:

         Both from this perspective, and from our more modern one, dismissing the
         risk of trapdoored primes in real usage appears to have been a mistake,
         as the apparent difficulties encountered by the trapdoor designer in 1992
         turn out to be easily circumvented. A more conservative design decision
         for FIPS 186 would have required mandatory seed publication instead of
         making it optional.  As a result, there are opaque, standardized 1024-bit
         and 2048-bit primes in wide use today that cannot be properly verified.

This is the strongest statement yet that I've seen to not trust any
of the RFC-5114 groups.

The latest 4307bis document has these groups (22-24) as SHOULD NOT,
stating:

         Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
         2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
         have small subgroups, which means that checks specified in the
         "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
         2.2 first bullet point MUST be done when these groups are used.
         These groups are also not safe-primes.  The seeds for these groups
         have not been publicly released, resulting in reduced trust in
         these groups.  These groups were proposed as alternatives for
         group 2 and 14 but never saw wide deployment.  It is expected
         in the near future to be further downgraded to MUST NOT.

I'm proposing it is time to change this to MUST NOT for 4307bis.

Possibly, we should do this via SAAG in general, and then follow SAAG's
advice in IPSECME.

Is there _any_ reason why group 22-24 should not be MUST NOT ?

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

--_000_DM5PR09MB146726177114D0FD30F871C2F3DB0DM5PR09MB1467namp_--

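The 4307bis text quoted in Paul's message above says that groups 22-24 have small subgroups and that the RFC 6989 section 2.2 check MUST be done, and notes that these groups are not safe primes. The following is example code added to this archive, not from any RFC, IPsec implementation or thread participant, showing what that check looks like: the range test 1 < y < p-1 plus the subgroup-order test y^q mod p == 1 for groups that publish a subgroup order q, with the range test alone for safe-prime groups where the only non-trivial small subgroup is {1, p-1}. The group (p = 29, q = 7) is a constructed toy group, chosen because p - 1 = 28 = 4 * 7 gives it subgroups of order 2 and 4 next to the order-7 subgroup a peer is supposed to use; real groups are far larger but the arithmetic is identical.

```python
"""
RFC 6989 section 2.2 style validation of a finite-field DH public value,
run on a constructed toy group. Added example, not code from any RFC or
IPsec implementation; all parameters below are constructed for illustration.
"""


def is_prime(n):
    """Trial division; sufficient for the toy sizes used in this example."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p):
    """p is a safe prime when (p-1)/2 is also prime. Then the only subgroup
    of small order is {1, p-1}, which the range check already rejects, so no
    subgroup-order check (and no q) is needed for such groups."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


def check_range(y, p):
    """Range part of the check: the peer value must satisfy 1 < y < p-1."""
    return 1 < y < p - 1


def check_subgroup(y, p, q):
    """Subgroup part of the check, for groups with a published subgroup
    order q (the RFC 5114 style groups): y^q mod p must equal 1, i.e. y
    must lie in the order-q subgroup rather than in a small cofactor subgroup."""
    return pow(y, q, p) == 1


def validate_peer_value(y, p, q=None):
    """Return (ok, reason). q is None for safe-prime groups, where the
    range check alone is enough; for non-safe-prime groups the caller
    must pass the published subgroup order."""
    if not check_range(y, p):
        return False, "public value out of range"
    if q is None and not is_safe_prime(p):
        return False, "non-safe-prime group requires a subgroup order q"
    if q is not None and not check_subgroup(y, p, q):
        return False, "public value not in order-q subgroup"
    return True, "ok"


def element_order(y, p):
    """Multiplicative order of y mod p, by brute force (toy sizes only).
    Used here to show which subgroup a rejected value actually lives in."""
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k


# Constructed toy group: p = 29 is prime but NOT a safe prime (28 = 4 * 7).
P, Q = 29, 7
# A generator of the order-7 subgroup: 2^((p-1)/q) mod p = 16.
G = pow(2, (P - 1) // Q, P)


def demo():
    """Honest peer value versus values that the check must reject."""
    honest = pow(G, 3, P)            # x = 3, y = 16^3 mod 29 = 7
    results = {
        "honest": validate_peer_value(honest, P, Q),
        "order4": validate_peer_value(12, P, Q),   # 12 has order 4 mod 29
        "y=1": validate_peer_value(1, P, Q),
        "y=p-1": validate_peer_value(P - 1, P, Q),
    }
    return honest, results


if __name__ == "__main__":
    honest, results = demo()
    print("generator", G, "honest value", honest)
    for name, (ok, reason) in results.items():
        print(f"{name:7s} ok={ok} ({reason})")
    print("order of 12 mod 29:", element_order(12, P))
    print("29 safe prime?", is_safe_prime(29), " 23 safe prime?", is_safe_prime(23))
```

The order-4 value 12 passes the range test, so a peer that only checks 1 < y < p-1 would accept it and derive a shared secret confined to a four-element subgroup; the y^q test is what catches it. For a safe prime such as 23 the function accepts q=None because the range test already excludes both elements of the only small subgroup.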

From nobody Mon Oct 10 08:14:55 2016
Return-Path: <mdb@juniper.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A1D7129462 for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 08:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.922
X-Spam-Level: 
X-Spam-Status: No, score=-1.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WWOnQDuFvdvM for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 08:14:51 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0116.outbound.protection.outlook.com [104.47.37.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF3E7129708 for <saag@ietf.org>; Mon, 10 Oct 2016 08:14:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=d1Ymf+J3pNJ63XX0+8m75eXwYfnl1Bv0HUL0hiwK/Gc=; b=Na0rezNHzmJaLIfarFX9KsqvrH2UU7Hsx9WHIvBkAm2qysaduK7jYE02gQJY6bLDC++uEVw/nuGOQ0o2VCpqiKsI0/PCaUu6hTtZ0QWmpBJ3H731bKPqt08pQI6oCBcLHlrnrkcfUsxtUcHBwUS/m8mBD/qe12XhbBdeJYqRaI8=
Received: from BY1PR0501CA0006.namprd05.prod.outlook.com (10.162.139.16) by SN2PR05MB2733.namprd05.prod.outlook.com (10.167.19.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.5; Mon, 10 Oct 2016 15:14:49 +0000
Received: from BL2FFO11OLC013.protection.gbl (2a01:111:f400:7c09::171) by BY1PR0501CA0006.outlook.office365.com (2a01:111:e400:4821::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.5 via Frontend Transport; Mon, 10 Oct 2016 15:14:49 +0000
Authentication-Results: spf=softfail (sender IP is 66.129.239.18) smtp.mailfrom=juniper.net; gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=juniper.net;
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning juniper.net discourages use of 66.129.239.18 as permitted sender)
Received: from p-emfe01a-sac.jnpr.net (66.129.239.18) by BL2FFO11OLC013.mail.protection.outlook.com (10.173.160.161) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.629.5 via Frontend Transport; Mon, 10 Oct 2016 15:14:48 +0000
Received: from p-mailhub01.juniper.net (10.160.2.17) by p-emfe01a-sac.jnpr.net (172.24.192.21) with Microsoft SMTP Server (TLS) id 14.3.123.3; Mon, 10 Oct 2016 08:14:47 -0700
Received: from eng-mail01.juniper.net (eng-mail01.juniper.net [172.17.28.114]) by p-mailhub01.juniper.net (8.14.4/8.11.3) with ESMTP id u9AFEkFo005192; Mon, 10 Oct 2016 08:14:46 -0700	(envelope-from mdb@juniper.net)
Received: from eng-mail01.juniper.net (localhost [127.0.0.1])	by eng-mail01.juniper.net (Postfix) with ESMTP id 04DCD1141B;	Mon, 10 Oct 2016 08:14:45 -0700 (PDT)
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <22523.33312.32834.216296@fireball.acr.fi> 
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com> <22523.33312.32834.216296@fireball.acr.fi>
Comments: In-reply-to: Tero Kivinen <kivinen@iki.fi> message dated "Mon, 10 Oct 2016 14:57:20 +0300."
From: "Mark D. Baushke" <mdb@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 10 Oct 2016 08:14:45 -0700
Message-ID: <57973.1476112485@eng-mail01.juniper.net>
Sender: <mdb@juniper.net>
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-HT: Tenant
X-Forefront-Antispam-Report: CIP:66.129.239.18; IPV:NLI; CTRY:US; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(7916002)(2980300002)(189002)(199003)(8676002)(81166006)(69596002)(68736007)(356003)(47776003)(626004)(8936002)(8746002)(305945005)(6916009)(15975445007)(2950100002)(189998001)(77096005)(97736004)(586003)(81156014)(11100500001)(87936001)(76176999)(105596002)(106466001)(5660300001)(92566002)(50466002)(76506005)(2906002)(53416004)(7696004)(7126002)(117636001)(4326007)(110136003)(2810700001)(93886004)(54356999)(19580405001)(19580395003)(50986999)(86362001)(23676002)(42262002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN2PR05MB2733; H:p-emfe01a-sac.jnpr.net; FPR:;  SPF:SoftFail; PTR:InfoDomainNonexistent; MX:1; A:1; LANG:en; 
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Oct 2016 15:14:48.9510 (UTC)
X-MS-Exchange-CrossTenant-Id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=bea78b3c-4cdb-4130-854a-1d193232e5f4; Ip=[66.129.239.18];  Helo=[p-emfe01a-sac.jnpr.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR05MB2733
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fnH5emEQ5yponj-pW1PecJsb9Pk>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 15:14:53 -0000

Tero Kivinen <kivinen@iki.fi> writes:

> Yoav Nir writes:
> > So for the three useful groups in 5114 you didn’t need it (as 4753)
> > already existed, and you don’t need it now, as 5903 exists. I don’t
> > see anything standing in the way of moving to historic or obsoleting
> > it.
>
> This is true for IPsec. I am not sure if it is true for TLS, SSH and
> S/MIME.

For SSH, the IANA document URL:

  http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml

does not have any reference to RFC 5114.

To the best of my understanding, SSH has never really supported anything
other than safe-primes (Sophie Germain primes at that?) Diffie-Hellman
key exchange. Although it is possible to implement Lim-Lee primes with
RFC 4419, only g,p are sent over the wire. For ECDH, SSH has RFC 5656,
so once more there is no need to keep RFC 5114 for anything SSH uses.
I do not know of any other uses of ECP groups for SSH.

> RFC4753 and 5903 only covers the IKE and IKEv2 cases, RFC5114 also
> covers other protocols, and I do not know what if they use 5114 or
> not, and if the NIST ECP group references in there are to 5114 or to
> something else.
>
> For IPsec I think we are good, because we have separate document
> specifying the mandatory to implement algorithms, and that some
> document also specifies MUST NOTs and SHOULD NOTs.

For SSH, I have an IETF draft
https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
to cover the 'SHOULD NOT' values for key exchange.

Perhaps we need to have a similar document for TLS and S/MIME as well?

	-- Mark


From nobody Mon Oct 10 08:33:35 2016
Return-Path: <paul@nohats.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81D5B12971B; Mon, 10 Oct 2016 08:33:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.996
X-Spam-Level: 
X-Spam-Status: No, score=-4.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ugvnpKkDGOT; Mon, 10 Oct 2016 08:33:32 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F88D129715; Mon, 10 Oct 2016 08:33:32 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3st40B2Tgbz1HJ; Mon, 10 Oct 2016 17:33:30 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1476113610; bh=GyymlYO9vWhfnP2Bu0V2eC91dSAQdNsi3P89VFu+Gf0=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=CYdW3peqO7BzwTq+tB9TyZgJ8zT0cpHoym9GPtRA4PbffKEbUCn+4jkGhOHEhbO5D S0lR96mU6113QMPXpBQw+2IaUOBXVt1NZ2dR8vP/q4rkZOxj/DGzOFGlY9ske3mthq MMxlsoTN0WAKqcWNIpA2LafQnv/jAtV2672y07Po=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id x8nnBCBaOUxx; Mon, 10 Oct 2016 17:33:29 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 10 Oct 2016 17:33:29 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 98E4019C338; Mon, 10 Oct 2016 11:33:26 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 98E4019C338
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 90ACA40D3581; Mon, 10 Oct 2016 11:33:26 -0400 (EDT)
Date: Mon, 10 Oct 2016 11:33:26 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
In-Reply-To: <DM5PR09MB146726177114D0FD30F871C2F3DB0@DM5PR09MB1467.namprd09.prod.outlook.com>
Message-ID: <alpine.LRH.2.20.1610101127570.8682@bofh.nohats.ca>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <DM5PR09MB146726177114D0FD30F871C2F3DB0@DM5PR09MB1467.namprd09.prod.outlook.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/aUDSn2GXIU_Vb8DJEO3OFQeS2CA>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 15:33:34 -0000

On Mon, 10 Oct 2016, Dang, Quynh (Fed) wrote:

> A conclusion of the paper was "Our results are yet another reminder that 1024-bit primes should be considered insecure for the security of cryptosystems based on the hardness of discrete
> logarithms. The discrete logarithm computation for our backdoored prime was only feasible because of the 1024-bit size, and the most effective protection against any backdoor of this
> type has always been to use key sizes for which any computation is infeasible. NIST recommended transitioning away from 1024-bit key sizes for DSA, RSA, and Diffie-Hellman in 2010 [6]."
> 
> NIST has been urging users to move away from groups with 1024-bit p and 160-bit q for many years now.

Sure.

> In our document, we stated that group generators "should" provide their seeds. The reason for having "should" instead of "shall (must)" was that anyone could run our suggested method to
> generate their own group. A user who generates his/her own group for her/his own application could have a choice of publishing the seed or not. If a user had a contractor/third party to
> generate a group for him/her, he or she could ask for all documentation about the whole process.

But why should I trust the RFC-5114 2048-bit MODP Group with 256-bit
Prime Order Subgroup? The problem of not knowing the seed remains the
same. We just think the NSA does not have a mathematical advantage over
academia, but that's still a big unknown.

And for IKE, you cannot just generate your own groups.

Paul
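
An added example, not code from anyone in this thread or from any of the SSH
or IKE implementations mentioned, illustrating two points made above: Mark's,
that RFC 4419 group exchange only carries (p, g), so an SSH client can check
that p is a safe prime but has no way to validate a modulus of the RFC 5114
shape p = 2qr + 1 when q is not disclosed; and Paul's, that a group published
without its generation seed cannot be audited, whereas a seed-and-counter
scheme of the FIPS 186-4 A.1.1.2 kind lets anyone regenerate (p, q) and
compare. Assumptions: the function names and the toy constants (2039 as a safe
prime, 607 = 2*101*3 + 1 as a 5114-shaped modulus) are mine; the generation
routine is modelled on the FIPS 186-4 procedure with SHA-256 at a toy 256/128
bit size and is an illustration, not a validated implementation; real groups
are 2048 bits or more.

```python
import hashlib
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]
_rng = random.Random(1)   # Miller-Rabin witness source; fixed seed so runs are reproducible

# Constructed toy groups (far below any real size; only the shapes matter here).
SAFE_P = 2039                       # safe prime: 2039 and (2039 - 1) / 2 = 1019 are both prime
SUBGROUP_P, SUBGROUP_Q = 607, 101   # RFC 5114 shape: 607 = 2 * 101 * 3 + 1 is prime but not safe
SUBGROUP_G = 64                     # 2 ** ((607 - 1) / 101) = 2 ** 6, generates the order-101 subgroup

def is_probable_prime(n, rounds=32):
    """Trial division by SMALL_PRIMES, then Miller-Rabin with `rounds` random witnesses."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """p is a safe prime when p and q = (p - 1) / 2 are both prime."""
    return p > 4 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def validate_gex_group(p, g, min_bits=2048):
    """Checks an SSH client can run on the (p, g) pair in SSH_MSG_KEX_DH_GEX_GROUP.
    Returns a list of problems; an empty list means the group is acceptable."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append("modulus has %d bits, below the %d-bit minimum" % (p.bit_length(), min_bits))
    if not is_safe_prime(p):
        # A prime p = 2qr + 1 with undisclosed q passes a primality test but
        # cannot be checked any further from (p, g) alone, so only safe primes pass.
        problems.append("modulus is not a safe prime")
        return problems
    if not 1 < g < p - 1:
        problems.append("generator out of range")
    elif pow(g, (p - 1) // 2, p) != 1:
        # g then has order 2q: the Legendre symbol of g^(ab) follows from the
        # public values g^a and g^b, leaking one bit of the shared secret.
        problems.append("generator has order 2q, leaks one bit of the shared secret")
    return problems

def fips186_generate(L, N, seed):
    """(p, q) generation modelled on FIPS 186-4 A.1.1.2 with SHA-256.  Returns
    (p, q, counter), or None when this seed gives a composite q or no prime p
    within 4L counters (a generator then simply moves on to the next seed)."""
    outlen, seedlen = 256, len(seed) * 8
    n = -(-L // outlen) - 1                          # ceil(L / outlen) - 1
    b = L - 1 - n * outlen
    H = lambda x: int.from_bytes(hashlib.sha256(x.to_bytes(len(seed), "big")).digest(), "big")
    s = int.from_bytes(seed, "big")
    U = H(s) % (1 << (N - 1))
    q = (1 << (N - 1)) + U + 1 - (U % 2)             # exactly N bits, odd
    if not is_probable_prime(q):
        return None
    offset = 1
    for counter in range(4 * L):
        V = [H((s + offset + j) % (1 << seedlen)) for j in range(n + 1)]
        W = sum(V[j] << (j * outlen) for j in range(n)) + ((V[n] % (1 << b)) << (n * outlen))
        X = W + (1 << (L - 1))                       # exactly L bits
        p = X - (X % (2 * q) - 1)                    # p == 1 (mod 2q), so q divides p - 1
        if p >= (1 << (L - 1)) and is_probable_prime(p):
            return p, q, counter
        offset += n + 1
    return None

def fips186_find(L, N, label=b"constructed example seed"):
    """Derive successive seeds from `label` until generation succeeds; returns (p, q, seed, counter)."""
    for i in range(100000):
        seed = hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        result = fips186_generate(L, N, seed)
        if result:
            return result[0], result[1], seed, result[2]
    raise RuntimeError("no group found")

def fips186_verify(p, q, seed, counter):
    """The check a third party can run only when the seed was published:
    regenerate from (seed, counter) and compare with the published (p, q)."""
    return fips186_generate(p.bit_length(), q.bit_length(), seed) == (p, q, counter)
```

validate_gex_group(2039, 4, min_bits=11) returns an empty list, while
validate_gex_group(607, 64, min_bits=10) reports that the modulus is not a
safe prime even though 607 is prime and 64 really does generate an order-101
subgroup: that is all a receiver of (p, g) alone can conclude. fips186_verify()
succeeds only for the exact seed and counter that produced the group, which is
the property a published seed buys and an unpublished one does not.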


From nobody Mon Oct 10 11:52:56 2016
Return-Path: <adrian@hopebailie.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42949129427 for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 11:52:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopebailie.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UMD0wBsObCGE for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 11:52:53 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE4CB12952E for <saag@ietf.org>; Mon, 10 Oct 2016 11:52:52 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id t73so22756892oie.1 for <saag@ietf.org>; Mon, 10 Oct 2016 11:52:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopebailie.com; s=google; h=mime-version:from:date:message-id:subject:to:cc; bh=8Rs9l8x76ft3C6PJdb8WfUZ/DuS1DQpHl8rOwEfNdMo=; b=cZOO5Ntb0DaxudR1MyZNfH+CwBJ8qQcyV0712nRe8XzkTIMXdQxwINrQMcAN3FesHd SfFZ0xx7ReKSP+EsD+p7+ukzftHU2TzGTMcX5zq1oWd3+9HnNFZGXpQSMtRw47svIbWA rdDXhWy+f+ajS+wqpfjgOA5C8FDWHrtvVN4kk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=8Rs9l8x76ft3C6PJdb8WfUZ/DuS1DQpHl8rOwEfNdMo=; b=Cmv1CaZmeNDdZdwCuE4SAzuHqn3bf/gA6nk85RSgfD1+GIibL8SEEeDlLuvwUdfecm Hzz4xuzhYpfTOyN3Ma/M/4wA4zs9O41TsNr4xcn2pRRUU8mRClpjYo1pnPQYgg5cDoyI UZ6xXhYcIF2pJpxhRlGZbL81HtAAakx3zGvxD4ZBsoMLrdin3xGa6Nsj4e1/Z49lqoWZ iomBvxaZNVwknI0MTdcLnJKRTUGKYxkRMPrCxLcLIvGozpdSOeySpNkh+Pu1S+nXB89y AELe7BZ863TxB4nbohaFiB2qzYUq/dDTd4OQkUxoLkm/Oe2alQgZwQF8BB7eAxP2VPxw w6mw==
X-Gm-Message-State: AA6/9RlcgxrsGPzhJYRzuWXgO6pyGkbHl8GQQK33tXRlb59q7KoidhtAJUiBCx7fZ/f0buqh3GOhjLkJq6L/Uw==
X-Received: by 10.157.41.157 with SMTP id n29mr20789796otb.7.1476125572386; Mon, 10 Oct 2016 11:52:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.81.142 with HTTP; Mon, 10 Oct 2016 11:52:51 -0700 (PDT)
From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Mon, 10 Oct 2016 20:52:51 +0200
Message-ID: <CA+eFz_LV35vQA-hjJ-oVJSDaj=0xM9mAWds2_QwFgmF8TYcNCA@mail.gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary=001a113dc05e62e814053e8744b3
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2ggKYvNcoMERSQexsGGK1Vj_514>
Cc: Stefan Thomas <stefan@ripple.com>, Evan Schwartz <evan@ripple.com>, Interledger Mailing List - IETF <ledger@ietf.org>
Subject: [saag] Proposed item for SAAG agenda - Crypto-conditions
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Oct 2016 18:52:55 -0000

--001a113dc05e62e814053e8744b3
Content-Type: text/plain; charset=UTF-8

Hey saag, (cc: ledger)

At IETF 96 my colleagues and I presented a BOF on the Interledger protocol,
a project we are working on to develop an open payments protocol inspired
by IP.

While we have not progressed the protocol work to the point that we are
ready for a follow up at IETF 97 we would like to continue work on one of
the "sub-projects"; Crypto-Conditions.

For a useful background to the problem we are solving Christopher Allen's
white paper is very helpful:
https://github.com/WebOfTrustInfo/ID2020DesignWorkshop/blob/master/draft-documents/smarter-signatures.md

The latest version of the crypto-conditions ID is here:
https://datatracker.ietf.org/doc/draft-thomas-crypto-conditions/
(Maintained via GitHub at:
https://github.com/interledger/rfcs/blob/master/0002-crypto-conditions/0002-crypto-conditions.md
)

We are working on some updates to this draft and wish to hear back from
this group if:
a) There is a desire to discuss this topic in Seoul
b) If there are any suggestions for amendments to the current ID that I can
incorporate in my next edit

Your help is much appreciated!

Adrian

--001a113dc05e62e814053e8744b3--


From nobody Mon Oct 10 20:48:31 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE14612945D for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 20:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.196
X-Spam-Level: 
X-Spam-Status: No, score=-7.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C915p7886Uuy for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 20:48:25 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 762A21295C5 for <saag@ietf.org>; Mon, 10 Oct 2016 20:48:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1476157705; x=1507693705; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=K4sXwa3QWE57FiJKFSoGxYHl0+KPVjPHLM+Aed6KCQo=; b=TXMo8ZxQ/uCEDz3ASjKT7RQCsSp9NYmDFQoZ5dXfZS22PFieoAhGqi8m xTDm8zRwHOebyX1UeSrf2kM5ORjnz4vnErg+aS61XCj4575iEaxn2khGA 7sFuusz2L8d2bHfwo0KG5CiqjvfJKywmjL3SItmDMohqGczaoaxSiNPjc BIwDSImisvsEKS21prLUQQENbWjtvBEZhpOxAvlHVHJ9BJurZ5/YnMjYP K4ptPD6vHG9BTDLmCQBPysPe7nC/qvG9qHaQsTwCjULaTPLXvL/wlKhi4 rkW7tUfyu7x+VTxEZ/wUtzIRxdoIywT5E5DH4DjE+sm9+MPFJa7R9TZOW g==;
X-IronPort-AV: E=Sophos;i="5.31,476,1473076800"; d="scan'208";a="109675807"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.5 - Outgoing - Outgoing
Received: from uxcn13-ogg-d.uoa.auckland.ac.nz ([10.6.2.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Oct 2016 16:48:24 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 11 Oct 2016 16:48:23 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Tue, 11 Oct 2016 16:48:23 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] software update for teeny-weeny devices
Thread-Index: AQHSIlbq37mnVrbYmk+x7O/8iCzEkKCin7Nk
Date: Tue, 11 Oct 2016 03:48:22 +0000
Message-ID: <1476157701079.16040@cs.auckland.ac.nz>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz>, <b113c5e7-72e7-16e8-9a54-3053ebaa1c93@cs.tcd.ie>
In-Reply-To: <b113c5e7-72e7-16e8-9a54-3053ebaa1c93@cs.tcd.ie>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IglOKFS7YYVaExUFIYIqfdA3opg>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2016 03:48:29 -0000

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
>On 09/10/16 03:22, Peter Gutmann wrote:
>>It'd also be good to have a problem statement of some kind rather than just
>>a shopping list of stuff, or some indication of where the authors are coming
>>from when they create their list.
>
>The authors of the draft are just trying to reflect what happened at the
>workshop (as it says in the draft).

So were there no requirements given at the workshop, no use cases?  At the
moment it feels like being told the punchline of a joke, "And then the farmer
said 'You'll have to take the sheep as well'" [0], but without the setup you
can't tell what's going on.

>If the text of the draft gives the wrong impression about any of that, I'd
>appreciate pointers to help us fix it.

It's not really the wrong impression, it's a very incomplete impression.  It's
like a bunch of people got together and came up with a list of problems,
without really specifying what it was they were trying to do.  I know in
general what's being discussed, but without any requirements or use cases I
can just make a whole pile of the problems discussed go away by saying "well
don't do that, then", the prime example being the one I pointed out, if you
ignore certificates, or throw away CRLs and use something more functional,
then you don't have to worry about having an RTC.

Peter.

[0] Obviously this is an Australian joke.


From nobody Mon Oct 10 20:56:31 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E50BF12945D for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 20:56:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.196
X-Spam-Level: 
X-Spam-Status: No, score=-7.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kbVtdP1F6_fq for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 20:56:28 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CD14128B37 for <saag@ietf.org>; Mon, 10 Oct 2016 20:56:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1476158188; x=1507694188; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=DN7kcISggYWAlZU9Jh5APVUWItdadZVpYooE6MAvSLI=; b=nyAJnFy0oYXp4iSzsu4zpz7+5L2PdSmUfQc/WycFQsXmpiowPA6qObMm K3EApZh/ZKhswedpObACLyvv3H2VmUW+vKXLaO21jhQ8LCvTa/q7mHU5Q RWlYbFGGL/qlcKRv4vLurmgvQxKRFInJbcHJNy0HsDSGLy9Zd9S40lCuk UQ6m5pLOJ/vfOd1nrE3RkyQ4J9oTPGNezMoooM/fJuwEF9XA8dY8myXjq 7hLejKLVDillWc1Ht6YoRvvOK62xQE8AIbGfdlD/0hpbftpMN/8POSMr8 PmulUs4DWGsgrg99+xYCv3G563cHe/556rR6engZBmo+0kTE4ZKAmXd3g A==;
X-IronPort-AV: E=Sophos;i="5.31,476,1473076800"; d="scan'208";a="109676533"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.2 - Outgoing - Outgoing
Received: from uxcn13-ogg-a.uoa.auckland.ac.nz ([10.6.2.2]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Oct 2016 16:56:26 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-a.UoA.auckland.ac.nz (10.6.2.2) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 11 Oct 2016 16:56:26 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Tue, 11 Oct 2016 16:56:26 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: David Woodhouse <dwmw2@infradead.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] software update for teeny-weeny devices (was: Fwd: [Iotsu] Initial version of the IoTSU workshop report submitted)
Thread-Index: AQHSINOvzahpTKjrxUmXJ/cn+OGbqaCfZh4ygAA9mQCAAwEJGQ==
Date: Tue, 11 Oct 2016 03:56:26 +0000
Message-ID: <1476158184375.58802@cs.auckland.ac.nz>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> , <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz>, <1476039736.28198.140.camel@infradead.org>
In-Reply-To: <1476039736.28198.140.camel@infradead.org>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ALv8eUIoCzQhCNRW4-56ykR7ml8>
Subject: Re: [saag] software update for teeny-weeny devices (was: Fwd: [Iotsu] Initial version of the IoTSU workshop report submitted)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2016 03:56:30 -0000

David Woodhouse <dwmw2@infradead.org> writes:

>I understand that a lot of IoT devices are specifically designed to be
>unreliable — requiring Internet connectivity instead of being operable purely
>over a local network. But requiring the correct time would just be a step too
>far, surely?

You don't even need it, it's an artefact of someone's decision to use
certificates because... well who knows, since there's no rationale or
requirements.  In fact the doc doesn't even say what needs to be checked for
revocation, a code-signing cert, device certs, what?  It's just "certs will be
used and therefore we need revocation".

Actually now you have at least three problems, not just two.

Peter.


From nobody Mon Oct 10 21:05:56 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B79F9129424 for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 21:05:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.196
X-Spam-Level: 
X-Spam-Status: No, score=-7.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1EoFyYy4jHSa for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 21:05:43 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0622A128B37 for <saag@ietf.org>; Mon, 10 Oct 2016 21:05:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1476158743; x=1507694743; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=9rM79g0pYUi3goTE4TQe7Zy36PSb3J0MAbH2wTBD6MA=; b=GmgZoKilkp6hAh12y0Bs2kVdUqSe5frbDKdQLDEO7gNJgqJU1amsxo8A oJZf6FTi+8BfO0XGU7p6wqmoQW5xgvYzMKDJojfpKpatjR13i9F7dzh7M 0YPzDTdUtTEbQd5uDmpWhXmurfkkYO+SrnIjRlq99B+EfO18F/v5UyO13 0ZS+GJsq3l+RXsgplqCmc2rV08PHBXLKVq8nQJINvuBTQDYB99guBMp4d cntYNIPyE87OBcdrdVsJIM+ZCsnRlOrTaY9hF820WMtkEHePsd4J84d9w /0d2XtT2AB3usY/IXadZ3Ym+9uHhhDxbbR2qbUST5FZmSGQ090NKJ6MSm g==;
X-IronPort-AV: E=Sophos;i="5.31,476,1473076800"; d="scan'208";a="109677821"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.4 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-tdc-c.UoA.auckland.ac.nz) ([10.6.3.4]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Oct 2016 17:05:41 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-c.UoA.auckland.ac.nz (10.6.3.4) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 11 Oct 2016 17:05:41 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Tue, 11 Oct 2016 17:05:40 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, David Woodhouse <dwmw2@infradead.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] software update for teeny-weeny devices
Thread-Index: AQHSItKPh9IAjWZzBECS6DoBAmlKxKCio5oH
Date: Tue, 11 Oct 2016 04:05:40 +0000
Message-ID: <1476158738115.29657@cs.auckland.ac.nz>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz> <1476039736.28198.140.camel@infradead.org>, <fdcc3a6e-75ab-30ad-7b5f-e1f091b0c47d@gmx.net>
In-Reply-To: <fdcc3a6e-75ab-30ad-7b5f-e1f091b0c47d@gmx.net>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/EQ5Fq4VHUNuWsbbqF8BOJyax5_g>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2016 04:05:54 -0000

Hannes Tschofenig <hannes.tschofenig@gmx.net> writes:

>I believe that while companies make use of certificates for reasons of
>familiarity with the tools and the technology they are actually just using
>the SubjectPublicKeyInfo part of it.

Yeah, that's quite widespread in SCADA/embedded, you parse through to the SPKI
and pull out the public key and throw the rest away (my code has a build
option USE_PSEUDOCERTIFICATES for just this use case, you get a pointer to a
fixed pre-encoded cert in flash and a public-key object in RAM, saving
100-200kB of code space and tens of kB of RAM).  Mind you that does
immediately lead to the follow-up question, why worry about revocation issues
when the device isn't even looking at the cert?

Peter.

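An added example of the parse-through-to-the-SPKI approach described in the
message above (this is not Peter's USE_PSEUDOCERTIFICATES code and not from
the IoTSU report): a DER walker that descends Certificate -> tbsCertificate ->
subjectPublicKeyInfo, returns the algorithm OID and the raw public key, and
never looks at issuer, validity, extensions or the signature. The certificate
it runs on is constructed in-line with a small DER encoder (Ed25519 algorithm
identifier, a hash output standing in for the 32-byte key, an all-zero
placeholder signature), so the example runs offline; the function names are
mine.

```python
import hashlib

def der_len(n):
    """DER length encoding: short form below 128, else minimal big-endian long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode the TLV header at buf[pos]; returns (tag, value_start, value_end).
    Rejects multi-byte tags, indefinite and non-minimal lengths (valid DER never
    uses them) and any element that runs past the end of the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf) or buf[pos] == 0:
            raise ValueError("indefinite, oversized or non-minimal length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80:
            raise ValueError("non-minimal length")
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, pos, pos + length

def extract_spki(cert):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo, skipping the
    fields in between, and return (algorithm OID, public key bytes, raw SPKI DER).
    Nothing is validated: no signature, no validity period, no extensions."""
    tag, pos, _ = read_tlv(cert, 0)                  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate SEQUENCE")
    tag, pos, _ = read_tlv(cert, pos)                # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                                  # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                               # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, alg_pos, spki_end = read_tlv(cert, pos)     # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    raw_spki = cert[pos:spki_end]
    tag, oid_pos, key_pos = read_tlv(cert, alg_pos)  # AlgorithmIdentifier ::= SEQUENCE
    oid_tag, o1, o2 = read_tlv(cert, oid_pos)        # algorithm OBJECT IDENTIFIER
    key_tag, k1, k2 = read_tlv(cert, key_pos)        # subjectPublicKey BIT STRING
    if tag != 0x30 or oid_tag != 0x06 or key_tag != 0x03 or cert[k1] != 0:
        raise ValueError("unexpected SubjectPublicKeyInfo layout")
    return cert[o1:o2], cert[k1 + 1:k2], raw_spki

ED25519_OID = bytes.fromhex("2b6570")                # id-Ed25519, 1.3.101.112
# Constructed 32-byte stand-in for an Ed25519 public key; not a real key.
EXAMPLE_KEY = hashlib.sha256(b"constructed example key").digest()

def build_test_cert(pubkey=EXAMPLE_KEY, oid=ED25519_OID):
    """Constructed certificate with minimal fields and an all-zero placeholder
    signature, so the example runs offline.  Only the layout matters here."""
    alg = tlv(0x30, tlv(0x06, oid))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"example device"))))
    validity = tlv(0x30, tlv(0x17, b"160101000000Z") + tlv(0x17, b"260101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + pubkey))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(64)))

if __name__ == "__main__":
    oid, key, raw = extract_spki(build_test_cert())
    print(oid.hex(), key.hex(), len(raw))
```

Everything between the version field and the SPKI is skipped by length, and
everything after it is never read, so the walker is a few dozen lines and
needs no ASN.1 library; that is where the code-space saving comes from.
Whatever trust the device places in the extracted key has to come from
provisioning or pinning rather than from the certificate, which is only a
container in this design.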

From nobody Mon Oct 10 21:14:35 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4622E129439 for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 21:14:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.196
X-Spam-Level: 
X-Spam-Status: No, score=-7.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v9XubiGMSu1q for <saag@ietfa.amsl.com>; Mon, 10 Oct 2016 21:14:31 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45877128B37 for <saag@ietf.org>; Mon, 10 Oct 2016 21:14:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1476159271; x=1507695271; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=ExshYG5A52A5TroBGQwXkWwPuJm0H70t+pHYR0/4nL0=; b=MhdFrmufEaxqZQIQj4+TmOtPPqc66W/FRb/V1sehptD5bnnzGsjGo89f +W3Zsoc+Rgvci1p5rak+FEWa/HeRnDh7Dpuk4hRnOWsC0FSGzgycVINF6 5jKJB/LBzAmXt45rjvlv6hG2w/T/AsPgbh+WHEV7Y683ihjYugV37ABO7 j++QnvH0CSEtZKOb3yKTbfRNRZN4BIsA5K1JzAqOGvowIhMsdw9UwhkUg UtRk6NDExsSuiTSVNCAzteZ8kGHmpVn6t7YjM+f84BSM/wtcgJTIPD/qk g5RcreKyI/pgcYhWDAfSSYb2Kwnkl6mlheceGGSipZZH77PaclJ06vOlc w==;
X-IronPort-AV: E=Sophos;i="5.31,476,1473076800"; d="scan'208";a="109678556"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.2 - Outgoing - Outgoing
Received: from uxcn13-ogg-a.uoa.auckland.ac.nz ([10.6.2.2]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 11 Oct 2016 17:14:29 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-a.UoA.auckland.ac.nz (10.6.2.2) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 11 Oct 2016 17:14:29 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Tue, 11 Oct 2016 17:14:29 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Mark D. Baushke" <mdb@juniper.net>, Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [saag] Possible backdoor in RFC 5114
Thread-Index: AQHSH+pGdiEUPpjwN0um+EbCY1rdIKCcBtqAgAAlcQCAACCZAIAEdEEAgAERMy6AANmKwQ==
Date: Tue, 11 Oct 2016 04:14:28 +0000
Message-ID: <1476159266964.6087@cs.auckland.ac.nz>
References: <CACsn0ck9u3ct3wD7xWXtDZ89Q1R6OKTQFMYuZ56_vY2ys+1=YQ@mail.gmail.com> <bfa71c30-3ccc-1538-c682-33e14c910e21@cs.tcd.ie> <22519.43588.421250.807948@fireball.acr.fi> <CADF337F-88BC-4B9E-B05F-94F146CB068B@gmail.com> <22523.33312.32834.216296@fireball.acr.fi>, <57973.1476112485@eng-mail01.juniper.net>
In-Reply-To: <57973.1476112485@eng-mail01.juniper.net>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jikHpB8xXAaz0q6QdDOXTCj9aYk>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2016 04:14:33 -0000

Mark D. Baushke <mdb@juniper.net> writes:

>Perhaps we need to have a similar document for TLS and S/MIME as well?

The TLS one already exists:

https://www.ietf.org/id/draft-gutmann-tls-lts-05.txt

It's just hung up in the TLS WG, which is getting a bit annoying since there
are at least two vendors who have either shipped or are ready to ship
implementations based on it...

Peter.


From nobody Tue Oct 11 04:43:40 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17A0A129857 for <saag@ietfa.amsl.com>; Tue, 11 Oct 2016 04:43:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.297
X-Spam-Level: 
X-Spam-Status: No, score=-7.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVnQyF5sflNr for <saag@ietfa.amsl.com>; Tue, 11 Oct 2016 04:43:37 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CBA8129856 for <saag@ietf.org>; Tue, 11 Oct 2016 04:43:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 7CCB2BE49; Tue, 11 Oct 2016 12:43:35 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Lg9o7KXnLhU; Tue, 11 Oct 2016 12:43:35 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id D9F3ABDCC; Tue, 11 Oct 2016 12:43:34 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476186215; bh=whNeDYVFbdocFmJBuVFr8novam3I1sMi+dlgiSWw1Jk=; h=Subject:To:References:From:Date:In-Reply-To:From; b=WhLnOEjQq3rpGfeRv1v+rvG7BdG4KCtL2SmnQ2Tf4jRwMe3BzUfADBVVTKJsscr7C vaK1EqHO3kuwS7L85Aekl5VhHXBFv2wojXEioZxpyWh7Pwhe88auFU9J+BpHwwHG0j +kX0LtLdH9N/zC0OHeNt8ERAbJCwIIlk0xmUi048=
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "saag@ietf.org" <saag@ietf.org>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz> <b113c5e7-72e7-16e8-9a54-3053ebaa1c93@cs.tcd.ie> <1476157701079.16040@cs.auckland.ac.nz>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <73611303-a4bb-8c6d-bf85-d443948ebd9c@cs.tcd.ie>
Date: Tue, 11 Oct 2016 12:43:35 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1476157701079.16040@cs.auckland.ac.nz>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms050707090102000803040301"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/pHbAgri08Wn_zsPwr_jG33Tfmk8>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2016 11:43:39 -0000

This is a cryptographically signed message in MIME format.

--------------ms050707090102000803040301
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable



On 11/10/16 04:48, Peter Gutmann wrote:
> Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
>> On 09/10/16 03:22, Peter Gutmann wrote:
>>> It'd also be good to have a problem statement of some kind rather than just
>>> a shopping list of stuff, or some indication of where the authors are coming
>>> from when they create their list.
>>
>> The authors of the draft are just trying to reflect what happened at the
>> workshop (as it says in the draft).
>
> So were there no requirements given at the workshop, no use cases?

The workshop did not produce the one true list of requirements
nor use-cases, no. And nor should it have attempted to do that
IMO.

> At the
> moment it feels like being told the punchline of a joke, "And then the farmer
> said 'You'll have to take the sheep as well'" [0], but without the setup you
> can't tell what's going on.
>
>> If the text of the draft gives the wrong impression about any of that, I'd
>> appreciate pointers to help us fix it.
>
> It's not really the wrong impression, it's a very incomplete impression.  It's
> like a bunch of people got together and came up with a list of problems,
> without really specifying what it was they were trying to do.

Is there a clue in the fact that it was called a workshop? ;-)

> I know in
> general what's being discussed, but without any requirements or use cases I
> can just make a whole pile of the problems discussed go away by saying "well
> don't do that, then", the prime example being the one I pointed out, if you
> ignore certificates, or throw away CRLs and use something more functional,
> then you don't have to worry about having a RTC.

If you read the text of the report as being a recommendation
for strict adherence to x.509 or rfc5280+revocation-checking
then we should fix it so it doesn't read that way. But I don't
think it does read that way, and it's certainly not intended
to be written that way, at least by me. Again, if you can
point out text that led you to think that, that'd be great and
we can fix it. (That's fine offlist if that's easier.)

Cheers,
S.

>
> Peter.
>
> [0] Obviously this is an Australian joke.
>


--------------ms050707090102000803040301
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms050707090102000803040301--
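
The technical point Peter makes twice in this thread (at the end of his first message, "why worry about revocation issues when the device isn't even looking at the cert?", and in the part Stephen quotes above: ignore certificates and CRLs, use something more functional, and the device no longer needs an RTC) can be shown concretely. The following Go program is an added example, not code from this thread, from the IOTSU report, or from any vendor: it verifies a firmware image with a pinned Ed25519 public key and a monotonic version counter instead of a certificate chain. The image layout, the names BuildImage and VerifyImage, and the assumption that the public key is burned in at manufacture and the installed version lives in non-volatile storage are all constructed for the example. Go is used rather than firmware C only because its standard library carries Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not from the IOTSU report or any
// vendor's format):
//
//	"FWIM" | version uint32 BE | payload length uint32 BE | payload | Ed25519 signature
//
// The signature covers every byte before it.
const (
	magic     = "FWIM"
	headerLen = 4 + 4 + 4
	sigLen    = ed25519.SignatureSize
)

var (
	ErrFormat    = errors.New("malformed image")
	ErrSignature = errors.New("signature does not verify under the pinned key")
	ErrRollback  = errors.New("image version is not newer than the installed one")
)

func putU32(b []byte, v uint32) []byte {
	var tmp [4]byte
	binary.BigEndian.PutUint32(tmp[:], v)
	return append(b, tmp[:]...)
}

// BuildImage is the vendor side: sign payload with the release key under a
// version number that only ever increases.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	img := make([]byte, 0, headerLen+len(payload)+sigLen)
	img = append(img, magic...)
	img = putU32(img, version)
	img = putU32(img, uint32(len(payload)))
	img = append(img, payload...)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyImage is the device side. Its only trust inputs are the pinned public
// key (assumed burned in at manufacture) and the version counter the device
// keeps in non-volatile storage. There is no certificate to parse, no CRL to
// fetch and no notBefore/notAfter to compare, so no real-time clock is needed.
// On success it returns the version the device should record as installed.
func VerifyImage(pub ed25519.PublicKey, installed uint32, image []byte) (uint32, error) {
	if len(image) < headerLen+sigLen || string(image[:4]) != magic {
		return 0, ErrFormat
	}
	version := binary.BigEndian.Uint32(image[4:8])
	plen := binary.BigEndian.Uint32(image[8:12])
	// Compare in uint64 so a huge declared length cannot wrap the sum.
	if uint64(headerLen)+uint64(plen)+uint64(sigLen) != uint64(len(image)) {
		return 0, ErrFormat
	}
	signed, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	// Check the signature before trusting anything else in the header: an
	// unsigned image tells the device nothing, not even its version.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, ErrSignature
	}
	// Anti-rollback: the monotonic counter is the freshness check that
	// expiry dates would otherwise provide.
	if version <= installed {
		return 0, ErrRollback
	}
	return version, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor's release key
	if err != nil {
		panic(err)
	}
	installed := uint32(6) // constructed value the device holds in NVM
	good := BuildImage(priv, 7, []byte("constructed firmware payload"))

	v, err := VerifyImage(pub, installed, good)
	fmt.Println("fresh image:", v, err)

	_, err = VerifyImage(pub, 7, good) // device already runs version 7
	fmt.Println("replayed old image:", err)

	tampered := append([]byte(nil), good...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, err = VerifyImage(pub, installed, tampered)
	fmt.Println("tampered image:", err)

	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // key the device does not pin
	_, err = VerifyImage(otherPub, installed, good)
	fmt.Println("wrong key:", err)
}
```

What this buys on a constrained device is exactly what the thread argues about: the verifier has no notion of time, so a drifting or absent RTC cannot make a good image fail or a stale one pass; freshness is the counter, and trust is the pinned key. What it does not solve is replacing that key, which is the "something more functional" the thread leaves open.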


From nobody Tue Oct 11 07:02:35 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D74B61294CE for <saag@ietfa.amsl.com>; Tue, 11 Oct 2016 07:02:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.297
X-Spam-Level: 
X-Spam-Status: No, score=-7.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TjK6o0Sr-6iX for <saag@ietfa.amsl.com>; Tue, 11 Oct 2016 07:02:33 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69DC129478 for <saag@ietf.org>; Tue, 11 Oct 2016 07:02:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id A28F3BE47 for <saag@ietf.org>; Tue, 11 Oct 2016 15:02:29 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nif-p0_aHB4a for <saag@ietf.org>; Tue, 11 Oct 2016 15:02:29 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 1182CBE2F for <saag@ietf.org>; Tue, 11 Oct 2016 15:02:29 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476194549; bh=CbF1bfoF8VLlGo/fy6xjw1oR5Tjlg/JEKe9Ljh7DZao=; h=To:From:Subject:Date:From; b=q9gkyMRf4y0CIXlJQQ0Kjz4iZfYoypr+T6iybc5uWyRbLZwTcMJ/Sf4PAwT+e1LkG g3hpDtDU9k9DOTByjHfTwOyDWncTdmcgOZTZbp6e3UxdPmLRgIiw09NwvMMlo7eQS8 XUme64od8KxHrEGIaaPzew+FhVf2hLDtoY4vCS3I=
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <cd42326a-bb34-712a-2d67-cc24783e6f7d@cs.tcd.ie>
Date: Tue, 11 Oct 2016 15:02:29 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms040709000100020702030600"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fywT9GGsq6kYGO7TbyVcvJ-dzT8>
Subject: [saag] presentation slots for saag @ IETF97
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2016 14:02:35 -0000

This is a cryptographically signed message in MIME format.

--------------ms040709000100020702030600
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

Kathleen and I are starting to sort out the saag agenda
for IETF97. If you'd like a presentation slot please send
us an offlist mail indicating the topic and roughly how
long you'd like.

If you already asked, no need to repeat stuff, but if you
don't get a mail from me in the next couple of days,
please then do repeat stuff as it means I've forgotten
about it:-)

Cheers,
S.


--------------ms040709000100020702030600
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms040709000100020702030600--


From nobody Tue Oct 11 20:48:58 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5B1A1296B1 for <saag@ietfa.amsl.com>; Tue, 11 Oct 2016 20:48:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.196
X-Spam-Level: 
X-Spam-Status: No, score=-7.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G2-vGMJ9CmhQ for <saag@ietfa.amsl.com>; Tue, 11 Oct 2016 20:48:55 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCBE61296CB for <saag@ietf.org>; Tue, 11 Oct 2016 20:48:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1476244135; x=1507780135; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=2VtEV+7e94zWXccbKn9TKX8mZMKJ7CGJxLfIRgkKkfc=; b=p1XWQ11FUQ6SRYg16289inHr1HRgnjsYFV24EVz1uH9bkrJKX6pgDZ66 FH3oUp7TEzjsJOjsMi7P1TvAFTAOfnsyDY9bpd1F36OEHs/HE8VCB1z/e HRPNFJcUHO/6brZOkq8E2yAHwMgQwNeVjHFi9pN7Yn0s2ChIxE21yaOE5 pptauPcJtO/nRg3DfmHFA5IfmMQ5dMFUi/+HbuBT+8kElSi+6WG2CFP1e /ERA248gcH1JI0VRDQBZNgFztQeo0/UTYsDcaoeHhCiJ0TrYUTiLCQiQ7 +DjC1pn44wAglyMqObK9SOuEnpOS9TN+MJa226J/9bV8PVKR6GYVuv3mO w==;
X-IronPort-AV: E=Sophos;i="5.31,332,1473076800"; d="scan'208";a="109822103"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.2 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-tdc-a.UoA.auckland.ac.nz) ([10.6.3.2]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 12 Oct 2016 16:48:53 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-a.UoA.auckland.ac.nz (10.6.3.2) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 12 Oct 2016 16:48:46 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Wed, 12 Oct 2016 16:48:46 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] software update for teeny-weeny devices
Thread-Index: AQHSIlbq37mnVrbYmk+x7O/8iCzEkKCin7Nk//+rF4CAAedM3w==
Date: Wed, 12 Oct 2016 03:48:46 +0000
Message-ID: <1476244125968.29351@cs.auckland.ac.nz>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz> <b113c5e7-72e7-16e8-9a54-3053ebaa1c93@cs.tcd.ie> <1476157701079.16040@cs.auckland.ac.nz>, <73611303-a4bb-8c6d-bf85-d443948ebd9c@cs.tcd.ie>
In-Reply-To: <73611303-a4bb-8c6d-bf85-d443948ebd9c@cs.tcd.ie>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gpxCVZriJCjjAKtMykcfvpa0hLc>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2016 03:48:57 -0000

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

>If you read the text of the report as being a recommendation for strict
>adherence to x.509 or rfc5280+revocation-checking then we should fix it so
>it doesn't read that way.

Well, in the absence of any requirements I had to kind of reverse-engineer
what the report was trying to do from the text, like reverse-engineering a
joke from its punchline.  Since it mentioned certs I assumed they were
required, but without anything indicating what's meant to be achieved I guess
any statement in the report could be right, wrong, or both at the same time.
It's really hard to tell (insert Bob Morris (?) quote about "the behaviour
of a program without a specification can never be wrong, only surprising").

Peter.


From nobody Tue Oct 11 23:42:44 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E82C129503 for <saag@ietfa.amsl.com>; Tue, 11 Oct 2016 23:42:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.297
X-Spam-Level: 
X-Spam-Status: No, score=-7.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IED7nxJDv27D for <saag@ietfa.amsl.com>; Tue, 11 Oct 2016 23:42:41 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00ADF129404 for <saag@ietf.org>; Tue, 11 Oct 2016 23:42:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 39F9FBE5D; Wed, 12 Oct 2016 07:42:38 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5gpQJvVRBVVd; Wed, 12 Oct 2016 07:42:36 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 50A77BE3E; Wed, 12 Oct 2016 07:42:36 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476254556; bh=hAuALk8MsSJzUyraptVw6gLX7sfZ5xSS0c6DhS3YZUg=; h=Subject:To:References:From:Date:In-Reply-To:From; b=TqNphX0w9zhSbkJ7ePGMmkv8FnB1g9M3/qWMi2MyZbX68Luwh3d+KAZ6Xvxw+da6z Ix0EUOhrQqFKjo7r9Z4kzWJDmwOh2QbHEQRA76acQEdj9AWJFt72MG7MuptoE8lZ+x tG9jW2I6XRY0M6S1JxrkKEpSVNLH+SymnaJG5tvI=
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "saag@ietf.org" <saag@ietf.org>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz> <b113c5e7-72e7-16e8-9a54-3053ebaa1c93@cs.tcd.ie> <1476157701079.16040@cs.auckland.ac.nz> <73611303-a4bb-8c6d-bf85-d443948ebd9c@cs.tcd.ie> <1476244125968.29351@cs.auckland.ac.nz>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <69c6e7bd-cfca-45ce-8821-af33355dd4a3@cs.tcd.ie>
Date: Wed, 12 Oct 2016 07:42:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1476244125968.29351@cs.auckland.ac.nz>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms010701030606030809010405"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0Fs2kvJO_P7NYV44w4MY55waPcg>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2016 06:42:43 -0000

This is a cryptographically signed message in MIME format.

--------------ms010701030606030809010405
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Peter,

On 12/10/16 04:48, Peter Gutmann wrote:
> Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
>
>> If you read the text of the report as being a recommendation for strict
>> adherence to x.509 or rfc5280+revocation-checking then we should fix it so
>> it doesn't read that way.
>
> Well, in the absence of any requirements I had to kind of reverse-engineer
> what the report was trying to do from the text, like reverse-engineering a
> joke from its punchline.  Since it mentioned certs I assumed they were
> required, but without anything indicating what's meant to be achieved I guess
> any statement in the report could be right, wrong, or both at the same time.
> It's really hard to tell (insert Bob Morris (?) quote about "the behaviour
> of a program without a specification can never be wrong, only surprising").

I think we're done here. Given that the abstract says:

   This document provides a summary of the 'Workshop on Internet of
   Things (IoT) Software Update (IOTSU)' which took place at Trinity
   College Dublin, Ireland on the 13th and 14th of June, 2016.  The main
   goal of the workshop was to foster a discussion on requirements,
   challenges and solutions for bringing software and firmware updates
   to IoT devices.  This report summarizes the discussions and lists
   recommendations to the standards community.

I have no clue how the document could be clearer as to its
purpose, nor how you seem to confuse "foster a discussion of
requirements" with some idea that the draft should set out
a consensus-based list of requirements for the one true way
to do s/w update.

My conclusion so far is that in this case you prefer to carp
about x.509 rather than be constructive, which is fine given
the imperfection of x.509 but a) shooting those fish in that
barrel has been done, and b) suggests that this thread had
outlived its usefulness even before being started.

If you or anyone else who has read the draft finds it similarly
confusing and is willing to actually point at text that confused
them, then I'd still be happy to improve the text.

If someone (you included) wants to suggest text along the lines
of "here are a few of the many reasons strict adherence to x.509
wouldn't be a good plan for s/w update in this case ..." then
that'd be fine too. (But better done on the iotsu list and not
this one probably.)

S.


>
> Peter.
>


--------------ms010701030606030809010405
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms010701030606030809010405--


From nobody Wed Oct 12 00:17:22 2016
Return-Path: <asanso@adobe.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 947A41296DF for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 00:17:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level: 
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8I1xDD2RFz_p for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 00:17:19 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0055.outbound.protection.outlook.com [104.47.37.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 918201296DD for <saag@ietf.org>; Wed, 12 Oct 2016 00:17:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adobe.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=9c0Zx2C7d+iZUX7EeDx8HI8oxZrSMH834vARWINuGAU=; b=LMrHSGPOmogvnwXj2dMEfCivmqVx3Y1K23l+DfM++lcZJzt+WN/ZH1W3qg9uePZ6OVKJGz6GFnwIxwioBSAMhl/6LkIOKrLRQTDF84KFLu+lp+/CM/ll43B/D2ubTOd0yXzk/TNn0PvB56D4eP/RphcWTKQGR6Hh0MGFkRL5Ess=
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com (10.161.203.148) by BY1PR0201MB1031.namprd02.prod.outlook.com (10.161.203.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.659.11; Wed, 12 Oct 2016 07:17:18 +0000
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) by BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) with mapi id 15.01.0659.020; Wed, 12 Oct 2016 07:17:18 +0000
From: Antonio Sanso <asanso@adobe.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Possible backdoor in RFC 5114
Thread-Index: AQHSJFiqSvl175lGTEyC9BTnWXL4Ig==
Date: Wed, 12 Oct 2016 07:17:18 +0000
Message-ID: <B65455AD-F73C-40ED-B704-201B17CE1D4B@adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=asanso@adobe.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.147.117.11]
x-ms-office365-filtering-correlation-id: 4cf9064d-5049-4362-8305-08d3f26fccef
received-spf: None (protection.outlook.com: adobe.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <CF4F94187B8E454F845233F2C010C8E8@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Oct 2016 07:17:18.1791 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0201MB1031
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Fvwk0qgrUjqF8cjAW77DonuXk5g>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Oct 2016 07:17:21 -0000

hi Yoav

>IANA numbers have been assigned to them for IKE, but they have not seen widespread use

I would not be too sure about this. For example see [0]. On top Exim and BouncyCastle have RFC 5114 as default for DH.
And more to come…

regards

antonio

[0] http://blog.intothesymmetry.com/2016/01/openssl-key-recovery-attack-on-dh-small.html


From nobody Wed Oct 12 02:38:25 2016
Return-Path: <dot@dotat.at>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 157A51295F7 for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 02:38:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJeNrVySfw9z for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 02:38:23 -0700 (PDT)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk [131.111.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 901571295F3 for <saag@ietf.org>; Wed, 12 Oct 2016 02:38:22 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:58449) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1buFzQ-00105p-Kd (Exim 4.86_36-e07b163) (return-path <dot@dotat.at>); Wed, 12 Oct 2016 10:38:20 +0100
Date: Wed, 12 Oct 2016 10:38:20 +0100
From: Tony Finch <dot@dotat.at>
To: Antonio Sanso <asanso@adobe.com>
In-Reply-To: <B65455AD-F73C-40ED-B704-201B17CE1D4B@adobe.com>
Message-ID: <alpine.DEB.2.11.1610121037380.31786@grey.csi.cam.ac.uk>
References: <B65455AD-F73C-40ED-B704-201B17CE1D4B@adobe.com>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/u2_kKF5qm68sfM1n0JiwLaZY_yk>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-List-Received-Date: Wed, 12 Oct 2016 09:38:25 -0000

Antonio Sanso <asanso@adobe.com> wrote:
>
> >IANA numbers have been assigned to them for IKE, but they have not seen widespread use
>
> I would not be too sure about this. For example see [0]. On top Exim and
> BouncyCastle have RFC 5114 as default for DH.

There was an announcement on this topic from the Exim maintainers a few
days ago.

https://lists.exim.org/lurker/message/20161008.231103.c70b2da8.en.html

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire: Variable 3 or 4, becoming southeasterly 4 or 5 later in
south. Slight, occasionally moderate. Showers later. Good.


From nobody Wed Oct 12 02:48:50 2016
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50F901295F6 for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 02:48:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jED5zvRlpLh2 for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 02:48:47 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 708EA1294B6 for <saag@ietf.org>; Wed, 12 Oct 2016 02:48:47 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id o81so20710369wma.1 for <saag@ietf.org>; Wed, 12 Oct 2016 02:48:47 -0700 (PDT)
X-Received: by 10.194.158.193 with SMTP id ww1mr216770wjb.176.1476265725946; Wed, 12 Oct 2016 02:48:45 -0700 (PDT)
Received: from [192.168.1.13] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id n9sm1971548wmi.13.2016.10.12.02.48.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Oct 2016 02:48:45 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <B65455AD-F73C-40ED-B704-201B17CE1D4B@adobe.com>
Date: Wed, 12 Oct 2016 12:48:41 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <E7602579-9288-4011-82BA-1A8D6012C4BC@gmail.com>
References: <B65455AD-F73C-40ED-B704-201B17CE1D4B@adobe.com>
To: Antonio Sanso <asanso@adobe.com>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/EW9BL391MoOESjtPmDEuSxCwGCw>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-List-Received-Date: Wed, 12 Oct 2016 09:48:49 -0000

> On 12 Oct 2016, at 10:17, Antonio Sanso <asanso@adobe.com> wrote:
> 
> hi Yoav
> 
>> IANA numbers have been assigned to them for IKE, but they have not seen widespread use
> 
> I would not be too sure about this. For example see [0]. On top Exim and BouncyCastle have RFC 5114 as default for DH.
> And more to come…
> 

Hey, if you’re collecting them, it is possible (though annoying) to configure “group 24” on Check Point gateways ([0]).

But I don’t know any IKE implementations that use that by default.

Yoav

[0] https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk27054


From nobody Wed Oct 12 07:20:52 2016
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8417A129535 for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 07:20:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.996
X-Spam-Level: 
X-Spam-Status: No, score=-4.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vc80H3crWPwy for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 07:20:44 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id AA0D7129540 for <saag@ietf.org>; Wed, 12 Oct 2016 07:20:44 -0700 (PDT)
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <V=5GuwBM5Qsr@waldorf.isode.com>; Wed, 12 Oct 2016 15:20:43 +0100
To: Kent Watsen <kwatsen@juniper.net>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "saag@ietf.org" <saag@ietf.org>
References: <CAHbuEH7qDyis5M=kPf=VWL-69Kh_vu-J3h__0TFeUYdMdnZ0WQ@mail.gmail.com> <CA1C13E6-ADCA-4E34-95C3-C8392183376B@juniper.net>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <2545ae45-184d-2c4f-7b2a-ddabaa99ca61@isode.com>
Date: Wed, 12 Oct 2016 15:20:28 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
In-Reply-To: <CA1C13E6-ADCA-4E34-95C3-C8392183376B@juniper.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------4CD484DF62B9A566E9AD9DF2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ylZoP9O1LG2ot3h5oDqnLLwukUw>
Cc: Alexey Melnikov <aamelnikov@fastmail.fm>
Subject: Re: [saag] SecEvent Charter
X-List-Received-Date: Wed, 12 Oct 2016 14:20:51 -0000

--------------4CD484DF62B9A566E9AD9DF2
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-transfer-encoding: quoted-printable

Hi Kent,


On 28/09/2016 01:38, Kent Watsen wrote:
> Did anyone consider the overlap between this and event notifications effort in the NETCONF working group?
>
>    draft-ietf-netconf-rfc5277bis
>    draft-ietf-netconf-netconf-event-notifications
>    draft-ietf-netconf-restconf-notif
>    draft-ietf-netconf-yang-push
>
> It may not have the same focus, but it can get the job done, right?
>
> Thanks,
> Kent

Copying a reply from the id-event@ mailing list. I think there are some
misconceptions about NETCONF/RESTCONF, but the point about reuse of
other existing IETF standards stands.

----- Original message -----
From: Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>>
To: Alexey Melnikov <aamelnikov@fastmail.fm <mailto:aamelnikov@fastmail.fm>>
Cc: id-event@ietf.org <mailto:id-event@ietf.org>
Subject: Re: [Id-event] Fwd: Re: [saag] SecEvent Charter
Date: Thu, 29 Sep 2016 09:54:32 -0700

Alexey,

Great question. There is certainly some overlap in requirements and
goals around subscription management.

Regarding Implementation,
The SET Event work so far is a profile of the JWT (RFC7519) for secure
event tokens and SCIM (RFC7643/7644) for subscription management so that
we can build on existing implementations and stacks for rapid adoption.
We have proposed a very simple HTTP POST over TLS for delivery. The
key profiling aspect of HTTP POST is to require that the subscriber not
respond with acceptance (e.g. HTTP Status 202) unless the receiver was
able to validate the message.

The OpenID Connect and RISC working groups have been putting events into
test and are feeding back into the specs directly.  Connect’s Logout
spec has already re-aligned with the SET token.

Regarding NETCONF,
The community of participants (SCIM, OAuth, RISC, Connect, HEART, …) are
largely focused on co-ordinating events between HTTPS based systems and
endpoints using mostly JSON centric payloads.

In contrast, my perception of NETCONF is it is working at a lower layer
(network devices) and as such supports transmission using SSH (which is
MTI) with largely XML structured data.  The current NETCONF MTI
requirements would not be workable.

My perception of intent by most participants is to establish a
contextual web of pub/sub relationships rather than a message bus. So,
there may not be much to be gained from aligning with NETCONF since the
network configuration components are kept distant from the application
security components.


Phil

@independentid
www.independentid.com <http://www.independentid.com>
phil.hunt@oracle.com <mailto:phil.hunt@oracle.com>



>
>
> On 9/27/16, 5:00 PM, "saag on behalf of Kathleen Moriarty" <saag-bounces@ietf.org on behalf of kathleen.moriarty.ietf@gmail.com> wrote:
>
>      Hello,
>
>      A new working group has been proposed, SecEvent, that crosses between
>      the ART and security areas.  This builds off of SCIM work, also
>      leveraging OAuth, and will incorporate use of JWT from JOSE.  The
>      working group, if approved, will go into the security area and I've
>      agreed to AD it.  Please take a look at the charter under review:
>
>      https://datatracker.ietf.org/doc/charter-ietf-secevent/
>
>      And join the mailing list for discussion:
>      https://mailarchive.ietf.org/arch/search/?email_list=id-event
>
>      --
>
>      Best regards,
>      Kathleen
>
>      _______________________________________________
>      saag mailing list
>      saag@ietf.org
>      https://www.ietf.org/mailman/listinfo/saag
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


--------------4CD484DF62B9A566E9AD9DF2--
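An added example, not code from this thread, the SET drafts or any implementation named in it: a receiver-side check for the delivery rule Phil describes above, where the subscriber answers HTTP 202 only once the pushed token has validated and rejects otherwise. It assumes HS256 signing with a constructed shared secret, the SET claim names `iss`, `aud`, `iat`, `jti` and `events`, and `err` codes modelled on the later push-delivery profile; all of these are assumptions, not something the message specifies.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_set(secret: bytes, claims: dict, alg: str = "HS256") -> str:
    """Build a SET (used here only to construct sample input). Any alg other
    than HS256 yields an unsigned token, which the negative test relies on."""
    header = {"alg": alg, "typ": "secevent+jwt"}  # assumed header values
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg != "HS256":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class SetValidationError(Exception):
    """Carries the 'err' code the receiver reports plus a description."""

    def __init__(self, err: str, description: str):
        super().__init__(description)
        self.err = err


def validate_set(token: str, secret: bytes, expected_iss: str,
                 expected_aud: str, now: int, max_age: int = 300) -> dict:
    """Return the claims of a valid SET or raise SetValidationError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise SetValidationError("invalid_request", "not a compact JWS")
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise SetValidationError("invalid_request", "malformed token: %s" % exc)
    # Pin the algorithm: the token must not get to choose "none" or another alg.
    if header.get("alg") != "HS256":
        raise SetValidationError("invalid_request", "unsupported alg")
    expected = hmac.new(secret, (head_b64 + "." + payload_b64).encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise SetValidationError("invalid_key", "signature does not verify")
    if claims.get("iss") != expected_iss:
        raise SetValidationError("invalid_issuer", "unexpected iss")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise SetValidationError("invalid_audience", "token not meant for us")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise SetValidationError("invalid_request", "iat missing, future or stale")
    if not isinstance(claims.get("jti"), str) or not claims["jti"]:
        raise SetValidationError("invalid_request", "jti missing")
    events = claims.get("events")
    if not isinstance(events, dict) or not events:
        raise SetValidationError("invalid_request", "events claim missing or empty")
    return claims


def receive(token: str, secret: bytes, expected_iss: str, expected_aud: str,
            seen_jti: set, now: int = None):
    """Receiver-side decision for one pushed SET: (HTTP status, JSON body).
    202 is returned only after validation succeeded; a re-delivered jti
    (transmitter retry after a lost ack) is acknowledged but not reprocessed."""
    now = int(time.time()) if now is None else now
    try:
        claims = validate_set(token, secret, expected_iss, expected_aud, now)
    except SetValidationError as exc:
        return 400, {"err": exc.err, "description": str(exc)}
    if claims["jti"] not in seen_jti:
        seen_jti.add(claims["jti"])  # first delivery: hand off to processing here
    return 202, {}


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"  # constructed sample key
    NOW = 1476000000
    sample = {"iss": "https://idp.example", "aud": "https://rp.example",
              "iat": NOW, "jti": "evt-1",
              "events": {"urn:example:event:session-revoked": {}}}
    print(receive(make_set(SECRET, sample), SECRET, "https://idp.example",
                  "https://rp.example", set(), now=NOW))
```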


From nobody Wed Oct 12 22:48:59 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BEFF12988D for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 22:48:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.196
X-Spam-Level: 
X-Spam-Status: No, score=-7.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LM0DtoDv7vmU for <saag@ietfa.amsl.com>; Wed, 12 Oct 2016 22:48:54 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17E831295E3 for <saag@ietf.org>; Wed, 12 Oct 2016 22:48:53 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,338,1473076800"; d="scan'208";a="110013874"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.5 - Outgoing - Outgoing
Received: from uxcn13-tdc-d.uoa.auckland.ac.nz ([10.6.3.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 13 Oct 2016 18:48:48 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 13 Oct 2016 18:48:48 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Thu, 13 Oct 2016 18:48:48 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] software update for teeny-weeny devices
Thread-Index: AQHSIlbq37mnVrbYmk+x7O/8iCzEkKCin7Nk//+rF4CAAedM3///VvAAgAJdGiw=
Date: Thu, 13 Oct 2016 05:48:47 +0000
Message-ID: <1476337722056.41232@cs.auckland.ac.nz>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz> <b113c5e7-72e7-16e8-9a54-3053ebaa1c93@cs.tcd.ie> <1476157701079.16040@cs.auckland.ac.nz> <73611303-a4bb-8c6d-bf85-d443948ebd9c@cs.tcd.ie> <1476244125968.29351@cs.auckland.ac.nz>, <69c6e7bd-cfca-45ce-8821-af33355dd4a3@cs.tcd.ie>
In-Reply-To: <69c6e7bd-cfca-45ce-8821-af33355dd4a3@cs.tcd.ie>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/4_Pdi8hUFvxKCWPXl_5ZlTg0gy8>
Subject: Re: [saag] software update for teeny-weeny devices
X-List-Received-Date: Thu, 13 Oct 2016 05:48:58 -0000

Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:

>I think we're done here.

You asked for feedback on the doc, I thought I'd have a look and try and
provide some but since there were no requirements I wasn't able to evaluate
the doc against anything to see if there were problems.  You've indicated that
there are no requirements, in which case I guess we are done, I can't provide
useful feedback on something for which the requirements are a null set.

The X.509 stuff was just the first thing that leaped out at me, there's no
particular significance attached to it.

Peter.


From nobody Thu Oct 13 02:01:51 2016
Return-Path: <benlaurie@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9BD31294A5 for <saag@ietfa.amsl.com>; Thu, 13 Oct 2016 02:01:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLFcy9OjzSie for <saag@ietfa.amsl.com>; Thu, 13 Oct 2016 02:01:46 -0700 (PDT)
Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C4F8124281 for <saag@ietf.org>; Thu, 13 Oct 2016 02:01:46 -0700 (PDT)
Received: by mail-lf0-x230.google.com with SMTP id l131so89038270lfl.2 for <saag@ietf.org>; Thu, 13 Oct 2016 02:01:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=Dz/6ED4HncvYb/gGTqB1V9l5Tenw7uOHyVaYJOr8NTE=; b=nc+4pQGVl7dLqACj401oeVjjPHWvOHLt2cZyPMw6amF7SrWu6bvdBuwkldv6VVLI4c aratrYpOhHnNR5SKrcRmgJIOuH6hoiTHqw1CQLXeJvG4jI6OPmXJOhGCCKmI1ltRBqcM HTwF0KyZ3JVGnb3oUYtxBH2qUtVuUiPyw9vOJbX/z7MrhpsixWqwVEciWv896lEu6ndC dU2bXm2p4zM4gJOR2ZkCiozhLlZKtWAwEfbLYOb6+wfQZkVNq5ynXC0LaJQLcmnIXFLn SlYIau3kxL9lo9DpNQZzmtpE5rQJDlVpDF0q1msAmdFKuMemH4JuZrgs+vxF70DFTSEM X4wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=Dz/6ED4HncvYb/gGTqB1V9l5Tenw7uOHyVaYJOr8NTE=; b=m4BpcS58MxkhS3+Wk8EoXJrNmnOCXqwIIlxKxWbXrsg3MILwF6XNqimBzgZIsEpaKS LGTsIm8+kfHWkJ+AEBj93blFgjFhSocA4SwoFquq/Kmn1aiBKpE1LqYIZTrLnteoPr8u uLisHW4H5giIJbLuGvZfrXOdbvKavIQci8UHQqFEI1WBRuAk7CZMWGaKnD1I7oi41Hdm WR4erd4Zgd0gkkwuTjtKgP2h3JdJ2RqcTioelGzsDrCqOLApymmahWeBtd9kzvReQZBQ Qe80G+t6THIb3EiIV3SGwN0lpRSYUhQPlf+zBYBLWx+fKT5n7yYQS83DHx4f8R3s2YwE dyug==
X-Gm-Message-State: AA6/9RmHWXARy8fR+qrNBO/CVjhsU/EBin8v59nn4pzLxhAjxLA68+u4ruS31p7zLdJPFml4g3i0bA+4zW2YEQ==
X-Received: by 10.28.174.209 with SMTP id x200mr1374135wme.55.1476349303572; Thu, 13 Oct 2016 02:01:43 -0700 (PDT)
MIME-Version: 1.0
Sender: benlaurie@gmail.com
Received: by 10.80.163.39 with HTTP; Thu, 13 Oct 2016 02:01:42 -0700 (PDT)
In-Reply-To: <fdcc3a6e-75ab-30ad-7b5f-e1f091b0c47d@gmx.net>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <1475979732739.80385@cs.auckland.ac.nz> <1476039736.28198.140.camel@infradead.org> <fdcc3a6e-75ab-30ad-7b5f-e1f091b0c47d@gmx.net>
From: Ben Laurie <ben@links.org>
Date: Thu, 13 Oct 2016 10:01:42 +0100
X-Google-Sender-Auth: vWq7VVKV_qRGjQSJzjIfsDWSiEc
Message-ID: <CAG5KPzwkLMHUvBqqMjzsd=L_7+OguyyM7BZ2+aXEgHq2KDqTSA@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jVMhckRNgNUFbltTNBDbf28sgRE>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 09:01:51 -0000

On 10 October 2016 at 09:44, Hannes Tschofenig
<hannes.tschofenig@gmx.net> wrote:
> Our story for
> providing time securely to these devices isn't that great either since
> NTP again assumes that you have been configured with the correct time.

How so?

BTW, are you aware of roughtime? https://roughtime.googlesource.com/roughtime


From nobody Thu Oct 13 05:28:13 2016
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C84A1296D6 for <saag@ietfa.amsl.com>; Thu, 13 Oct 2016 05:28:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level: 
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id efXvrdLqETav for <saag@ietfa.amsl.com>; Thu, 13 Oct 2016 05:28:08 -0700 (PDT)
Received: from nm20-vm5.bullet.mail.ne1.yahoo.com (nm20-vm5.bullet.mail.ne1.yahoo.com [98.138.91.242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 490531294A4 for <saag@ietf.org>; Thu, 13 Oct 2016 05:28:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1476361687; bh=N1bVDE31iORGKloP5yTt+Fsq7ayMDfbKT3T3blOH/J4=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=BZHLualiW/5+93k9qzMo/Ef0aSZN/cYoN01XuQOfieXsWh/F3EcLMlQp7Up0wztmbQ5eKi7w9gw2kFxNImK1UFsEjEFAwIXMcIJaOYt/oLuxxoD8U0HPaoKHrk8SPQ/eUD7LFcKL9yO/KPEGEWZDpJ0Zv0ee5g2OEJy9N4pgtgmor2mKg9NExVjiPdCc91QDPZ1oRBfY4semmpRxgboK0LwQIllLxfK1pd0mDQRhDfcKvknKLNgXQ3StABnB+YTdV3nIJ/0xGFN8urIazqTA6ogbKS9J9tpuLYQQFgIXhK7+YXve9ui19OUA/nXqp4Az4a5G5+SgIzouuVjoM7raqw==
Received: from [98.138.100.117] by nm20.bullet.mail.ne1.yahoo.com with NNFMP;  13 Oct 2016 12:28:07 -0000
Received: from [98.138.89.246] by tm108.bullet.mail.ne1.yahoo.com with NNFMP;  13 Oct 2016 12:28:07 -0000
Received: from [127.0.0.1] by omp1060.mail.ne1.yahoo.com with NNFMP; 13 Oct 2016 12:28:07 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 570802.80719.bm@omp1060.mail.ne1.yahoo.com
X-YMail-OSG: Co.__xsVM1n1mmNUbvxrsvyQ2HbnFJRh7dbL1pJ1zCbxvTrHUHfjNFNb2dwupCN o.wDo1RjVUUIpuH_aV3Fv8u5vaxIE9r3sTep4_9XEkbV43c4Wr0HVm4vdUK_QabrBVXt8oPNt3_T 16T_2ZxSBN8qXCEsp5cNqjDbiStVloHP0bedn7qQGwH0L1O.pFNZa65x1y2QqLVw4x5clKBPksNf xZjQh0neVSlB8P9Pt7Th7QwEPsyKsEGFm0VY0WgNby.3VhGqjO_zE5t_HVqCbptlMhwP9O12bMr8 8UJlAlxB6U8Q0QBAyfydrvAhA.8mkReqAarmetRT6MYi14YfVhqs7V8kBoyxyHsu0BgKVz4m8wOw Pshmr95O_vQw8T.2xkNQ_LfWayZqf_Pae1dCuZYKPacgD8u4xo_8LAWqImUt8akxb4Jah1s1.IOZ FSnNCO6B_XZmOfINlXLLaZRQWrY8zUl1YMOCLrWEUjAH_EVoQBuWjMAIrAAQACLPXheKeH0aTOwU QuEEyaVJsU66OoMUOvx9JKejMKTxHWXVf5OH5u_V8oEbkcaO.f2k3laJaQ4VWub16itcj9JpLew--
Received: from jws200148.mail.ne1.yahoo.com by sendmailws104.mail.ne1.yahoo.com; Thu, 13 Oct 2016 12:28:07 +0000; 1476361687.140
Date: Thu, 13 Oct 2016 12:28:03 +0000 (UTC)
From: <nalini.elkins@insidethestack.com>
To: "saag@ietf.org" <saag@ietf.org>
Message-ID: <2122275166.97735.1476361683603@mail.yahoo.com>
In-Reply-To: <1901933387.417923.1476328888389@mail.yahoo.com>
References: <1901933387.417923.1476328888389.ref@mail.yahoo.com> <1901933387.417923.1476328888389@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_97734_1854904787.1476361683597"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0-0XEt7NLL5R_RzZMXNbtWkNKY0>
Cc: "MORTON ALFRED C \(AL\)" <acmorton@att.com>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: nalini.elkins@insidethestack.com
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 12:28:11 -0000

------=_Part_97734_1854904787.1476361683597
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Kathleen and Al,

The "Effect of Ubiquitous Encryption" draft is an excellent summary of the
impact on operations and network management posed by the changes to the
security environment.
Great work, guys!!!

I wanted to comment on a few things as far as they impact private
enterprises.

1. In the Abstract: we may want to remind the reader that network management
includes troubleshooting because a number of changes will need to be made in
how troubleshooting is done.  I would suggest the following:

Old: This draft includes a collection of current security and network
management functions that may be impacted by this shift to increased use of
encryption.

New: This draft includes a collection of current security and network
management (including troubleshooting) functions that may be impacted by this
shift to increased use of encryption.

2.  At the end of section 1, we might want to add that private enterprises
are also considered.

Suggested words:

"We will also consider the situation of the private enterprise, where IP
packet transport, applications, and infrastructure are privately owned and
contained within or interconnect private data centers."

3.  Then, I would suggest replacing Sections 4 and 4.1 of the draft in its
entirety with the words below:

********************************************

4.  Encryption for Enterprise Users

Encryption of network traffic within the private enterprise is a growing
trend, particularly in industries with audit and regulatory requirements.
Some enterprise internal networks are almost completely TLS and/or IPsec
encrypted.

For each type of monitoring, different techniques and parts of the data
stream may be necessary.  As we transition to an increased use of encryption
that is increasingly harder to break, alternate methods of monitoring for
operational purposes may be necessary to prevent the need to break encryption
and thus privacy of users (which may not apply in a corporate setting by
policy).

4.1.  Monitoring Needs of the Enterprise

Large corporate enterprises are the owners of the platforms, data, and
network infrastructure that provide critical business services to their user
communities.  As such, these enterprises are responsible for all aspects of
the performance, availability, security, and quality of experience for all
user sessions. These responsibilities break down into three basic areas:

          1. Security Monitoring and Control
          2. Application Performance Monitoring and Reporting
          3. Network Diagnostics and Troubleshooting

In each of the above areas, technical support teams utilize collection,
monitoring, and diagnostic systems that in some organizations currently use
static RSA private keys to decrypt passively monitored copies of encrypted
TLS packet streams.

To an enterprise (and the customers that it serves), the cost of network
and/or application down time can be great.  The focus of enterprises in their
private data centers is to deliver expected levels of service, performance,
protection, and availability.

4.1.1 Security Monitoring in the Enterprise

Enterprise Security Monitoring breaks down into the following areas:

1.  Data Loss Prevention - intercept outbound session traffic to monitor for
intellectual property leakage (by users or more likely these days through
malware and trojans),

2.  Intrusion Detection/Intrusion Prevention - detect viruses/malware
entering the network via email or web traffic,

3.  Malware Detection - detect malware/Trojans in action, possibly connecting
to remote hosts,

4.  Security Analytics - detect attacks (Cross site scripting and other
common web related attacks),

5.  Track misuse and abuse by employees,

6.  Restrict the types of protocols permitted to/from the corporate
environment,

7.  DDoS Prevention - detect and defend against Internet DDoS attacks,
including both volumetric and layer 7 attacks.

A significant portion of malware hides its activity within TLS or other
encrypted protocols.  This includes lateral movement, Command and Control,
and Data Exfiltration.  These functions are critical to security and fraud
monitoring.

To an enterprise (and the customers that it serves), the cost of network
and/or application down time can be great.  The focus of enterprises in their
private data centers is to deliver expected levels of service, performance,
protection, and availability. AND this can be accomplished using some form of
traffic analysis sometimes including examination of the payload.

4.1.2 Application Performance Monitoring in the Enterprise

1.  Assess traffic volume on a per-application basis, for billing, capacity
planning, optimization of geographical location for servers or proxies, and
other needs,

2.  Assess performance in terms of application response time and user
perceived response time,

Network-based Application Performance Monitoring tracks application response
time by user and by URL, which is the information that the application owners
and the lines of business need. Content Delivery Networks (CDNs) add
complexity in determining the ultimate endpoint destination.  By their very
nature, such information is obscured by CDNs and encrypted protocols --
adding a new challenge for troubleshooting network and application problems.
URL identification allows the application support team to do granular, code
level troubleshooting at multiple tiers of an application.

New methodologies to monitor user perceived response time and to separate
network from server time are evolving.  For example, the IPv6 Destination
Option implementation of Performance and Diagnostic Metrics (PDM) will
provide this. [draft-ietf-ippm-6man-pdm-option-06]

4.1.3 Enterprise Network Diagnostics and Troubleshooting

One primary key to network troubleshooting is the ability to follow a
transaction through the various tiers of an application in order to isolate
the fault domain.  A variety of factors relating to the structure of the
modern data center and the modern multi-tiered application have made it
impossible to follow a transaction in network traces without the ability to
examine some of the packet payload.

4.1.3.1 NAT

Content Delivery Networks (CDNs) and NATs obscure the ultimate endpoint
designation.  Troubleshooting a problem for a specific end user requires
finding information such as the IP address and other identifying information
so that their problem can be resolved in a timely manner.

NAT is also frequently used by lower layers of the data center
infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and
Middleware servers all regularly NAT the source IP of packets. Combined with
the fact that users are often sprayed randomly by load balancers to all these
devices, the network troubleshooter is often left with no option in today's
environment except to trace all packets at a particular layer, decrypt them
all, and look at the payload to find a user session.

This kind of bulk packet capture and bulk decryption is frequently required
when troubleshooting a large and complex application. Endpoints typically
don't have the capacity to handle this level of network packet capture, so
out-of-band networks of robust packet brokers and network sniffers, which
depend on static RSA private keys, have evolved to fill this need.

4.1.3.2 TCP Pipelining/Session Multiplexing

When TCP Pipelining/Session Multiplexing is used, usually by Middle boxes
today, multiple end user sessions share the same TCP connection.  Today's
network troubleshooter often relies upon session decryption to tell which
packet belongs to which end user.

With the advent of HTTP2, session multiplexing will be used ubiquitously,
both on the Internet and in the private data center.

4.1.3.3 HTTP Service Calls

When an application server makes an HTTP service call to back end services
on behalf of a user session, it uses a completely different URL and a
completely different TCP connection.  It must be possible to match up the
user request above with the HTTP service call below.  Today, this is done by
decrypting the TLS packet and inspecting the payload.

4.1.3.4 Application Layer Data

Modern applications often use XML structures in the payload of the data to
store application level information.  When the network and application teams
must work together, each has a different view of the transaction failure. It
is important to be able to correlate the network packet with the actual
problem experienced by an application.

Thanks,

Nalini Elkins
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360
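
The proposed section 4.1 rests on passive monitors that decrypt TLS copies with static RSA private keys, and section 4.1.3.1 notes that CDNs and NAT hide the real endpoint. One of the "alternate methods of monitoring" the text asks for is to read what the handshake exposes in the clear: the ClientHello carries the server name (SNI), the offered cipher suites and the 32-byte client_random, and that random is also the key under which endpoint-side key logs are indexed. The following is an added example written for this thread, not code from the message above or from the draft; it constructs a minimal TLS 1.2 ClientHello (the hostname app.example.internal and the two cipher suites are invented for the demo) and parses it the way a passive monitor would, rejecting truncated or non-ClientHello records instead of mis-attributing them.

```python
# Added example (not from the draft or the message above): passive extraction of
# TLS ClientHello metadata (client_random, offered cipher suites, SNI) from a
# captured record. The ClientHello bytes are constructed here, not captured.
import struct

SNI_EXT_TYPE = 0          # extension type for server_name (RFC 6066)
HANDSHAKE_RECORD = 0x16   # TLS content type "handshake"
CLIENT_HELLO = 0x01       # handshake message type


def build_client_hello(server_name: str, client_random: bytes) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (demo input, not real traffic)."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    extensions = struct.pack("!H", len(ext)) + ext
    suites = b"\xc0\x2f\xc0\x30"   # two ECDHE-RSA AES-GCM suites, chosen for the demo
    body = (b"\x03\x03" + client_random + b"\x00"               # TLS 1.2, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                        # one compression method: null
            + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Slice n bytes at pos, or raise ValueError instead of silently truncating."""
    if pos + n > len(buf):
        raise ValueError("truncated field at offset %d" % pos)
    return buf[pos:pos + n]


def _parse_sni(ext_data: bytes):
    """Return the first host_name entry of a server_name extension, or None."""
    list_len = struct.unpack("!H", _take(ext_data, 0, 2))[0]
    pos, end = 2, min(2 + list_len, len(ext_data))
    while pos + 3 <= end:
        name_type = ext_data[pos]
        name_len = struct.unpack("!H", ext_data[pos + 1:pos + 3])[0]
        name = _take(ext_data, pos + 3, name_len)
        pos += 3 + name_len
        if name_type == 0:
            return name.decode("ascii", errors="replace")
    return None


def parse_client_hello(record: bytes) -> dict:
    """Extract version, client_random, cipher suites and SNI from one TLS record.

    Raises ValueError for anything that is not a complete ClientHello, so a
    monitor can count malformed captures rather than attribute them to a user.
    """
    hdr = _take(record, 0, 5)
    if hdr[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", hdr[3:5])[0]
    hs = _take(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = _take(hs, 4, hs_len)
    pos = 0
    version = tuple(_take(body, pos, 2)); pos += 2
    client_random = _take(body, pos, 32); pos += 32
    sid_len = _take(body, pos, 1)[0]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", _take(body, pos, 2))[0]; pos += 2
    cs_bytes = _take(body, pos, cs_len); pos += cs_len
    suites = [struct.unpack("!H", cs_bytes[i:i + 2])[0]
              for i in range(0, cs_len - cs_len % 2, 2)]
    comp_len = _take(body, pos, 1)[0]; pos += 1 + comp_len
    sni = None
    if pos < len(body):                          # the extensions block is optional
        ext_len = struct.unpack("!H", _take(body, pos, 2))[0]; pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = _take(body, pos, elen); pos += elen
            if etype == SNI_EXT_TYPE and sni is None:
                sni = _parse_sni(edata)
    return {"version": version, "client_random": client_random,
            "cipher_suites": suites, "sni": sni}


def index_by_client_random(records) -> dict:
    """Map client_random (hex) -> SNI for every parseable ClientHello; skip the rest.

    The same client_random value is what endpoint-side key logs are keyed by, so
    this index is the join point between a passive capture and endpoint data,
    without the monitor holding any long-term private key.
    """
    out = {}
    for rec in records:
        try:
            info = parse_client_hello(rec)
        except ValueError:
            continue
        out[info["client_random"].hex()] = info["sni"]
    return out
```

For a real capture the records come from the TCP stream reassembler rather than from build_client_hello, and a TLS 1.3 ClientHello parses the same way (the SNI extension is still in the clear unless Encrypted Client Hello is in use), which is why the parser only keys on the extension type and not on the record version.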
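Section 4.1.3.2 says the troubleshooter has to tell which packet belongs to which end user once several sessions share one TCP connection, and that HTTP/2 makes this the norm. After the TLS layer is removed (whatever the key source), attribution is a matter of reading the 9-byte frame header of RFC 7540 and grouping by stream identifier. The following is an added example for this thread, not code from the message above or from the draft; the interleaved frames for two user streams (ids 1 and 3) are constructed inline and the HPACK byte 0x88 stands for the static-table entry ":status 200".

```python
# Added example (not from the draft or the message above): attributing frames on
# a multiplexed HTTP/2 connection to their streams once the plaintext is available.
# The frame bytes below are constructed for the demo; they are not captured traffic.
import struct

FRAME_HEADER_LEN = 9
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x3: "RST_STREAM", 0x4: "SETTINGS",
               0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
FLAG_END_STREAM = 0x1


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Construct one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for one frame")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) per frame; raise on a truncated capture."""
    pos = 0
    while pos < len(data):
        if pos + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header at offset %d" % pos)
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF  # drop R bit
        payload = data[pos + FRAME_HEADER_LEN:pos + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload at offset %d" % pos)
        pos += FRAME_HEADER_LEN + length
        yield ftype, flags, stream_id, payload


def demultiplex(data: bytes) -> dict:
    """Group frames by stream id: {id: {"frames": [...], "bytes": n, "closed": bool}}.

    Stream 0 is the connection itself (SETTINGS, GOAWAY, ...); every other id is
    one request/response exchange, i.e. one user's transaction on the shared TCP
    connection.
    """
    streams = {}
    for ftype, flags, sid, payload in iter_frames(data):
        s = streams.setdefault(sid, {"frames": [], "bytes": 0, "closed": False})
        s["frames"].append(FRAME_TYPES.get(ftype, "0x%02x" % ftype))
        if ftype == 0x0:
            s["bytes"] += len(payload)
        if ftype in (0x0, 0x1) and flags & FLAG_END_STREAM:
            s["closed"] = True
    return streams


def sample_connection() -> bytes:
    """Constructed server-to-client bytes (after the connection preface) interleaving
    two user streams, 1 and 3, as a multiplexing middlebox or HTTP/2 server would."""
    return b"".join([
        build_frame(0x4, 0x0, 0, b""),                   # SETTINGS on the connection stream
        build_frame(0x1, 0x4, 1, b"\x88"),               # HEADERS, END_HEADERS, ":status 200"
        build_frame(0x1, 0x4, 3, b"\x88"),
        build_frame(0x0, 0x1, 1, b"user-a response"),    # DATA with END_STREAM
        build_frame(0x0, 0x0, 3, b"user-b part 1 "),
        build_frame(0x0, 0x1, 3, b"user-b part 2"),
    ])
```

The per-stream summary is what a trace viewer needs to say "stream 3 carried 27 bytes over two DATA frames and closed cleanly"; matching a stream back to a named user then needs the decoded HEADERS (HPACK), which is the payload-inspection step the draft text is discussing.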
------=_Part_97734_1854904787.1476361683597--


From nobody Fri Oct 14 08:59:31 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 390F112985D for <saag@ietfa.amsl.com>; Fri, 14 Oct 2016 08:59:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.297
X-Spam-Level: 
X-Spam-Status: No, score=-7.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7sKFNRAhYif for <saag@ietfa.amsl.com>; Fri, 14 Oct 2016 08:59:24 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19C7F129857 for <saag@ietf.org>; Fri, 14 Oct 2016 08:59:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 70D9CBE38 for <saag@ietf.org>; Fri, 14 Oct 2016 16:59:20 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id knUnvkcKnqLJ for <saag@ietf.org>; Fri, 14 Oct 2016 16:59:20 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C963FBE32 for <saag@ietf.org>; Fri, 14 Oct 2016 16:59:19 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476460760; bh=pREmAXT43gd8zoYbWRsr1opMx8IGNAp7Hxsw8XLOflg=; h=To:From:Subject:Date:From; b=AlpMXRQjXZmT41s41oz3iNlj1511Ct+G4sdB/6KM+h5qt6js2aWiJ+D2w1qGatZ/R DF8qak8RyA7ZOYnR/RvvCzOmIvz/nEY/6OwBNe9bMjMa7LNdLezUH+yAHRXN7eOeku FXuEx0t9yU1BxHw9LjqgWGfoq7Tlsp/pQbNSMv6s=
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie>
Date: Fri, 14 Oct 2016 16:59:19 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms070008050402050405040801"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/nPVREoq7bSF3lnoPqzBdSco4UP4>
Subject: [saag] metadata insertion draft question
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2016 15:59:29 -0000

This is a cryptographically signed message in MIME format.

--------------ms070008050402050405040801
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

Ted has written a draft [1] on this topic.

Earlier, we wondered whether it'd be good to include
the meat of this into the work on 3552bis. [2]

Ted's now at the point of thinking his draft is near
done so would like to know the plan.

If we seem to have consensus to include this in 3552bis
then that's straightforward.

If we think that's not the best plan, then I'd likely
look at AD sponsoring this separately to see if it has
IETF consensus.

So, what do you think, should we:

a) incorporate the meat of [1] into [2]
b) look at AD sponsoring [1] separately
c) something else...

Thanks,
S.

PS: Note that your answer to the above does not have
to mean you think the text in [1] is perfect. An IETF
last call will be needed for either (a) or (b) when
any changes needed can be identified.


[1] https://tools.ietf.org/html/draft-hardie-privsec-metadata-insertion-03
[2] https://tools.ietf.org/html/draft-nir-saag-rfc3552bis-00


--------------ms070008050402050405040801
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms070008050402050405040801--


From nobody Sat Oct 15 00:40:30 2016
Return-Path: <randy@psg.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD07912964D for <saag@ietfa.amsl.com>; Sat, 15 Oct 2016 00:40:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.897
X-Spam-Level: 
X-Spam-Status: No, score=-9.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4ZtACFOgPMxB for <saag@ietfa.amsl.com>; Sat, 15 Oct 2016 00:40:27 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F1C9129594 for <saag@ietf.org>; Sat, 15 Oct 2016 00:40:27 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com) by ran.psg.com with esmtp (Exim 4.86_2) (envelope-from <randy@psg.com>) id 1bvJZw-0000Hn-HC; Sat, 15 Oct 2016 07:40:24 +0000
Date: Sat, 15 Oct 2016 16:40:22 +0900
Message-ID: <m2y41q5ac9.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie>
References: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.5 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/CCSPw1vDaUTK738fy9lMKe8fBjU>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] metadata insertion draft question
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Oct 2016 07:40:29 -0000

it would be good if ted's draft included example suggestions to
ameliorate the two "Examples of this design pattern include
[RFC7239] and [I-D.ietf-dnsop-edns-client-subnet]"

randy


From nobody Sat Oct 15 00:50:55 2016
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 755DA1295D9 for <saag@ietfa.amsl.com>; Sat, 15 Oct 2016 00:50:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pExtgW4dwIKj for <saag@ietfa.amsl.com>; Sat, 15 Oct 2016 00:50:52 -0700 (PDT)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31D611295BC for <saag@ietf.org>; Sat, 15 Oct 2016 00:50:52 -0700 (PDT)
Received: by mail-wm0-x232.google.com with SMTP id d128so19669328wmf.1 for <saag@ietf.org>; Sat, 15 Oct 2016 00:50:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=fy1YMA9GIeo0Ue+3rv8e9L9CEv6fa3ULAi9qP3KNDLs=; b=hTrWh6qMUcEUOVQ/yF0RiFYRYT1yfJ6hDlk1dRROmz58Q58/8brFjIOlx4FArXINIo lEQNhfYPIRaL0ykQxngEPNPhr6RT5Z88ardf5tpYfJGH0dLbt51C/DL4Pe+oJ/H+x9aq 0pUV4eYWYkJnXmMptWAUafUt1/PFpYaCZtQ6euumWmyPeUcjJanN4CN+Ci3rKih5Zz6g V2xy+41IBOj3WfkRZmezVX7+7+Wt/Jd4zgr6KWRKaKAxCakrkhVhEaaXBXeq0LLRvflK VaoQm9jPXllIQIQA61ZDvru6ZijxLm3xlkfqFHRaVrckhBBynWPRYVpyXtoS1KmU814p NsUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=fy1YMA9GIeo0Ue+3rv8e9L9CEv6fa3ULAi9qP3KNDLs=; b=W3L0IgL5CyHsJ1VpuSXVtt3x2x+Zp9ov6mRnadT+wT1wZ/52Cdar5pPJtxMlWe46Jz ff7KU6qmGkg5PI0Hd7mUkQhgb7EXlFpWY3FJv89cruFJ1MWeshrklHE8u8CFB7qAKL8T PaA8Ra1PEclsyhYT5tYbubwIkJnpPxxl5jF9fZrYb60Y9YyzFnT7uG+qHrayk1XWOJiX Srzmz7jqkexn4zDfZWvFMjtTi/8VWT5Ud6odEbgdDe0vjW3/ylOOn9z4bYMEpdA18zwH CpKvkIqx9XKYAtI+/gLCsmkFoVXQWZ3vD8blLOR5eWu5i23/IwroT5aHmt2H0XRP4VkW IapQ==
X-Gm-Message-State: AA6/9RnNXh4fS/f/ci/fQCQcCp10IizzTtwhqItPiyPPNy3CzccOWpEgzXrkjtdVODzfPw==
X-Received: by 10.194.192.197 with SMTP id hi5mr4666321wjc.71.1476517850704; Sat, 15 Oct 2016 00:50:50 -0700 (PDT)
Received: from [192.168.1.13] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id af4sm26228055wjc.17.2016.10.15.00.50.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 15 Oct 2016 00:50:49 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <BE9B4C4E-6B25-445D-9F4A-31982FCB62A5@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_019D189E-603C-4E2B-A15E-C2571D107D31"
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
Date: Sat, 15 Oct 2016 10:50:47 +0300
In-Reply-To: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/VeFmHemDJBMmTEldQWGk74iUwPQ>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] metadata insertion draft question
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Oct 2016 07:50:54 -0000

--Apple-Mail=_019D189E-603C-4E2B-A15E-C2571D107D31
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8


> On 14 Oct 2016, at 18:59, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
>
>
> Hiya,
>
> Ted has written a draft [1] on this topic.
>
> Earlier, we wondered whether it'd be good to include
> the meat of this into the work on 3552bis. [2]
>
> Ted's now at the point of thinking his draft is near
> done so would like to know the plan.
>
> If we seem to have consensus to include this in 3552bis
> then that's straightforward.
>
> If we think that's not the best plan, then I'd likely
> look at AD sponsoring this separately to see if it has
> IETF consensus.
>
> So, what do you think, should we:
>
> a) incorporate the meat of [1] into [2]
> b) look at AD sponsoring [1] separately
> c) something else…

Plan (a) is tempting. However, since we published version -00 of 3552bis there have been zero comments on the list. We are going to try to revive the discussion, but there’s a real risk that 3552bis will either expire and go away or take a long, long time to reach publication.  I hope this isn’t the case, but it’s a real possibility.

The content in draft-hardie is worth publishing, so I don’t think it’s a good idea to tie it to 3552bis.  Of course we would link to it from 3552bis if it gets published on its own.

But if people prefer (a), just post a PR on [3] and I can merge it into a -01 version before Seoul.

Yoav

[3] https://github.com/IETF-SAAG/RFC3552bis


--Apple-Mail=_019D189E-603C-4E2B-A15E-C2571D107D31--


From nobody Sat Oct 15 05:28:34 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49FAA12955F for <saag@ietfa.amsl.com>; Sat, 15 Oct 2016 05:28:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.297
X-Spam-Level: 
X-Spam-Status: No, score=-7.297 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DATy4GhYb6Sd for <saag@ietfa.amsl.com>; Sat, 15 Oct 2016 05:28:30 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3D8B129413 for <saag@ietf.org>; Sat, 15 Oct 2016 05:28:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id ECCF6BDF9; Sat, 15 Oct 2016 13:28:28 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xP5I9F_hmUwq; Sat, 15 Oct 2016 13:28:24 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id CA76DBDCC; Sat, 15 Oct 2016 13:28:23 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476534504; bh=LpARZOCZmJr2VAQUSedivynssAn2MprclpxCSwRk2BI=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=Qiy3qw5JI3SjkrLDSb4qWYgOWlFl7W6Kep3sn0cENo5jTkkZITzwTXxxjglmnkFVo S1xh+g5uz/lmI3jsAG0TzEHdVRPRB3s+XqyWvwZnS/2F8i71ccbmn+oRfU49miNu0m fM+goDmFzMXgdwQtnz5mrap412sN8Zr37X13kUwg=
To: Yoav Nir <ynir.ietf@gmail.com>
References: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie> <BE9B4C4E-6B25-445D-9F4A-31982FCB62A5@gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <a5ba359b-20ce-1bc7-4fd0-10940c3c3e7e@cs.tcd.ie>
Date: Sat, 15 Oct 2016 13:28:24 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <BE9B4C4E-6B25-445D-9F4A-31982FCB62A5@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms030605040307090507070809"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/MB3NrEkwjPfHHJcCqHeE_pBY_jo>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] metadata insertion draft question
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Oct 2016 12:28:33 -0000

This is a cryptographically signed message in MIME format.

--------------ms030605040307090507070809
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable



On 15/10/16 08:50, Yoav Nir wrote:
> since we published version -00 of 3552bis there have been zero
> comments on the list. We are going to try to revive the discussion,

Yeah, hopefully that's just an over-the-summer thing. I'll start
a thread on that in a bit if other folks don't. (So please do
all feel free to suggest changes to [1] to modernise 3552)

S.

[1] https://tools.ietf.org/html/draft-nir-saag-rfc3552bis-00


--------------ms030605040307090507070809
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms030605040307090507070809--


From nobody Sat Oct 15 12:27:04 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F6A0128E19 for <saag@ietfa.amsl.com>; Sat, 15 Oct 2016 12:27:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.032
X-Spam-Level: 
X-Spam-Status: No, score=-2.032 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HsSWeFeL6fdX for <saag@ietfa.amsl.com>; Sat, 15 Oct 2016 12:27:00 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78E29129496 for <saag@ietf.org>; Sat, 15 Oct 2016 12:27:00 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 2FF53BE2F; Sat, 15 Oct 2016 20:26:58 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bxWIbV2ObCLI; Sat, 15 Oct 2016 20:26:56 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 59259BDCC; Sat, 15 Oct 2016 20:26:56 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476559616; bh=SAvPUVDk204Pt0D6OjYYqJnefePH0Rbk84qSh8KKuQs=; h=To:From:Subject:Date:From; b=DAFfBEm7Blz6hhUKIUHUZzPLC2Q9LY6iD84U6FdlqfUIBciUHl8zTR33t1ZYS+ySN Tl9rQBLTPB5G8eAVIj9QP7hm4M04hEaGgUUusWIthTiVz1qVCWZm6DTg8FgOEYX+IL tJ00D6Hw0Z0m7eUcYYbqNClBSm8QxBSstTdZ+J3g=
To: "saag@ietf.org" <saag@ietf.org>, "Eggert, Lars" <lars@netapp.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <dd289248-9c3c-23d6-8c99-e7722bad938d@cs.tcd.ie>
Date: Sat, 15 Oct 2016 20:26:51 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060007030901060007030808"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/UQ6vFRqM93jb_Uu8qR5aOOfQnvE>
Subject: [saag] rfc5405bis security considerations text
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Oct 2016 19:27:02 -0000

This is a cryptographically signed message in MIME format.

--------------ms060007030901060007030808
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

RFC 5405 provides guidance to folks developing applications
running over UDP. That's being updated now. A lot of that
is about congestion control but there's also some security
considerations text of course. [1]

Some of that security text reads to me like it's fairly
outdated (in particular the bit copied below). While it'd
be nice to fix that, this draft has been approved by the
IESG as the current text, even if outdated, isn't wrong,
so it'd be wrong to block the document on that basis.

That said, if someone had time to offer updated text, in
the next week, that Lars and I were confident would reflect
IETF consensus then Lars has said he'd be willing to use
that.

So if you have the time and interest, please send text to
Lars and me. Sending to the list is fine, but there's no
point in us having a major debate on this, as in that case,
Lars will just reasonably decide to go ahead with the text
he has now.

Thanks in advance,
S.

[1] https://tools.ietf.org/html/draft-ietf-tsvwg-rfc5405bis-19#section-6

The bit of [1] that I thought was most outdated was:

   Many other options for authenticating or encrypting UDP payloads
   exist.  For example, the GSS-API security framework [RFC2743] or
   Cryptographic Message Syntax (CMS) [RFC5652] could be used to protect
   UDP payloads.  There exist a number of security options for RTP
   [RFC3550] over UDP, especially to accomplish key-management, see
   [RFC7201].  These options cover many usages, including point-to-
   point, centralized group communication as well as multicast.  In some
   applications, a better solution is to protect larger stand-alone
   objects, such as files or messages, instead of individual UDP
   payloads.  In these situations, CMS [RFC5652], S/MIME [RFC5751] or
   OpenPGP [RFC4880] could be used.  In addition, there are many non-
   IETF protocols in this area.


--------------ms060007030901060007030808
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms060007030901060007030808--


From nobody Sun Oct 16 07:38:00 2016
Return-Path: <acmorton@att.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDB3512941E for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 07:37:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level: 
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcUO-oLRx_F6 for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 07:37:54 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F6B9127A90 for <saag@ietf.org>; Sun, 16 Oct 2016 07:37:54 -0700 (PDT)
Received: from pps.filterd (m0049295.ppops.net [127.0.0.1]) by m0049295.ppops.net-00191d01. (8.16.0.17/8.16.0.17) with SMTP id u9GEZEJU031442; Sun, 16 Oct 2016 10:37:53 -0400
Received: from tlpd255.enaf.dadc.sbc.com (sbcsmtp3.sbc.com [144.160.112.28]) by m0049295.ppops.net-00191d01. with ESMTP id 264b2kgeh6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 16 Oct 2016 10:37:52 -0400
Received: from enaf.dadc.sbc.com (localhost [127.0.0.1]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id u9GEbpfH113420; Sun, 16 Oct 2016 09:37:51 -0500
Received: from dalint01.pst.cso.att.com (dalint01.pst.cso.att.com [135.31.133.159]) by tlpd255.enaf.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id u9GEbkF7113371 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 16 Oct 2016 09:37:46 -0500
Received: from tlpd252.dadc.sbc.com (tlpd252.dadc.sbc.com [135.31.184.157]) by dalint01.pst.cso.att.com (RSA Interceptor); Sun, 16 Oct 2016 14:37:32 GMT
Received: from dadc.sbc.com (localhost [127.0.0.1]) by tlpd252.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id u9GEbH7w120045; Sun, 16 Oct 2016 09:37:17 -0500
Received: from mail-azure.research.att.com (mail-azure.research.att.com [135.207.255.18]) by tlpd252.dadc.sbc.com (8.14.5/8.14.5) with ESMTP id u9GEaKLT118770; Sun, 16 Oct 2016 09:36:30 -0500
Received: from exchange.research.att.com (njfpsrvexg0.research.att.com [135.207.255.124]) by mail-azure.research.att.com (Postfix) with ESMTP id 118C1E03B9; Sun, 16 Oct 2016 10:36:14 -0400 (EDT)
Received: from NJFPSRVEXG0.research.att.com ([fe80::108a:1006:9f54:fd90]) by NJFPSRVEXG0.research.att.com ([fe80::108a:1006:9f54:fd90%25]) with mapi; Sun, 16 Oct 2016 10:36:13 -0400
From: "MORTON, ALFRED C (AL)" <acmorton@att.com>
To: "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, "saag@ietf.org" <saag@ietf.org>
Date: Sun, 16 Oct 2016 10:36:12 -0400
Thread-Topic: draft-mm-wg-effect-encrypt-03
Thread-Index: AdIlTURh/T5LS+0YSL+1C8m+2toTyQCbD70Q
Message-ID: <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com>
References: <1901933387.417923.1476328888389.ref@mail.yahoo.com> <1901933387.417923.1476328888389@mail.yahoo.com> <2122275166.97735.1476361683603@mail.yahoo.com>
In-Reply-To: <2122275166.97735.1476361683603@mail.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: multipart/mixed; boundary="_004_4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4NJFPSRVEXG0re_"
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-10-16_05:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1609300000 definitions=main-1610160266
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/PDbvdxOxD4BFaQrfCGeWMJ20j7I>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2016 14:37:58 -0000

--_004_4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4NJFPSRVEXG0re_
Content-Type: multipart/alternative;
	boundary="_000_4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4NJFPSRVEXG0re_"

--_000_4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4NJFPSRVEXG0re_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi Nalini,

Thanks for your many suggestions.

As a first step, I edited your suggested
text for sections 4 and 4.1, below and
attached. See what you think.

Al

-=-=-=-=-=-=-=-=-=-=-=-=-=-

4.  Encryption for Enterprise Users

Encryption of network traffic within the private enterprise is a growing trend, particularly in industries with audit and regulatory requirements. Some enterprise internal networks are almost completely TLS and/or IPsec encrypted.

For each type of monitoring, different techniques and access to parts of the data stream may be necessary.  As we transition to an increased use of encryption that is increasingly harder to break, alternate methods of monitoring for operational purposes may be necessary to prevent the need to break encryption and thus privacy of users (other policies may apply in some enterprise settings).


4.1.  Monitoring Needs of the Enterprise

Large corporate enterprises are the owners of the platforms, data, and network infrastructure that provide critical business services to their user communities.  As such, these enterprises are responsible for all aspects of the performance, availability, security, and quality of experience for all user sessions. These responsibilities break down into three basic areas:

          1. Security Monitoring and Control
          2. Application Performance Monitoring and Reporting
          3. Network Diagnostics and Troubleshooting

In each of the above areas, technical support teams utilize collection, monitoring, and diagnostic systems that in some organizations currently use static RSA private keys to decrypt
passively monitored copies of encrypted TLS packet streams.


To an enterprise (and the customers that it serves), the cost of network and/or application down time can be great.  The focus of enterprises in their private data centers is to deliver expected levels of service, performance, protection, and availability.


4.1.1 Security Monitoring in the Enterprise

Enterprise Security Monitoring breaks down into the following areas:

1.  Data Loss Prevention - intercept outbound session traffic to monitor for intellectual property leakage (by users or more likely these days through malware and trojans),

2.  Intrusion Detection/Intrusion Prevention - detect viruses/malware entering the network via email or web traffic,

3.  Malware Detection - detect malware/Trojans in action, possibly connecting to remote hosts,

4.  Security Analytics - detect attacks (Cross site scripting and other common web related attacks),

5.  Track misuse and abuse by employees,

6.  Restrict the types of protocols permitted to/from the corporate environment,

7.  DDoS Prevention - detect and defend against Internet DDoS attacks, including both volumetric and layer 7 attacks.

A significant portion of malware hides its activity within TLS or other encrypted protocols.  This includes lateral movement, Command and Control, and Data Exfiltration.  These functions are critical to security and fraud monitoring.

For an enterprise to avoid costly application down time and deliver expected levels of performance, protection, and availability, some form of traffic analysis sometimes including examination of packet payloads can be a valuable asset.



4.1.2 Application Performance Monitoring in the Enterprise

There are two main goals of monitoring:

1.  Assess traffic volume on a per-application basis, for billing, capacity planning, optimization of geographical location for servers or proxies, and other needs.

2.  Assess performance in terms of application response time and user perceived response time.

Network-based Application Performance Monitoring tracks application response time by user and by URL, which is the information that the application owners and the lines of business need. Content Delivery Networks (CDNs) add complexity in determining the ultimate endpoint destination.  By their very nature, such information is obscured by CDNs and encrypted protocols -- adding a new challenge for troubleshooting network and application problems. URL identification allows the application support team to do granular, code level troubleshooting at multiple tiers of an application.

New methodologies to monitor user perceived response time and to separate network from server time are evolving.  For example, the IPv6 Destination Option implementation of Performance and Diagnostic Metrics (PDM) will provide this. [draft-ietf-ippm-6man-pdm-option-06]



4.1.3 Enterprise Network Diagnostics and Troubleshooting

One primary key to network troubleshooting is the ability to follow a transaction through the various tiers of an application in order to isolate the fault domain.  A variety of factors relating to the structure of the modern data center and the modern multi-tiered application have made it impossible to follow a transaction in network traces without the ability to examine some of the packet payload.


4.1.3.1 NAT

Content Delivery Networks (CDNs) and NATs obscure the ultimate endpoint designation.  Troubleshooting a problem for a specific end user requires finding information such as the IP address and other identifying information so that their problem can be resolved in a timely manner.

NAT is also frequently used by lower layers of the data center infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and Middleware servers all regularly NAT the source IP of packets. Combined with the fact that users are often allocated randomly by load balancers to all these devices, the network troubleshooter is often left with no option in today's environment except to trace all packets at a particular layer, decrypt them all, and look at the payload to find a user session.


This kind of bulk packet capture and bulk decryption is frequently required when troubleshooting a large and complex application. Endpoints typically don't have the capacity to handle this level of network packet capture, so out-of-band networks of robust packet brokers and network sniffers that depend on static RSA private keys have evolved to fill this need.

4.1.3.2 TCP Pipelining/Session Multiplexing

When TCP Pipelining/Session Multiplexing is used, usually by Middle boxes today, multiple end user sessions share the same TCP connection.  Today's network troubleshooter often relies upon session decryption to tell which packet belongs to which end user.

With the advent of HTTP/2, session multiplexing will be used ubiquitously, both on the Internet and in the private data center.


4.1.3.3 HTTP Service Calls

When an application server makes an HTTP service call to back end services on behalf of a user session, it uses a completely different URL and a completely different TCP connection.  It must be possible to match up the user request above with the HTTP service call below.  Today, this is done by decrypting the TLS packet and inspecting the payload.


4.1.3.4 Application Layer Data

Modern applications often use XML structures in the payload of the data to store application level information.  When the network and application teams must work together, each has a different view of the transaction failure. It is important to be able to correlate the network packet with the actual problem experienced by an application.

From: nalini.elkins@insidethestack.com [mailto:nalini.elkins@insidethestack.com]
Sent: Thursday, October 13, 2016 8:28 AM
To: saag@ietf.org
Cc: MORTON, ALFRED C (AL); Kathleen Moriarty
Subject: Re: draft-mm-wg-effect-encrypt-03

Kathleen and Al,


The "Effect of Ubiquitous Encryption" draft is an excellent summary of the impact on operations and network management posed by the changes to the security environment.

Great work, guys!!!

I wanted to comment on a few things as far as they impact private enterprises.


1. In the Abstract: we may want to remind the reader that network management includes troubleshooting because a number of changes will need to be made in how troubleshooting is done.  I would suggest the following:

Old: This draft includes a collection of current security and network management functions that may be impacted by this shift to increased use of encryption.


New: This draft includes a collection of current security and network management (including troubleshooting) functions that may be impacted by this shift to increased use of encryption.



2.  At the end of section 1, we might want to add that private enterprises are also considered.

Suggested words:

"We will also consider the situation of the private enterprise, where IP packet transport, applications, and infrastructure are privately owned and contained within or interconnect private data centers."



3.  Then, I would suggest replacing Sections 4 and 4.1 of the draft in their entirety with the words below:

********************************************

4.  Encryption for Enterprise Users

Encryption of network traffic within the private enterprise is a growing trend, particularly in industries with audit and regulatory requirements. Some enterprise internal networks are almost completely TLS and/or IPsec encrypted.

For each type of monitoring, different techniques and parts of the data stream may be necessary.  As we transition to an increased use of encryption that is increasingly harder to break, alternate methods of monitoring for operational purposes may be necessary to prevent the need to break encryption and thus privacy of users (which may not apply in a corporate setting by policy).


4.1.  Monitoring Needs of the Enterprise

Large corporate enterprises are the owners of the platforms, data, and network infrastructure that provide critical business services to their user communities.  As such, these enterprises are responsible for all aspects of the performance, availability, security, and quality of experience for all user sessions. These responsibilities break down into three basic areas:

          1. Security Monitoring and Control
          2. Application Performance Monitoring and Reporting
          3. Network Diagnostics and Troubleshooting

In each of the above areas, technical support teams utilize collection, monitoring, and diagnostic systems that in some organizations currently use static RSA private keys to decrypt
passively monitored copies of encrypted TLS packet streams.


To an enterprise (and the customers that it serves), the cost of network and/or application down time can be great.  The focus of enterprises in their private data centers is to deliver expected levels of service, performance, protection, and availability.


4.1.1 Security Monitoring in the Enterprise

Enterprise Security Monitoring breaks down into the following areas:

1.  Data Loss Prevention - intercept outbound session traffic to monitor for intellectual property leakage (by users or more likely these days through malware and trojans),

2.  Intrusion Detection/Intrusion Prevention - detect viruses/malware entering the network via email or web traffic,

3.  Malware Detection - detect malware/Trojans in action, possibly connecting to remote hosts,

4.  Security Analytics - detect attacks (Cross site scripting and other common web related attacks),

5.  Track misuse and abuse by employees,

6.  Restrict the types of protocols permitted to/from the corporate environment,

7.  DDoS Prevention - detect and defend against Internet DDoS attacks, including both volumetric and layer 7 attacks.

A significant portion of malware hides its activity within TLS or other encrypted protocols.  This includes lateral movement, Command and Control, and Data Exfiltration.  These functions are critical to security and fraud monitoring.

To an enterprise (and the customers that it serves), the cost of network and/or application down time can be great.  The focus of enterprises in their private data centers is to deliver expected levels of service, performance, protection, and availability. AND this can be accomplished using some form of traffic analysis sometimes including examination of the payload.



4.1.2 Application Performance Monitoring in the Enterprise

1.  Assess traffic volume on a per-application basis, for billing, capacity planning, optimization of geographical location for servers or proxies, and other needs,

2.  Assess performance in terms of application response time and user perceived response time,

Network-based Application Performance Monitoring tracks application response time by user and by URL, which is the information that the application owners and the lines of business need. Content Delivery Networks (CDNs) add complexity in determining the ultimate endpoint destination.  By their very nature, such information is obscured by CDNs and encrypted protocols -- adding a new challenge for troubleshooting network and application problems. URL identification allows the application support team to do granular, code level troubleshooting at multiple tiers of an application.

New methodologies to monitor user perceived response time and to separate network from server time are evolving.  For example, the IPv6 Destination Option implementation of Performance and Diagnostic Metrics (PDM) will provide this. [draft-ietf-ippm-6man-pdm-option-06]



4.1.3 Enterprise Network Diagnostics and Troubleshooting

One primary key to network troubleshooting is the ability to follow a transaction through the various tiers of an application in order to isolate the fault domain.  A variety of factors relating to the structure of the modern data center and the modern multi-tiered application have made it impossible to follow a transaction in network traces without the ability to examine some of the packet payload.


4.1.3.1 NAT

Content Delivery Networks (CDNs) and NATs obscure the ultimate endpoint designation.  Troubleshooting a problem for a specific end user requires finding information such as the IP address and other identifying information so that their problem can be resolved in a timely manner.

NAT is also frequently used by lower layers of the data center infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and Middleware servers all regularly NAT the source IP of packets. Combined with the fact that users are often sprayed randomly by load balancers to all these devices, the network troubleshooter is often left with no option in today's environment except to trace all packets at a particular layer, decrypt them all, and look at the payload to find a user session.


This kind of bulk packet capture and bulk decryption is frequently required when troubleshooting a large and complex application. Endpoints typically don't have the capacity to handle this level of network packet capture, so out-of-band networks of robust packet brokers and network sniffers, which depend on static RSA private keys, have evolved to fill this need.

4.1.3.2 TCP Pipelining/Session Multiplexing

When TCP Pipelining/Session Multiplexing is used, usually by Middle boxes today, multiple end user sessions share the same TCP connection.  Today's network troubleshooter often relies upon session decryption to tell which packet belongs to which end user.

With the advent of HTTP/2, session multiplexing will be used ubiquitously, both on the Internet and in the private data center.


4.1.3.3 HTTP Service Calls

When an application server makes an HTTP service call to back end services on behalf of a user session, it uses a completely different URL and a completely different TCP connection.  It must be possible to match up the user request above with the HTTP service call below.  Today, this is done by decrypting the TLS packet and inspecting the payload.


4.1.3.4 Application Layer Data

Modern applications often use XML structures in the payload of the data to store application level information.  When the network and application teams must work together, each has a different view of the transaction failure. It is important to be able to correlate the network packet with the actual problem experienced by an application.



Thanks,

Nalini Elkins
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

--_000_4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4NJFPSRVEXG0re_--

--_004_4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4NJFPSRVEXG0re_
Content-Type: text/plain; name="Nalini-sec4-effect-encrypt-03acm.txt"
Content-Description: Nalini-sec4-effect-encrypt-03acm.txt
Content-Disposition: attachment;
	filename="Nalini-sec4-effect-encrypt-03acm.txt"; size=7198;
	creation-date="Sun, 16 Oct 2016 13:55:43 GMT";
	modification-date="Sun, 16 Oct 2016 14:26:28 GMT"
Content-Transfer-Encoding: 7bit

4.  Encryption for Enterprise Users

Encryption of network traffic within the private enterprise is a growing trend, particularly in industries with audit and regulatory requirements. Some enterprise internal networks are almost completely TLS and/or IPsec encrypted.

For each type of monitoring, different techniques and access to parts of the data stream may be necessary.  As we transition to an increased use of encryption that is increasingly harder to break, alternate methods of monitoring for operational purposes may be necessary to prevent the need to break encryption and thus privacy of users (other policies may apply in some enterprise settings).


4.1.  Monitoring Needs of the Enterprise

Large corporate enterprises are the owners of the platforms, data, and network infrastructure that provide critical business services to their user communities.  As such, these enterprises are responsible for all aspects of the performance, availability, security, and quality of experience for all user sessions. These responsibilities break down into three basic areas:

          1. Security Monitoring and Control
          2. Application Performance Monitoring and Reporting
          3. Network Diagnostics and Troubleshooting

In each of the above areas, technical support teams utilize collection, monitoring, and diagnostic systems that in some organizations currently use static RSA private keys to decrypt
passively monitored copies of encrypted TLS packet streams.


To an enterprise (and the customers that it serves), the cost of network and/or application down time can be great.  The focus of enterprises in their private data centers is to deliver expected levels of service, performance, protection, and availability.


4.1.1 Security Monitoring in the Enterprise

Enterprise Security Monitoring breaks down into the following areas:

1.  Data Loss Prevention - intercept outbound session traffic to monitor for intellectual property leakage (by users or more likely these days through malware and trojans),

2.  Intrusion Detection/Intrusion Prevention - detect viruses/malware entering the network via email or web traffic,

3.  Malware Detection - detect malware/Trojans in action, possibly connecting to remote hosts,

4.  Security Analytics - detect attacks (Cross site scripting and other common web related attacks),

5.  Track misuse and abuse by employees,

6.  Restrict the types of protocols permitted to/from the corporate environment,

7.  DDoS Prevention - detect and defend against Internet DDoS attacks, including both volumetric and layer 7 attacks.

A significant portion of malware hides its activity within TLS or other encrypted protocols.  This includes lateral movement, Command and Control, and Data Exfiltration.  These functions are critical to security and fraud monitoring.

For an enterprise to avoid costly application down time and deliver expected levels of performance, protection, and availability, some form of traffic analysis sometimes including examination of packet payloads can be a valuable asset.



4.1.2 Application Performance Monitoring in the Enterprise

There are two main goals of monitoring:

1.  Assess traffic volume on a per-application basis, for billing, capacity planning, optimization of geographical location for servers or proxies, and other needs.

2.  Assess performance in terms of application response time and user perceived response time.

Network-based Application Performance Monitoring tracks application response time by user and by URL, which is the information that the application owners and the lines of business need. Content Delivery Networks (CDNs) add complexity in determining the ultimate endpoint destination.  By their very nature, such information is obscured by CDNs and encrypted protocols -- adding a new challenge for troubleshooting network and application problems. URL identification allows the application support team to do granular, code level troubleshooting at multiple tiers of an application.

New methodologies to monitor user perceived response time and to separate network from server time are evolving.  For example, the IPv6 Destination Option implementation of Performance and Diagnostic Metrics (PDM) will provide this. [draft-ietf-ippm-6man-pdm-option-06]



4.1.3 Enterprise Network Diagnostics and Troubleshooting

One primary key to network troubleshooting is the ability to follow a transaction through the various tiers of an application in order to isolate the fault domain.  A variety of factors relating to the structure of the modern data center and the modern multi-tiered application have made it impossible to follow a transaction in network traces without the ability to examine some of the packet payload.


4.1.3.1 NAT

Content Delivery Networks (CDNs) and NATs obscure the ultimate endpoint designation.  Troubleshooting a problem for a specific end user requires finding information such as the IP address and other identifying information so that their problem can be resolved in a timely manner.

NAT is also frequently used by lower layers of the data center infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and Middleware servers all regularly NAT the source IP of packets. Combined with the fact that users are often allocated randomly by load balancers to all these devices, the network troubleshooter is often left with no option in today's environment except to trace all packets at a particular layer, decrypt them all, and look at the payload to find a user session.


This kind of bulk packet capture and bulk decryption is frequently required when troubleshooting a large and complex application. Endpoints typically don't have the capacity to handle this level of network packet capture, so out-of-band networks of robust packet brokers and network sniffers that depend on static RSA private keys have evolved to fill this need.

4.1.3.2 TCP Pipelining/Session Multiplexing

When TCP Pipelining/Session Multiplexing is used, usually by Middle boxes today, multiple end user sessions share the same TCP connection.  Today's network troubleshooter often relies upon session decryption to tell which packet belongs to which end user.

With the advent of HTTP/2, session multiplexing will be used ubiquitously, both on the Internet and in the private data center.


4.1.3.3 HTTP Service Calls

When an application server makes an HTTP service call to back end services on behalf of a us
ZXIgc2Vzc2lvbiwgaXQgdXNlcyBhIGNvbXBsZXRlbHkgZGlmZmVyZW50IFVSTCBhbmQgYSBjb21w
bGV0ZWx5IGRpZmZlcmVudCBUQ1AgY29ubmVjdGlvbi4gIEl0IG11c3QgYmUgcG9zc2libGUgIHRv
IG1hdGNoIHVwIHRoZSB1c2VyIHJlcXVlc3QgYWJvdmUgd2l0aCB0aGUgSFRUUCBzZXJ2aWNlIGNh
bGwgYmVsb3cuICBUb2RheSwgdGhpcyBpcyBkb25lIGJ5IGRlY3J5cHRpbmcgdGhlIFRMUyBwYWNr
ZXQgYW5kIGluc3BlY3RpbmcgdGhlIHBheWxvYWQuDQoNCg0KNC4xLjMuNCBBcHBsaWNhdGlvbiBM
YXllciBEYXRhDQoNCk1vZGVybiBhcHBsaWNhdGlvbnMgb2Z0ZW4gdXNlIFhNTCBzdHJ1Y3R1cmVz
IGluIHRoZSBwYXlsb2FkIG9mIHRoZSBkYXRhIHRvIHN0b3JlIGFwcGxpY2F0aW9uIGxldmVsIGlu
Zm9ybWF0aW9uLiAgV2hlbiB0aGUgbmV0d29yayBhbmQgYXBwbGljYXRpb24gdGVhbXMgbXVzdCB3
b3JrIHRvZ2V0aGVyLCBlYWNoIGhhcyBhIGRpZmZlcmVudCB2aWV3IG9mIHRoZSB0cmFuc2FjdGlv
biBmYWlsdXJlLiBJdCBpcyBpbXBvcnRhbnQgdG8gYmUgYWJsZSB0byBjb3JyZWxhdGUgdGhlIG5l
dHdvcmsgcGFja2V0IHdpdGggdGhlIGFjdHVhbCBwcm9ibGVtIGV4cGVyaWVuY2VkIGJ5IGFuIGFw
cGxpY2F0aW9uLg0KICANCg==

--_004_4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4NJFPSRVEXG0re_--


From nobody Sun Oct 16 07:58:11 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BF691294D4 for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 07:58:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.732
X-Spam-Level: 
X-Spam-Status: No, score=-4.732 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PPIpK-7nrbYs for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 07:58:08 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 241D612948B for <saag@ietf.org>; Sun, 16 Oct 2016 07:58:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id AC10BBE3E; Sun, 16 Oct 2016 15:58:05 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pYvfn1JG9Zc1; Sun, 16 Oct 2016 15:58:04 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id E8F55BE39; Sun, 16 Oct 2016 15:58:03 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476629884; bh=fXmveroeOB1ZPspQQtApia15vcPZFk19NigHyojk+I0=; h=Subject:To:References:From:Date:In-Reply-To:From; b=eWsZvVw3eEWxHa0DDkDZbVW2kWQfNQALzBMMMNT2OH1oCxNdvaHyxl8tzibJHKeBH ntHIholnRkwpVbY6Tmpdojff3/l1QXs9DI60WgQfEGdQ5mpYJZb6NKaFE3nzn0s3dk HXcHxqI+B9DPd02zyd4lpvS8+JR2F9pwHjlb5GmU=
To: "MORTON, ALFRED C (AL)" <acmorton@att.com>, "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, "saag@ietf.org" <saag@ietf.org>
References: <1901933387.417923.1476328888389.ref@mail.yahoo.com> <1901933387.417923.1476328888389@mail.yahoo.com> <2122275166.97735.1476361683603@mail.yahoo.com> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <b1e82376-68b9-f2d5-d06e-225b84b5e9ba@cs.tcd.ie>
Date: Sun, 16 Oct 2016 15:58:04 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms030203040203080508000102"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/wyor2Rsu11VcP7bFP-XLeR9rWqU>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2016 14:58:10 -0000

This is a cryptographically signed message in MIME format.

--------------ms030203040203080508000102
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hi Al,

I've a general question about this text but will just use the
one example below. There are other examples in the text you
just sent to the list...

On 16/10/16 15:36, MORTON, ALFRED C (AL) wrote:
> For an enterprise to avoid costly application down time and deliver
> expected levels of performance, protection, and availability, some
> form of traffic analysis sometimes including examination of packet
> payloads can be a valuable asset.

What is the goal of this text? Is it to a) describe current
or historic practice or b) describe the changes that are
needed when we properly protect things or c) argue that MITM
behaviour is somehow necessary or correct?

I think if the goal were (a) or (b) we would not use the language
above ("valuable asset"), so I'm left wondering if this text is
really aimed at (c).

My understanding is that this draft aims at a mixture of (a) and
(b), and I would have a problem with anything that seems to me
like it has goal (c).

To be clear: if asked to sponsor a document as AD I will not
start a last call for anything with chunks of text that I think
have goal (c). Goals (a) and (b) are of course useful so I'd be
happy to progress such a document. I hope you and Kathleen take
that into account when doing edits to the draft so that we can
all save ourselves some cycles and angst:-)

Thanks,
S.

PS: I realise that this is your initial edit of Nalini's text so
it could be that additional edits are all that's needed here.



--------------ms030203040203080508000102
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
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--------------ms030203040203080508000102--


From nobody Sun Oct 16 08:02:18 2016
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F09EE1294DC for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 08:02:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level: 
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qgN5QcQzU8vT for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 08:02:15 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 013281294CC for <saag@ietf.org>; Sun, 16 Oct 2016 08:02:14 -0700 (PDT)
X-AuditID: c1b4fb2d-5b107980000009f7-f7-580396750729
Received: from ESESSHC015.ericsson.se (Unknown_Domain [153.88.183.63]) by  (Symantec Mail Security) with SMTP id 66.FD.02551.57693085; Sun, 16 Oct 2016 17:02:13 +0200 (CEST)
Received: from nomadiclab.lmf.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.65) with Microsoft SMTP Server id 14.3.319.2; Sun, 16 Oct 2016 17:02:12 +0200
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1])	by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 714F64E8F9;	Sun, 16 Oct 2016 18:01:15 +0300 (EEST)
Received: from [127.0.0.1] (localhost [127.0.0.1])	by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id B364C4E8CC;	Sun, 16 Oct 2016 18:01:14 +0300 (EEST)
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <ae0a0a1d-6ae4-7c03-183c-c2e59823aa72@ericsson.com>
Date: Sun, 16 Oct 2016 11:02:10 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="------------31C7B7680A2A9502D147246A"
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrGLMWRmVeSWpSXmKPExsUyM2K7vW7pNOYIg5X/+C2m9HcyWUzfe43d gcljbfdVNo8lS34yBTBFcdmkpOZklqUW6dslcGVMecta8Ne8YtLj7ewNjM90uhg5OSQETCQu r2ph7WLk4hASWM8osfHefShnG6PEjN/rmSCcdYwSD8+fh8rMZ5TY2bmEDaRfWMBa4uOhrWC2 iECQxP8Zj6CKJjNK/HzxCyzBJqAn0XnuODOIzStgL3FnyhsmEJtFQFVixb4dYDWiAhEStx52 sEDUCEqcnPkEzOYUsJVY/GsVWA2zQJhE99vbrBCHq0lcPbcJbKaQgLrE1o4DjBMYBWchaZ+F pGUWIweQbS/xYGsZRFheYvvbOcwQtr7E9Tv3WZHFFzCyrWIULU4tLs5NNzLWSy3KTC4uzs/T y0st2cQIDP2DW37r7mBc/drxEKMAB6MSD++DZUwRQqyJZcWVuYcYJTiYlUR4V01kjhDiTUms rEotyo8vKs1JLT7EKM3BoiTOa7byfriQQHpiSWp2ampBahFMlomDU6qB0fLITsmHqUe39Erf Dfya/CZac759f8+uouXXk4TnFej9fVgoFsh/4YxLmGcJ//XfKzmTm9ast7u8+ee3Uys25jTr l26xXyX6Zc7j50EFdnJP07rC758KZ8v1nSswKeVhmYD2881Rv69Oapec4nPAwOaRoO6TjSW1 jXs+u76uTF/x/NWNZ9M2CCqxFGckGmoxFxUnAgCX1KnxeQIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/xYrhmlPuASuLwmPlLvW6kw6HYV8>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2016 15:02:17 -0000

--------------31C7B7680A2A9502D147246A
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 7bit

Dear all

I find this draft useful for what it is: a summary of the discussions 
from the software update workshop.

I have two minor comments. I hope they can be addressed in the future 
versions:

1. For me scheduling of updates is important: I don't want my connected 
light bulb to update at night when I am using it. Although software 
updates should be as automated as possible, complete automation can lead 
to havoc. Continuing on the light example, I may want to only update the 
light bulbs in one room and see the consequences before updating the 
light bulbs in my entire house. How to encourage/force users to perform 
critical updates is still an important concern. The draft does touch 
upon this but never states this explicitly as a requirement. I am hoping 
that this can be addressed somewhere in the draft?

2. The draft provides a lot of useful examples. For example, I found it 
useful to read the story about Little Printer and how its code was 
released as open source. I am hoping that the draft could try to 
document more examples. There are other open source projects that have 
been picked up by the community such as openwrt and cyanogenmod. Similarly, 
while the eyefi example is useful, perhaps it would be nice to document the 
case of Revolv smart hub which is no longer supported. I don't think 
documenting all the examples out there is necessary, but providing many 
references and examples would definitely help.

Thanks
/--Mohit


On 10/07/2016 03:47 PM, Stephen Farrell wrote:
> Hiya,
>
> I hope this is of interest to some folks here. If so, please
> join the iotsu@iab.org list and/or discuss here.
>
> Do folks think this'd be a good topic on which to spend some
> time at the saag session at IETF97?
>
> Cheers,
> S.
>
> -------- Forwarded Message --------
> Subject: [Iotsu] Initial version of the IoTSU workshop report submitted
> Date: Fri, 7 Oct 2016 19:44:03 +0000
> From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> To: iotsu@iab.org <iotsu@iab.org>
>
> Hi all,
>
> I have just submitted the initial version of the report:
> https://tools.ietf.org/html/draft-farrell-iotsu-workshop-00
>
> We tried to capture the received comments as best as we could but I am
> sure there is room for improvement.
> Feedback is welcome!
>
> Ciao
> Hannes
>
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy
> the information in any medium. Thank you.
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


--------------31C7B7680A2A9502D147246A--


From nobody Sun Oct 16 10:20:29 2016
Return-Path: <acmorton@att.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E27F2126D73 for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 10:20:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level: 
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BYMCsVsJc5pn for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 10:20:24 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0a-00191d01.pphosted.com [67.231.149.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E78F712943B for <saag@ietf.org>; Sun, 16 Oct 2016 10:20:24 -0700 (PDT)
Received: from pps.filterd (m0048589.ppops.net [127.0.0.1]) by m0048589.ppops.net-00191d01. (8.16.0.17/8.16.0.17) with SMTP id u9GHEdqB015883; Sun, 16 Oct 2016 13:20:21 -0400
Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0048589.ppops.net-00191d01. with ESMTP id 264b1vu28v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 16 Oct 2016 13:20:21 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id u9GHKJR4017399; Sun, 16 Oct 2016 13:20:20 -0400
Received: from mlpi409.sfdc.sbc.com (mlpi409.sfdc.sbc.com [130.9.128.241]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id u9GHKBCq017272 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 16 Oct 2016 13:20:14 -0400
Received: from clpi183.sldc.sbc.com (clpi183.sldc.sbc.com [135.41.1.46]) by mlpi409.sfdc.sbc.com (RSA Interceptor); Sun, 16 Oct 2016 17:19:54 GMT
Received: from sldc.sbc.com (localhost [127.0.0.1]) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id u9GHJsF9025601; Sun, 16 Oct 2016 12:19:54 -0500
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.178.11]) by clpi183.sldc.sbc.com (8.14.5/8.14.5) with ESMTP id u9GHJjdp025296; Sun, 16 Oct 2016 12:19:46 -0500
Received: from exchange.research.att.com (njfpsrvexg0.research.att.com [135.207.255.124]) by mail-blue.research.att.com (Postfix) with ESMTP id D6E87F0412; Sun, 16 Oct 2016 13:19:44 -0400 (EDT)
Received: from NJFPSRVEXG0.research.att.com ([fe80::108a:1006:9f54:fd90]) by NJFPSRVEXG0.research.att.com ([fe80::108a:1006:9f54:fd90%25]) with mapi; Sun, 16 Oct 2016 13:19:44 -0400
From: "MORTON, ALFRED C (AL)" <acmorton@att.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, "saag@ietf.org" <saag@ietf.org>
Date: Sun, 16 Oct 2016 13:19:43 -0400
Thread-Topic: [saag] draft-mm-wg-effect-encrypt-03
Thread-Index: AdInvbmBCRUIHXluRh2qI0NOpmy2CgADEYUw
Message-ID: <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A8@NJFPSRVEXG0.research.att.com>
References: <1901933387.417923.1476328888389.ref@mail.yahoo.com> <1901933387.417923.1476328888389@mail.yahoo.com> <2122275166.97735.1476361683603@mail.yahoo.com> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com> <b1e82376-68b9-f2d5-d06e-225b84b5e9ba@cs.tcd.ie>
In-Reply-To: <b1e82376-68b9-f2d5-d06e-225b84b5e9ba@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-10-16_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1609300000 definitions=main-1610160315
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/KpEQadMWwtB1vMfz_SGzwL3oWAg>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2016 17:20:28 -0000
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From nobody Sun Oct 16 11:27:43 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40BF312940E for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 11:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.732
X-Spam-Level: 
X-Spam-Status: No, score=-4.732 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AMG7ZoyPwMaZ for <saag@ietfa.amsl.com>; Sun, 16 Oct 2016 11:27:40 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37759126579 for <saag@ietf.org>; Sun, 16 Oct 2016 11:27:40 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3037BBE3E; Sun, 16 Oct 2016 19:27:38 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9tw2k0aR4oIl; Sun, 16 Oct 2016 19:27:36 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 257E4BE39; Sun, 16 Oct 2016 19:27:36 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476642456; bh=WOqKUA49Dc3uOxOInDyEIzCjPM51d+fCsRMIHWc6AOI=; h=Subject:To:References:From:Date:In-Reply-To:From; b=oijUhCGRiffCXGTz+KmlmBrGri41xUfFzgreL+5hrYbGj0N6K0lELSZ3pX+omw7x3 iTDO9qRhqMOl92vW6PuFJwR7cklRvY9XfVyoSExcw9pQRlV6u+6ofiK9mZLJiMpao7 PLYcM5pjfmGzf0JN4ppv+3nnNNjIH32o2J8GndWU=
To: "MORTON, ALFRED C (AL)" <acmorton@att.com>, "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>, "saag@ietf.org" <saag@ietf.org>
References: <1901933387.417923.1476328888389.ref@mail.yahoo.com> <1901933387.417923.1476328888389@mail.yahoo.com> <2122275166.97735.1476361683603@mail.yahoo.com> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com> <b1e82376-68b9-f2d5-d06e-225b84b5e9ba@cs.tcd.ie> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A8@NJFPSRVEXG0.research.att.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <71f30bfd-ee8b-942a-4058-6f95b15a2b2e@cs.tcd.ie>
Date: Sun, 16 Oct 2016 19:27:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A8@NJFPSRVEXG0.research.att.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000601080203040705060302"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qj57-z8wvxBjiHIGqOnvlltDZIY>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2016 18:27:42 -0000

This is a cryptographically signed message in MIME format.

--------------ms000601080203040705060302
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hi Al,

On 16/10/16 18:19, MORTON, ALFRED C (AL) wrote:
>
> Clearly, changes in current management practices will be needed,
> and that process could be more efficient with constructive input
> from all involved. Understanding the many gaps is the first step,
> and IMO, what this memo is about.  No arguing for solutions,
> MITM or otherwise.

I agree. Figuring out what solutions are needed for n/w
management given the fact of much more ciphertext is work for
another day and for other documents and WGs.

I think what makes this tricky is that people understandably
tend to mix up current solutions and requirements, e.g. it is
natural enough (but wrong) to think that because I do X today
that that implies doing X is required (and hence language like
"valuable" etc.).

We directly saw that in the recent TLS WG discussion of RSA key
transport, which was kicked off by (I think) the same set of
folks. In the end the TLS WG chairs saw a very clear consensus
to stick with PFS and to not add back RSA key transport to
TLS1.3, despite RSA key transport being a "feature" on which
it appears some enterprise networks still seem to depend for
some forms of "attacking"/deciphering traffic to/from their own
TLS servers.

I think another related thing we need to be careful about here
are claims of utility for features where there is little or no
(at least public) evidence but only assertion. For example, many
of the claims I hear about the effectiveness of scanning outbound
traffic seem dubious to me, so we'll want to try to find evidence
to back up claims along those lines too if we want this document
to be of most use later on. (Or to qualify such things as being
e.g. "current practices for which there isn't such good evidence"
or something.)

But hey, that's why you get all those big bucks for being such
good document editors/authors I guess:-)

Cheers,
S.


--------------ms000601080203040705060302
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
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--------------ms000601080203040705060302--


From nobody Sun Oct 16 18:35:27 2016
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 16 Oct 2016 18:34:42 -0700
To: David Woodhouse <dwmw2@infradead.org>
Cc: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>, IETF SAAG <saag@ietf.org>
Subject: Re: [saag] openconnect (ssl) vpn protocol
Message-ID: <CABcZeBMX1-Msp67J3TRxOM69wtMpsPB3DLy0cQaRWdPxuo7_=Q@mail.gmail.com>
In-Reply-To: <1474625071.45169.131.camel@infradead.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/8TfhingslYosuwAmRR9-cj6bDp4>

On Fri, Sep 23, 2016 at 3:04 AM, David Woodhouse <dwmw2@infradead.org>
wrote:

> On Fri, 2016-09-23 at 11:57 +0200, Nikos Mavrogiannopoulos wrote:
> > Hi,
> >  The last few weeks together with David Woodhouse have improved the
> > openconnect VPN protocol quite significantly and eliminated any legacy
> > constructs arising from the pre-DTLS era, and pre-TLS-PSK era. Even
> > though it still provides backwards compatibility with the cisco's
> > anyconnect protocol, it has been greatly simplified, making it one of
> > the simplest SSL VPN protocols I'm aware of. It is described at:
> > https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-00
> >
> > We would appreciate any feedback on the protocol and approach.
>
> Did I catch a suggestion that using PSK in (D)TLSv1.3 is going to
> require us to pre-agree a hash algorithm for the hello_finished?
>

Yes. The reason is that there's no guarantee that it's safe to derive using
different hash-based KDFs from the same underlying key (which is not to say
that there is an actual attack on concrete hash algorithms). Note: this issue
also applies to TLS 1.2, it's just that we didn't have the benefit of having
it pointed out by cryptographers.

-Ekr




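The reply above is the reason a TLS 1.3 PSK (and so an openconnect PSK) has to carry its hash with it: RFC 8446 ties every PSK to a single hash, fixed when the PSK is provisioned (SHA-256 if nothing is specified), and the server may only pair the PSK with a cipher suite that uses that hash. The Python below is an added example, not code from this thread or from the openconnect draft. It reimplements the HKDF pieces of the RFC 8446 key schedule with the standard library, derives the PSK binder key from one key under SHA-256 and SHA-384 (two unrelated derivations from the same input key, which is exactly the case Ekr says there is no proof for), and shows the server-side check that refuses to run a PSK through a suite with a different hash. The PSK store, identities, keys and ClientHello bytes are constructed for the example.

```python
"""TLS 1.3 binds each PSK to one hash. Added example, not code from the thread.
HKDF and HKDF-Expand-Label follow RFC 5869 / RFC 8446 7.1; the PSK store,
identities and ClientHello bytes below are constructed for the example."""
import hashlib
import hmac
import struct

# TLS 1.3 cipher suite -> hash its key schedule runs on (RFC 8446 B.4).
SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": "sha256",
    "TLS_CHACHA20_POLY1305_SHA256": "sha256",
    "TLS_AES_256_GCM_SHA384": "sha384",
}

def hkdf_extract(hash_name, salt, ikm):
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); empty salt = zeros."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()

def hkdf_expand(hash_name, prk, info, length):
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(hash_name, secret, label, context, length):
    """HKDF-Expand-Label (RFC 8446 7.1): the info string is the HkdfLabel struct."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(hash_name, secret, hkdf_label, length)

def derive_secret(hash_name, secret, label, messages):
    """Derive-Secret = HKDF-Expand-Label(secret, label, Hash(messages), Hash.length)."""
    digest_len = hashlib.new(hash_name).digest_size
    transcript_hash = hashlib.new(hash_name, messages).digest()
    return hkdf_expand_label(hash_name, secret, label, transcript_hash, digest_len)

def binder_key(hash_name, psk, external=True):
    """Early Secret = HKDF-Extract(0, PSK); binder_key = Derive-Secret(ES, label, "")."""
    early_secret = hkdf_extract(hash_name, b"", psk)
    label = b"ext binder" if external else b"res binder"
    return derive_secret(hash_name, early_secret, label, b"")

def psk_binder(hash_name, psk, truncated_client_hello, external=True):
    """PSK binder (RFC 8446 4.2.11.2): HMAC(finished_key, Hash(Truncate(ClientHello)))."""
    digest_len = hashlib.new(hash_name).digest_size
    finished_key = hkdf_expand_label(hash_name, binder_key(hash_name, psk, external),
                                     b"finished", b"", digest_len)
    transcript_hash = hashlib.new(hash_name, truncated_client_hello).digest()
    return hmac.new(finished_key, transcript_hash, hash_name).digest()

# Constructed server PSK store: identity -> (key, hash fixed at provisioning).
# RFC 8446 4.2.11: an external PSK's hash is set when the PSK is established
# (default SHA-256); the key is never fed to a different hash's KDF.
PSK_DB = {
    b"vpn-client-17": (bytes(range(32)), "sha256"),
    b"vpn-client-42": (bytes(range(48)), "sha384"),
}

def select_psk(offered_identities, offered_suites, psk_db=PSK_DB):
    """Server side: first known PSK paired with an offered suite of the same hash.
    Returns (identity, suite) or None. A suite whose hash differs from the PSK's
    is never paired with it, even if the client offered both."""
    for identity in offered_identities:
        entry = psk_db.get(identity)
        if entry is None:
            continue
        psk_hash = entry[1]
        for suite in offered_suites:
            if SUITE_HASH.get(suite) == psk_hash:
                return identity, suite
    return None

def verify_binder(identity, truncated_client_hello, binder, psk_db=PSK_DB):
    """Recompute the binder with the PSK's own hash and compare in constant time."""
    psk, psk_hash = psk_db[identity]
    expected = psk_binder(psk_hash, psk, truncated_client_hello)
    return hmac.compare_digest(expected, binder)

if __name__ == "__main__":
    psk = bytes(range(32))
    # Same input key, two KDF hashes: two unrelated secrets. There is no
    # guarantee that handing out both is safe, so TLS 1.3 fixes one per PSK.
    print("sha256 binder_key:", binder_key("sha256", psk).hex())
    print("sha384 binder_key:", binder_key("sha384", psk).hex())
    print(select_psk([b"vpn-client-42"], ["TLS_AES_128_GCM_SHA256"]))  # None
    print(select_psk([b"vpn-client-42"], ["TLS_AES_256_GCM_SHA384"]))
    # (b'vpn-client-42', 'TLS_AES_256_GCM_SHA384')
```

`select_psk` is the check that matters in practice: a client offering a SHA-384 PSK identity together with only SHA-256 suites gets no PSK at all rather than a key schedule run under the wrong hash, and `verify_binder` always recomputes with the hash stored next to the key, never with whatever hash the client's preferred suite implies.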

From nobody Sun Oct 16 18:48:18 2016
From: <nalini.elkins@insidethestack.com>
Date: Mon, 17 Oct 2016 01:48:12 +0000 (UTC)
To: "MORTON, ALFRED C (AL)" <acmorton@att.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
Message-ID: <966336503.869322.1476668892606@mail.yahoo.com>
In-Reply-To: <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A8@NJFPSRVEXG0.research.att.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5qOobE2HY98FYxM4u5kbi2rLhvE>

Stephen & Al,

My comments inline.

Thanks,

Nalini Elkins
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360

      From: "MORTON, ALFRED C (AL)" <acmorton@att.com>
 To: Stephen Farrell <stephen.farrell@cs.tcd.ie>; "nalini.elkins@insidethestack.com" <nalini.elkins@insidethestack.com>; "saag@ietf.org" <saag@ietf.org>
 Sent: Sunday, October 16, 2016 10:19 AM
 Subject: RE: [saag] draft-mm-wg-effect-encrypt-03

>Hi Stephen, thanks for sharing an example that needs a fix.
>I re-worded a paragraph that repeated statements
>from an earlier section. I believe Nalini was describing
>current capabilities, and implying a gap if there is
>no replacement to aid network management in the future.
>This is the fundamental tension, as I understand it.

Definitely. Sorry if the wording is awkward. I was trying to not imply any
solutions as that is not in the spirit of this draft.

I hope that the many issues (including a few of the ones that I suggested)
in network management and diagnostics that have been pointed out by this
draft will spark the conversation about how we might go about resolving
them. Maybe this is new tools, strategies or protocols.

>>Stephen wrote:
>> What is the goal of this text? Is it to a) describe current
>> or historic practice or b) describe the changes that are
>> needed when we properly protect things or c) argue that MITM
>> behaviour is somehow necessary or correct?
>>
>> I think if the goal were (a) or (b) we would not use the language
>> above ("valuable asset"), so I'm left wondering if this text is
>> really aimed at (c).

>I agree to substitute another phrase for "valuable asset"
>since it's distracting; "current capability" or other, WFM.
>I didn't write "is a required capability", that would be
>more consistent with goal c).

>Clearly, changes in current management practices will be needed,
>and that process could be more efficient with constructive input
>from all involved. Understanding the many gaps is the first step,
>and IMO, what this memo is about. No arguing for solutions,
>MITM or otherwise.

>I hope this helps,
>Al


> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Sunday, October 16, 2016 10:58 AM
> To: MORTON, ALFRED C (AL); nalini.elkins@insidethestack.com;
> saag@ietf.org
> Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
>
>
> Hi Al,
>
> I've a general question about this text but will just use the
> one example below. There are other examples in the text you
> just sent to the list...
>
> On 16/10/16 15:36, MORTON, ALFRED C (AL) wrote:
> > For an enterprise to avoid costly application down time and deliver
> > expected levels of performance, protection, and availability, some
> > form of traffic analysis sometimes including examination of packet
> > payloads can be a valuable asset.
>
> What is the goal of this text? Is it to a) describe current
> or historic practice or b) describe the changes that are
> needed when we properly protect things or c) argue that MITM
> behaviour is somehow necessary or correct?
>
> I think if the goal were (a) or (b) we would not use the language
> above ("valuable asset"), so I'm left wondering if this text is
> really aimed at (c).
>
> My understanding is that this draft aims at a mixture of (a) and
> (b), and I would have a problem with anything that seems to me
> like it has goal (c).
>
> To be clear: if asked to sponsor a document as AD I will not
> start a last call for anything with chunks of text that I think
> has goal (c). Goals (a) and (b) are of course useful so I'd be
> happy to progress such a document. I hope you and Kathleen take
> that into account when doing edits to the draft so that we can
> all save ourselves some cycles and angst:-)
>
> Thanks,
> S.
>
> PS: I realise that this is your initial edit of Nalini's text so
> it could be that additional edits are all that's needed here.
>



From nobody Mon Oct 17 08:30:56 2016
From: John Mattsson <john.mattsson@ericsson.com>
Date: Mon, 17 Oct 2016 15:30:49 +0000
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Message-ID: <D42AB86C.538C3%john.mattsson@ericsson.com>
In-Reply-To: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/MViPmOkMbO2vNvofDRc9_kIlohk>


From nobody Mon Oct 17 08:54:31 2016
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5491129883; Mon, 17 Oct 2016 08:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level: 
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTQz8u1tWcWj; Mon, 17 Oct 2016 08:54:22 -0700 (PDT)
Received: from mail-it0-x234.google.com (mail-it0-x234.google.com [IPv6:2607:f8b0:4001:c0b::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 458551295B1; Mon, 17 Oct 2016 08:54:21 -0700 (PDT)
Received: by mail-it0-x234.google.com with SMTP id 4so54784434itv.0; Mon, 17 Oct 2016 08:54:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=jASj6BiLK9m1/kugc2btQsvRkMBemNYRfscQHniTBYA=; b=Bx+jnFlyv0UcWaM+gvr0EJz2/Lj1YXNvbmQyVeCBvaAYtp/670lWYKNoHs/IkdMzVR ZBU4OzZJOPWkGUBKRy8uqgPzyEk+OXWKHv6hDggqlC3WVh4dM2Od0KeC5/rhdkeeRIhY e68b7WQA6Jo01YgLIVwBjGwQdTbajDTuryqbR/XFXgHmI/ByPrDdpauMOhhs12UHMgur 4DQc3HBwufC2663sWEXux6Iy61ZcnvVw0E11hAEDzV8A7PkNBOuX/iFSln16Rm+oZBbH K9N3/TTpS439vr1Wgk2oNNPKjEtbPlaaRCGw3AsUv7sGK2oEZ2+ac2sXe4/MbYPJGq94 OZ5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=jASj6BiLK9m1/kugc2btQsvRkMBemNYRfscQHniTBYA=; b=YBi+vaikM0X8QBN8cWBT1jxdRUeNgd6JrQv6gOdnAAzkOtYE8i1nrisuUXAig5xxv3 qaEGf8K+kVV3o5XY2wGJbyLUZff4pkaTftfiXLVBoYf+u4UKs75e8s2UuhNiEGOQI1QG EiK9vIVmR11ob4CfzClvjhKlYVfXM+gYv/XPvx0UX6yW4XyiofrFV6yb+Ax9svWWJ6nF DZwQdyspFpTv7bqoZG1uIONgJog6PK+lkuHwbEPCwbUewMrAZWzEkABOyQLlhZ8brdAu 7KOhqPcrYJzWEnEGrLbr/yunB0VNxftfbYKPXztQyF2oBK6BhB87YUp6XJGXP4g6RYsj H1CQ==
X-Gm-Message-State: AA6/9RnEfWM/9llKKreZBLgSbthjIWPHD7carEZJWe/INy8MyloqktKxE2ge7mYkHZULcGTALIBRaXPiXOHlSQ==
X-Received: by 10.36.254.200 with SMTP id w191mr9913833ith.101.1476719660461;  Mon, 17 Oct 2016 08:54:20 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.107.188.4 with HTTP; Mon, 17 Oct 2016 08:54:19 -0700 (PDT)
In-Reply-To: <D42AB86C.538C3%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Mon, 17 Oct 2016 11:54:19 -0400
X-Google-Sender-Auth: gLMcNedO7nuRXi1KTa6eaA-Ihd0
Message-ID: <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: multipart/alternative; boundary=94eb2c03473ecb737b053f1196a6
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/d1LD4gN1j3LO_SYVkic-z4wlCd8>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
List-Id: Security Area Advisory Group <saag.ietf.org>

--94eb2c03473ecb737b053f1196a6
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In fact, is there anyone opposing their status becoming MUST NOT in
rfc4307bis?

On Mon, Oct 17, 2016 at 11:30 AM, John Mattsson <john.mattsson@ericsson.com> wrote:

> > I'm proposing it is time to change this to MUST NOT for 4307bis.
>
>
>
> +1
>
> On 09/10/16 23:26, "IPsec on behalf of Paul Wouters"
> <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote:
>
> >
> >Released a few days ago:
> >
> >       http://eprint.iacr.org/2016/961
> >
> >       A kilobit hidden SNFS discrete logarithm computation
> >       Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé
> >
> >       We perform a special number field sieve discrete logarithm
> >       computation in a 1024-bit prime field. To our knowledge, this
> >       is the first kilobit-sized discrete logarithm computation ever
> >       reported for prime fields. This computation took a little over
> >       two months of calendar time on an academic cluster using the
> >       open-source CADO-NFS software.
> >
> >Basically, this paper shows how to make a DH group of 1024 modp
> >with a backdoor, in two months of academic computing resources.
> >
> >The paper mentions 5114 a few times:
> >
> >       RFC 5114 [33] specifies a number of groups for use with
> >       Diffie-Hellman, and states that the parameters were drawn
> >       from NIST test data, but neither the NIST test data [39] nor
> >       RFC 5114 itself contain the seeds used to generate the finite
> >       field parameters
> >
> >And concludes:
> >
> >       Both from this perspective, and from our more modern one, dismissing the
> >       risk of trapdoored primes in real usage appears to have been a mistake,
> >       as the apparent difficulties encountered by the trapdoor designer in 1992
> >       turn out to be easily circumvented. A more conservative design decision
> >       for FIPS 186 would have required mandatory seed publication instead of
> >       making it optional.  As a result, there are opaque, standardized 1024-bit
> >       and 2048-bit primes in wide use today that cannot be properly verified.
> >
> >This is the strongest statement yet that I've seen to not trust any
> >of the RFC-5114 groups.
> >
> >The latest 4307bis document has these groups (22-24) as SHOULD NOT,
> >stating:
> >
> >       Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
> >       2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
> >       have small subgroups, which means that checks specified in the
> >       "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
> >       2.2 first bullet point MUST be done when these groups are used.
> >       These groups are also not safe-primes.  The seeds for these groups
> >       have not been publicly released, resulting in reduced trust in
> >       these groups.  These groups were proposed as alternatives for
> >       group 2 and 14 but never saw wide deployment.  It is expected
> >       in the near future to be further downgraded to MUST NOT.
> >
> >I'm proposing it is time to change this to MUST NOT for 4307bis.
> >
> >Possibly, we should do this via SAAG in general, and then follow SAAG's
> >advice in IPSECME.
> >
> >Is there _any_ reason why group 22-24 should not be MUST NOT?
> >
> >Paul
> >
> >_______________________________________________
> >IPsec mailing list
> >IPsec@ietf.org
> >https://www.ietf.org/mailman/listinfo/ipsec
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

--94eb2c03473ecb737b053f1196a6--
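The 4307bis text quoted in the message above requires the RFC 6989 section 2.2 check for groups 22-24 precisely because their primes are not safe primes. What follows is an added worked example, not code from this thread or from any IETF document: it implements that check (1 < r < p-1 and r^q mod p == 1) together with a safe-prime test, and runs both over a small constructed group (p = 331 with an order-11 subgroup) that stands in for a "MODP group with a prime-order subgroup". The constants P, Q, G, the peer values and the function names are constructed for illustration and are not RFC 5114 parameters.

```python
# Added example, not from the thread: the RFC 6989 section 2.2 subgroup check
# and a safe-prime test, run on a constructed toy group. P = 331 with its
# order-Q = 11 subgroup stands in for a "MODP group with a prime-order
# subgroup" such as RFC 5114 groups 22-24; the numbers are illustrative only.
from typing import Any, Dict, List

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 13 primes as bases: deterministic for
    n < 3.3e24, a strong probable-prime test beyond that."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and (p - 1) / 2 are prime. Then the only
    subgroups of Z_p^* have order 1, 2, (p - 1) / 2 or p - 1, so the range
    check 1 < r < p - 1 already excludes every small subgroup."""
    return p > 3 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def rfc6989_check(r: int, p: int, q: int) -> bool:
    """RFC 6989 section 2.2, first bullet: a received MODP public value r
    MUST satisfy 1 < r < p - 1 and r^q mod p == 1, i.e. lie in the
    order-q subgroup. Mandatory for groups whose p is not a safe prime."""
    return 1 < r < p - 1 and pow(r, q, p) == 1


# Constructed toy group: P is prime and P - 1 = 2 * 3 * 5 * 11, so the group
# has subgroups of order 2, 3, 5, 6, ... besides the order-Q subgroup.
P = 331
Q = 11
G = pow(3, (P - 1) // Q, P)  # an element of order Q (= 270)

# A value an honest peer could send: G^x for some private exponent x.
HONEST_PEER_VALUE = pow(G, 7, P)
# A value confined to the order-3 subgroup: it passes 1 < r < P - 1 but is
# not in the order-Q subgroup, so the shared secret could take only 3 values.
SMALL_SUBGROUP_VALUE = pow(3, (P - 1) // 3, P)  # (= 299)


def audit_group(p: int, q: int, peer_values: List[int]) -> Dict[str, Any]:
    """What a receiver would record for a group and a set of received values."""
    return {
        "p_is_prime": is_probable_prime(p),
        "q_is_prime": is_probable_prime(q),
        "q_divides_p_minus_1": (p - 1) % q == 0,
        "p_is_safe_prime": is_safe_prime(p),
        "accepted": [r for r in peer_values if rfc6989_check(r, p, q)],
        "rejected": [r for r in peer_values if not rfc6989_check(r, p, q)],
    }


if __name__ == "__main__":
    report = audit_group(P, Q, [HONEST_PEER_VALUE, SMALL_SUBGROUP_VALUE, 1, P - 1])
    for key, value in report.items():
        print(f"{key}: {value}")
```

With a safe prime the range check alone leaves only the two large subgroups, so the exponentiation by q is unnecessary; with a prime like 331, whose p-1 carries the cofactors 2, 3 and 5, the order-3 value passes the range check and is only caught by r^q mod p == 1, which is the situation the quoted 4307bis text describes for groups 22-24.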


From nobody Mon Oct 17 09:05:31 2016
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_78200560-BB3F-48D5-886E-80A7CC99F720"
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
Date: Mon, 17 Oct 2016 19:05:18 +0300
In-Reply-To: <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com>
To: Daniel Migault <daniel.migault@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3bCx6A-JvgtWUpJe1grc07xYZDw>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
List-Id: Security Area Advisory Group <saag.ietf.org>

--Apple-Mail=_78200560-BB3F-48D5-886E-80A7CC99F720
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

I’m not entirely comfortable with calling something a MUST NOT when all we have is conjecture, but I have no love and no need of those DH groups.

I don’t believe anyone else depends on these groups (at least in IPsec), so I’m fine with such a change.

Yoav

> On 17 Oct 2016, at 18:54, Daniel Migault <daniel.migault@ericsson.com> wrote:
>
> In fact, is there anyone opposing their status becoming MUST NOT in rfc4307bis?
>
> On Mon, Oct 17, 2016 at 11:30 AM, John Mattsson <john.mattsson@ericsson.com> wrote:
> > I'm proposing it is time to change this to MUST NOT for 4307bis.
>
>
>
> +1
>
> On 09/10/16 23:26, "IPsec on behalf of Paul Wouters"
> <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote:
>
> >
> >Released a few days ago:
> >
> >       http://eprint.iacr.org/2016/961
> >
> >       A kilobit hidden SNFS discrete logarithm computation
> >       Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé
> >
> >       We perform a special number field sieve discrete logarithm
> >       computation in a 1024-bit prime field. To our knowledge, this
> >       is the first kilobit-sized discrete logarithm computation ever
> >       reported for prime fields. This computation took a little over
> >       two months of calendar time on an academic cluster using the
> >       open-source CADO-NFS software.
> >
> >Basically, this paper shows how to make a DH group of 1024 modp
> >with a backdoor, in two months of academic computing resources.
> >
> >The paper mentions 5114 a few times:
> >
> >       RFC 5114 [33] specifies a number of groups for use with
> >       Diffie-Hellman, and states that the parameters were drawn
> >       from NIST test data, but neither the NIST test data [39] nor
> >       RFC 5114 itself contain the seeds used to generate the finite
> >       field parameters
> >
> >And concludes:
> >
> >       Both from this perspective, and from our more modern one, dismissing the
> >       risk of trapdoored primes in real usage appears to have been a mistake,
> >       as the apparent difficulties encountered by the trapdoor designer in 1992
> >       turn out to be easily circumvented. A more conservative design decision
> >       for FIPS 186 would have required mandatory seed publication instead of
> >       making it optional.  As a result, there are opaque, standardized 1024-bit
> >       and 2048-bit primes in wide use today that cannot be properly verified.
> >
> >This is the strongest statement yet that I've seen to not trust any
> >of the RFC-5114 groups.
> >
> >The latest 4307bis document has these groups (22-24) as SHOULD NOT,
> >stating:
> >
> >       Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
> >       2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
> >       have small subgroups, which means that checks specified in the
> >       "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
> >       2.2 first bullet point MUST be done when these groups are used.
> >       These groups are also not safe-primes.  The seeds for these groups
> >       have not been publicly released, resulting in reduced trust in
> >       these groups.  These groups were proposed as alternatives for
> >       group 2 and 14 but never saw wide deployment.  It is expected
> >       in the near future to be further downgraded to MUST NOT.
> >
> >I'm proposing it is time to change this to MUST NOT for 4307bis.
> >
> >Possibly, we should do this via SAAG in general, and then follow SAAG's
> >advice in IPSECME.
> >
> >Is there _any_ reason why group 22-24 should not be MUST NOT?
> >
> >Paul
> >
> >_______________________________________________
> >IPsec mailing list
> >IPsec@ietf.org
> >https://www.ietf.org/mailman/listinfo/ipsec
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec


--Apple-Mail=_78200560-BB3F-48D5-886E-80A7CC99F720--


From nobody Mon Oct 17 09:19:45 2016
Date: Mon, 17 Oct 2016 12:19:26 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Yoav Nir <ynir.ietf@gmail.com>, Stephen Kent <kent@bbn.com>
In-Reply-To: <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
Message-ID: <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fg5thHyqBLcN05NMbEHLnrPSRP0>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
List-Id: Security Area Advisory Group <saag.ietf.org>

On Mon, 17 Oct 2016, Yoav Nir wrote:

> I’m not entirely comfortable with calling something a MUST NOT when all we have is conjecture,

It's a little more than conjecture.

1) It has been proven that malicious 1024 bit DH values can be generated
    by academia that cannot be independently discovered. Therefore any
    nation-state with access to the same theory and more CPU power could
    have done this years ago.

2) We have the RFC 5114 values whose original authors/sponsors are not
    disclosing how these were generated.

1) + 2) means we cannot know if these values were trapdoor'ed.

If BBN/NIST/NSA wants to share how they seeded these values, we can all
publicly decide if we can keep using these or not. Without such
information, it just becomes an unnecessary risk to take.

Adding Steve Kent, co-author of RFC-5114, to the CC: so that he has
the opportunity to share what he knows about the origins of these
values and their seeds.

>  but I have no love and no need of those DH groups.
> I don’t believe anyone else depends on these groups (at least in IPsec), so I’m fine with such a change.

Thanks,

Paul

> Yoav
>
>       On 17 Oct 2016, at 18:54, Daniel Migault <daniel.migault@ericsson.com> wrote:
> 
> In fact is there anyone opposing their status becomes MUST NOT in rfc4307bis.
> 
> On Mon, Oct 17, 2016 at 11:30 AM, John Mattsson <john.mattsson@ericsson.com> wrote:
>       > I'm proposing it is time to change this to MUST NOT for 4307bis.
> 
> 
>
>       +1
>
>       On 09/10/16 23:26, "IPsec on behalf of Paul Wouters"
>       <ipsec-bounces@ietf.org on behalf of paul@nohats.ca> wrote:
>
>       >
>       >Released a few days ago:
>       >
>       >       http://eprint.iacr.org/2016/961
>       >
>       >       A kilobit hidden SNFS discrete logarithm computation
>       >       Joshua Fried and Pierrick Gaudry and Nadia Heninger and Emmanuel Thomé
>       >
>       >       We perform a special number field sieve discrete logarithm
>       >       computation in a 1024-bit prime field. To our knowledge, this
>       >       is the first kilobit-sized discrete logarithm computation ever
>       >       reported for prime fields. This computation took a little over
>       >       two months of calendar time on an academic cluster using the
>       >       open-source CADO-NFS software.
>       >
>       >Basically, this paper shows how to make a DH group of 1024 modp
>       >with a backdoor, in two months of academic computing resources.
>       >
>       >The paper mentions 5114 a few times:
>       >
>       >       RFC 5114 [33] specifies a number of groups for use with
>       >       Diffie-Hellman, and states that the parameters were drawn
>       >       from NIST test data, but neither the NIST test data [39] nor
>       >       RFC 5114 itself contain the seeds used to generate the finite
>       >       field parameters
>       >
>       >And concludes:
>       >
>       >       Both from this perspective, and from our more modern one, dismissing the
>       >       risk of trapdoored primes in real usage appears to have been a mistake,
>       >       as the apparent difficulties encountered by the trapdoor designer in
>       >1992
>       >       turn out to be easily circumvented. A more conservative design decision
>       >       for FIPS 186 would have required mandatory seed publication instead of
>       >       making it optional.  As a result, there are opaque, standardized
>       >1024-bit
>       >       and 2048-bit primes in wide use today that cannot be properly verified.
>       >
>       >This is the strongest statement yet that I've seen to not trust any
>       >of the RFC-5114 groups.
>       >
>       >The latest 4307bis document has these groups (22-24) as SHOULD NOT,
>       >stating:
>       >
>       >       Group 22, 23 and 24 or 1024-bit MODP Group with 160-bit, and
>       >       2048-bit MODP Group with 224-bit and 256-bit Prime Order Subgroup
>       >       have small subgroups, which means that checks specified in the
>       >       "Additional Diffie-Hellman Test for the IKEv2" [RFC6989] section
>       >       2.2 first bullet point MUST be done when these groups are used.
>       >       These groups are also not safe-primes.  The seeds for these groups
>       >       have not been publicly released, resulting in reduced trust in
>       >       these groups.  These groups were proposed as alternatives for
>       >       group 2 and 14 but never saw wide deployment.  It is expected
>       >       in the near future to be further downgraded to MUST NOT.
>       >
>       >I'm proposing it is time to change this to MUST NOT for 4307bis.
>       >
>       >Possibly, we should do this via SAAG in general, and then follow SAAG's
>       >advice in IPSECME.
>       >
>       >Is there _any_ reason why group 22-24 should not be MUST NOT ?
>       >
>       >Paul
>       >
>       >_______________________________________________
>       >IPsec mailing list
>       >IPsec@ietf.org
>       >https://www.ietf.org/mailman/listinfo/ipsec
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
> 

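The rfc4307bis text quoted above requires the RFC 6989 section 2.2 check whenever groups 22-24 are used. As an added example (not code from the thread, rfc4307bis or RFC 6989), this Python implements that check on tiny constructed parameters: a toy group with the p = k*q + 1 shape of groups 22-24, whose cofactor subgroups the check must reject, beside a safe-prime group where the range check alone suffices. Every number in it is constructed for illustration and is not an RFC 5114 value.

```python
"""Subgroup membership check for MODP groups with a prime-order subgroup.

Added example; not code from the thread, rfc4307bis or RFC 6989. It
implements the check the quoted rfc4307bis text refers to (RFC 6989,
section 2.2): for a field prime p and a generator g of prime order q,
accept a peer's Diffie-Hellman public value y only if 1 < y < p-1 and
y^q mod p == 1. The numeric parameters below are tiny constructed
values so the arithmetic is visible; they are not the RFC 5114 groups.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ModpGroup:
    p: int  # field prime
    q: int  # prime order of the subgroup generated by g
    g: int  # generator of that subgroup; p - 1 = k * q for some cofactor k


def is_prime(n: int) -> bool:
    """Trial division, adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def make_toy_group(q: int, k: int, h: int = 2) -> ModpGroup:
    """Build p = k*q + 1 and g = h^k mod p, the same p = k*q + 1 shape that
    RFC 5114 groups 22-24 have with far larger p and q. With k > 2, p is
    not a safe prime and the multiplicative group has subgroups of every
    order dividing k; these are the 'small subgroups' that make the
    membership check necessary."""
    p = k * q + 1
    if not (is_prime(q) and is_prime(p)):
        raise ValueError("constructed q and p must both be prime")
    g = pow(h, k, p)
    if g == 1:
        raise ValueError("h lies in the cofactor subgroup; pick another h")
    return ModpGroup(p=p, q=q, g=g)


def small_subgroup_orders(group: ModpGroup) -> list[int]:
    """Orders of the subgroups outside the order-q subgroup: every divisor
    of the cofactor k greater than 1. For a safe prime (k == 2) the only
    such subgroup is {1, p-1}, which the range check alone excludes."""
    k = (group.p - 1) // group.q
    return [d for d in range(2, k + 1) if k % d == 0]


def element_of_order(group: ModpGroup, d: int) -> int:
    """Return a value of multiplicative order d (d must divide p-1). Used
    here only to produce values outside the order-q subgroup, which a
    correct receiver must reject."""
    if (group.p - 1) % d != 0:
        raise ValueError("d must divide p-1")
    for h in range(2, group.p):
        y = pow(h, (group.p - 1) // d, group.p)
        if y != 1:
            return y
    raise AssertionError("unreachable for prime p")


def valid_public_value(group: ModpGroup, y: int) -> bool:
    """RFC 6989 section 2.2 test: range check plus y^q mod p == 1.
    The second condition is what proves y lies in the subgroup generated
    by g rather than in one of the small cofactor subgroups."""
    if not 1 < y < group.p - 1:
        return False
    return pow(y, group.q, group.p) == 1


if __name__ == "__main__":
    # Constructed toy analogue of a group-22-style parameter set: q = 11,
    # cofactor k = 6, so p = 67 and the field has subgroups of order 2, 3, 6.
    group = make_toy_group(q=11, k=6)
    print(f"p={group.p} q={group.q} g={group.g}, "
          f"small subgroups of order {small_subgroup_orders(group)}")
    honest_y = pow(group.g, 5, group.p)  # a genuine DH public value
    print("honest value accepted:", valid_public_value(group, honest_y))
    for d in small_subgroup_orders(group):
        bad_y = element_of_order(group, d)
        print(f"order-{d} value {bad_y} accepted:",
              valid_public_value(group, bad_y))
    # Safe-prime comparison: q = 11, k = 2 gives p = 23; the only small
    # subgroup is {1, 22}, so 1 < y < p-1 already rules it out.
    safe = make_toy_group(q=11, k=2)
    print("safe-prime group small subgroups:", small_subgroup_orders(safe))
```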

From nobody Mon Oct 17 13:48:22 2016
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65E531299A6 for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 13:48:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level: 
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fnK-JdhGpkYW for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 13:48:20 -0700 (PDT)
Received: from mail-qt0-f174.google.com (mail-qt0-f174.google.com [209.85.216.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB7FB129992 for <saag@ietf.org>; Mon, 17 Oct 2016 13:48:19 -0700 (PDT)
Received: by mail-qt0-f174.google.com with SMTP id m5so134139029qtb.3 for <saag@ietf.org>; Mon, 17 Oct 2016 13:48:19 -0700 (PDT)
X-Received: by 10.200.50.215 with SMTP id a23mr27352655qtb.79.1476737238968; Mon, 17 Oct 2016 13:47:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.169.91 with HTTP; Mon, 17 Oct 2016 13:46:38 -0700 (PDT)
In-Reply-To: <CABcZeBMX1-Msp67J3TRxOM69wtMpsPB3DLy0cQaRWdPxuo7_=Q@mail.gmail.com>
References: <CAJU7za+Hb0uOTXOCzaO+eu+JW8EvP-+zwJTzV9FaYjVTbvCn-g@mail.gmail.com> <1474625071.45169.131.camel@infradead.org> <CABcZeBMX1-Msp67J3TRxOM69wtMpsPB3DLy0cQaRWdPxuo7_=Q@mail.gmail.com>
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Date: Mon, 17 Oct 2016 22:46:38 +0200
Message-ID: <CAJU7zaLmX+o_iuLoPOGYXRRrnB6927iyUX8f3kYA-fsnnzcg-g@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Ht_1_VqUHjhljPFX0gUnMMaaj9U>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] openconnect (ssl) vpn protocol
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 20:48:21 -0000

On Mon, Oct 17, 2016 at 3:34 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> >  The last few weeks together with David Woodhouse have improved the
>> > openconnect VPN protocol quite significantly and eliminated any legacy
>> > constructs arising from the pre-DTLS era, and pre-TLS-PSK era. Even
>> > though it still provides backwards compatibility with the cisco's
>> > anyconnect protocol, it has been greatly simplified, making it one of
>> > the simplest SSL VPN protocols I'm aware of. It is described at:
>> > https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-00
>> > We would appreciate any feedback on the protocol and approach.
>> Did I catch a suggestion that using PSK in (D)TLSv1.3 is going to
>> require us to pre-agree a hash algorithm for the hello_finished?
> Yes. The reason is that there's no guarantee that it's safe to derive using
> different hash-based KDFs from the same underlying key (which is not to say
> that there is an actual attack on concrete hash algorithms). Note: this issue
> also applies to TLS 1.2, it's just that we didn't have the benefit of having
> it pointed out by cryptographers.

Is there more information on that attack that you describe (pointers
or the discussion behind it)? As far as I understand, that can be
summarized as use only ciphersuites with a fixed PRF on PSK rather
than mixing them. That can also be seen as an argument for TLS to have a
unique PRF for the finished messages (at least for the plain PSK
ciphersuites). Otherwise managing and mapping PSKs to user interfaces
becomes quite a bit more complex. For the PSK usage of openconnect that is
not an issue as PSKs are uniquely generated per session.

regards,
Nikos


From nobody Mon Oct 17 17:07:27 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4CDB1299B7 for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 17:07:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Level: 
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lLo5jpHvSg2C for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 17:07:22 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34FD312941C for <saag@ietf.org>; Mon, 17 Oct 2016 17:07:21 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,359,1473076800"; d="scan'208";a="110680441"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.5 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-ogg-d.UoA.auckland.ac.nz) ([10.6.2.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 18 Oct 2016 13:07:19 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.25) by uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.25) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Tue, 18 Oct 2016 13:07:19 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Tue, 18 Oct 2016 13:07:19 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Mohit Sethi <mohit.m.sethi@ericsson.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] software update for teeny-weeny devices
Thread-Index: AQHSJ75TLGgnde4PuU6TmF5JhHBu66CtV44R
Date: Tue, 18 Oct 2016 00:07:18 +0000
Message-ID: <1476749236821.94996@cs.auckland.ac.nz>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie>, <ae0a0a1d-6ae4-7c03-183c-c2e59823aa72@ericsson.com>
In-Reply-To: <ae0a0a1d-6ae4-7c03-183c-c2e59823aa72@ericsson.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/vWzpaQCM1G9NFYk_VNz6D2-Z4Q4>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 00:07:27 -0000

Mohit Sethi <mohit.m.sethi@ericsson.com> writes:

>For me scheduling of updates is important: I don't want my connected light
>bulb to update at night when I am using it.

So not this then:

https://twitter.com/markrittman/status/785905327967498240/photo/1

(that was part of an 11-hour battle to get a WiFi kettle working).

Peter.


From nobody Mon Oct 17 17:48:13 2016
Return-Path: <noloader@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A8AF1294BF for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 17:48:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kdx9lf5Nlw9g for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 17:48:11 -0700 (PDT)
Received: from mail-it0-x231.google.com (mail-it0-x231.google.com [IPv6:2607:f8b0:4001:c0b::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27A171294B8 for <saag@ietf.org>; Mon, 17 Oct 2016 17:48:11 -0700 (PDT)
Received: by mail-it0-x231.google.com with SMTP id k64so16761930itb.0 for <saag@ietf.org>; Mon, 17 Oct 2016 17:48:11 -0700 (PDT)
X-Received: by 10.36.89.206 with SMTP id p197mr10953810itb.103.1476751690397;  Mon, 17 Oct 2016 17:48:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.36.194 with HTTP; Mon, 17 Oct 2016 17:48:09 -0700 (PDT)
From: Jeffrey Walton <noloader@gmail.com>
Date: Mon, 17 Oct 2016 20:48:09 -0400
Message-ID: <CAH8yC8k39251SehL9UDgiszK-NTCSW4xUQYXLo2+3t-zS71M1Q@mail.gmail.com>
To: Ben Laurie <ben@links.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/SZ-_l0vG2SNpI2VGXrYSHzLWR9E>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: [saag] Roughtime (Was: software update for teeny-weeny devices)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: noloader@gmail.com
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 00:48:12 -0000

>> Our story for
>> providing time securely to these devices isn't that great either since
>> NTP again assumes that you have been configured with the correct time.
>
> How so?
>
> BTW, are you aware of roughtime? https://roughtime.googlesource.com/roughtime

I'm not sure this is entirely correct: "There are essentially only two
ways to achieve this [accurate or fresh time]: nonces or synchronised
clocks.".

If I am on a train with 100 other people or a stadium with 500 people
around me, then it seems like a gossip protocol would be able to
provide the correct time also.

The crowd always seems to converge on the right answer regardless of
how wrong one sampling is. I've been looking for a paper that explains
it for a couple of years now.

Jeff


From nobody Mon Oct 17 18:50:26 2016
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3585C129483 for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 18:50:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fI_4E3sKSNrd for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 18:50:22 -0700 (PDT)
Received: from mail-vk0-x22f.google.com (mail-vk0-x22f.google.com [IPv6:2607:f8b0:400c:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3615129498 for <saag@ietf.org>; Mon, 17 Oct 2016 18:50:21 -0700 (PDT)
Received: by mail-vk0-x22f.google.com with SMTP id b186so199904674vkb.1 for <saag@ietf.org>; Mon, 17 Oct 2016 18:50:21 -0700 (PDT)
X-Received: by 10.31.87.133 with SMTP id l127mr443890vkb.152.1476755421003; Mon, 17 Oct 2016 18:50:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.82.68 with HTTP; Mon, 17 Oct 2016 18:50:20 -0700 (PDT)
In-Reply-To: <71f30bfd-ee8b-942a-4058-6f95b15a2b2e@cs.tcd.ie>
References: <1901933387.417923.1476328888389.ref@mail.yahoo.com> <1901933387.417923.1476328888389@mail.yahoo.com> <2122275166.97735.1476361683603@mail.yahoo.com> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com> <b1e82376-68b9-f2d5-d06e-225b84b5e9ba@cs.tcd.ie> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A8@NJFPSRVEXG0.research.att.com> <71f30bfd-ee8b-942a-4058-6f95b15a2b2e@cs.tcd.ie>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 17 Oct 2016 21:50:20 -0400
Message-ID: <CAHbuEH7xgR4FB9Ctboo9CA0Gsy3YTWr0uzYnnELzFfV8Xt9m8w@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary=001a114fa81c4a0593053f19ea14
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ChYJrRYRLeN0y35idJ8DkZxmg2E>
Cc: "saag@ietf.org" <saag@ietf.org>, "MORTON, ALFRED C \(AL\)" <acmorton@att.com>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 01:50:25 -0000

--001a114fa81c4a0593053f19ea14
Content-Type: text/plain; charset=UTF-8

Hi,

I'll start with responding to this message and then will respond to ones
with text for possible edits to the suggestions.

On Sun, Oct 16, 2016 at 2:27 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hi Al,
>
> On 16/10/16 18:19, MORTON, ALFRED C (AL) wrote:
> >
> > Clearly, changes in current management practices will be needed,
> > and that process could be more efficient with constructive input
> > from all involved. Understanding the many gaps is the first step,
> > and IMO, what this memo is about.  No arguing for solutions,
> > MITM or otherwise.
>
> I agree. Figuring out what solutions are needed for n/w
> management given the fact of much more ciphertext is work for
> another day and for other documents and WGs.
>
> I think what makes this tricky is that people understandably
> tend to mix up current solutions and requirements, e.g. it is
> natural enough (but wrong) to think that because I do X today
> that that implies doing X is required (and hence language like
> "valuable" etc.).
>

Yes, agreed.  As the draft stands now, before these additions that point is
very clear.  The intent is to document the purpose of activities, what is
used now so that other methods might be identified to achieve the same
goal, possibly via an entirely different mechanism.


> We directly saw that in the recent TLS WG discussion of RSA key
> transport, which was kicked off by (I think) the same set of
> folks. In the end the TLS WG chairs saw a very clear consensus
> to stick with PFS and to not add back RSA key transport to
> TLS1.3, despite RSA key transport being a "feature" on which
> it appears some enterprise networks still seem to depend for
> some forms of "attacking"/deciphering traffic to/from their own
> TLS servers.
>

I agree entirely with the consensus, not to worry.  I'll comb through the
proposed text to make sure the intended approach for the draft is
maintained.


>
> I think another related thing we need to be careful about here
> are claims of utility for features where there is little or no
> (at least public) evidence but only assertion. For example, many
> of the claims I hear about the effectiveness of scanning outbound
> traffic seem dubious to me, so we'll want to try to find evidence
> to back up claims along those lines too if we want this document
> to be of most use later on. (Or to qualify such things as being
> e.g. "current practices for which there isn't such good evidence"
> or something.)
>

Yes, agreed.  For attack detection, we can confirm with MILE, but from my
experience attackers use whatever they would like to hide their tracks, so
worrying about TLS and the ability to break it doesn't really help anyway
as they'll just use something else.  I don't think that seeing into TLS
traffic is necessary for attack detection (Note: I have led incident
response and security teams that are quite advanced and consulted with
other teams that are quite advanced more recently.)  We can confirm with
MILE and DOTS as well, this should give us feedback from multiple industry
sectors.


>
> But hey, that's why you get all those big bucks for being such
> good document editors/authors I guess:-)
>

Ha.

Thanks,
Kathleen


>
> Cheers,
> S.
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
>


-- 

Best regards,
Kathleen

--001a114fa81c4a0593053f19ea14--


From nobody Mon Oct 17 19:18:42 2016
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 061411294F3 for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 19:18:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 52MQnqKNuUnN for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 19:18:35 -0700 (PDT)
Received: from mail-vk0-x235.google.com (mail-vk0-x235.google.com [IPv6:2607:f8b0:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D0B4129498 for <saag@ietf.org>; Mon, 17 Oct 2016 19:18:35 -0700 (PDT)
Received: by mail-vk0-x235.google.com with SMTP id q126so147232217vkd.2 for <saag@ietf.org>; Mon, 17 Oct 2016 19:18:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CQ0vlNT9drJR2fTOEOkr2JWRaDRRe9vJjOAYgRpXgTg=; b=ffUf/0oflmrgBdrEcH+K4PHSpvacJoAGzlOV6MV1X+u0maYv0S6sfqqCKiaTr4A6gK UxOgcsIOi7Ikb+3QtQitEXCcbXRaCF++Lz718yiJ29h/kq4RLU2K43fj099KyEBAFKrG in9pbkp5yroFhPRHDzJRqJX3j/f1IklKXcwLrbN6k4I6BEIh9zpgvTcuu+aTjqdefwAR wngtgpOFmK9GsYC9NuoLEtNDIClMeLAsKAa6ptOyVY63NhrmQDRCw0hkkaRVISjTENjZ 3wFCjYP2fewSwMpznghQYcSo7x//G/CH+g/Ewz/ajl+rm/FxQkocuoFXXXk/Kn5lp+f/ ZGYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CQ0vlNT9drJR2fTOEOkr2JWRaDRRe9vJjOAYgRpXgTg=; b=NahhmHuFs+7wCyT8devvwMdf4xSy5vwpGd0q6FYfcYq63LXeIGzi1Zi1+BsRC6arsC ARXZDlsvk5+ifcyQpLM3Q8yWeN4t1SCky6Ha36nvKIbpY84YIRrNUYmO5kFhHC3TfInC 1EK1pck5Ot7/3YpRwANa32iZm7TYxIaZDeThQtw+YkBIl3EsOeU3iS1pYqAFGKoEU6+K 2f21N+Yg0lK60oVmINUeSP+ReqoW+9IEjIvqsSS1uH2VP5sSu8FHAeRUPQw6bNWydHMe ATHCKRmM1rWqej7AKT5VOnV4y2F0t3ofo+e19S++RMmbl+TXdgdJCzmRztxbvdRRqjQS FkFw==
X-Gm-Message-State: AA6/9RkzIY30yEzTZx9ABHX1fCc7ikaA2bkjdqR8iXj+Ri9ZtGOkQDZFPTfJre5XPTVbt5YQr0BfP1WNIzb67Q==
X-Received: by 10.31.215.67 with SMTP id o64mr519455vkg.92.1476757113990; Mon, 17 Oct 2016 19:18:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.176.82.68 with HTTP; Mon, 17 Oct 2016 19:18:33 -0700 (PDT)
In-Reply-To: <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com>
References: <1901933387.417923.1476328888389.ref@mail.yahoo.com> <1901933387.417923.1476328888389@mail.yahoo.com> <2122275166.97735.1476361683603@mail.yahoo.com> <4AF73AA205019A4C8A1DDD32C034631D45A1F2E5A4@NJFPSRVEXG0.research.att.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Mon, 17 Oct 2016 22:18:33 -0400
Message-ID: <CAHbuEH4Dw1=Wxbbez+j+a3xCcsPLvm65acGWuJe=YE_pmTkYcw@mail.gmail.com>
To: "MORTON, ALFRED C (AL)" <acmorton@att.com>
Content-Type: multipart/alternative; boundary=94eb2c07c97232f15a053f1a4fe7
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/F1uEPPVOM1MzyCyty1pXqb8Zw90>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 02:18:41 -0000

--94eb2c07c97232f15a053f1a4fe7
Content-Type: text/plain; charset=UTF-8

Hello,

Nalini, thank you very much for your suggested text; this is helpful to
fill a gap in the draft and is much appreciated.  Al had provided a text
diff file from your proposed text, so I used that to edit a little further
and provide additional edit suggestions on your text.  I also inserted a
note.  I hope it's easy enough to see the changes, although I am afraid it
may be a little tougher.  Here are the suggested changes:


Section 4., paragraph 2:
OLD:

 For each type of monitoring, different techniques and parts of the data
stream may be necessary.  As we transition to an increased use of
encryption that is increasingly harder to break, alternate methods of
monitoring for operational purposes may be necessary to prevent the need to
break encryption and thus privacy of users (which may not apply in a
corporate setting by policy).

NEW:

 For each type of monitoring, different techniques and access to parts of
the data stream are part of current practice.  As we transition to an
increased use of encryption that is increasingly harder to break, alternate
methods of monitoring for operational purposes may be necessary to prevent
the need to break encryption and thus privacy of users (other policies may
apply in some enterprise settings).

Section 4.1, paragraph 2:
OLD:
In each of the above areas, technical support teams utilize collection,
monitoring, and diagnostic systems that in some organizations currently use
static RSA private keys to decrypt
passively monitored copies of encrypted TLS packet streams.

NEW:
In each of the above areas, technical support teams utilize collection,
monitoring, and diagnostic systems.  Some organizations currently use
attack methods such as static RSA private keys to decrypt
passively monitored copies of encrypted TLS packet streams.

Section 7., paragraph 2:
OLD:

 To an enterprise (and the customers that it serves), the cost of network
and/or application down time can be great.  The focus of enterprises in
their private data centers is to deliver expected levels of service,
performance, protection, and availability. AND this can be accomplished
using some form of traffic analysis sometimes including examination of the
payload.

NEW:

 For an enterprise to avoid costly application down time and deliver
expected levels of performance, protection, and availability, some form of
traffic analysis sometimes including examination of packet payloads can be
a valuable asset.

Section 4.1.1, 4.1.2
Note: I'm not thrilled with the proposed headings for each bullet as I
don't think they are really needed, but will go with consensus if others
really think it's helpful.  Some have a subheading now and others don't.
The headings are technology specific, whereas the previous bullets were
just covering the functions without naming technologies.

I'm fine with the additional bullets, but would like the technologies
removed.


Section 4.1.2, paragraph 1:
OLD:

 1.  Assess traffic volume on a per-application basis, for billing,
capacity planning, optimization of geographical location for servers or
proxies, and other needs,

NEW:

 There are two main goals of monitoring:


Section 4.1.2, paragraph 2:
OLD:

 2.  Assess performance in terms of application response time and user
perceived response time,

NEW:

 1.  Assess traffic volume on a per-application basis, for billing,
capacity planning, optimization of geographical location for servers or
proxies, and other needs.

 2.  Assess performance in terms of application response time and user
perceived response time


Section 4.1.3.1, paragraph 2:
OLD:

 NAT is also frequently used by lower layers of the data center
infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and
Middleware servers all regularly NAT the source IP of packets. Combine this
with the fact that users are often sprayed randomly by load balancers to
all these devices, the network troubleshooter is often left with no option
in today's environment except to trace all packets at a particular layer,
decrypt them all, and look at the payload to find a user session.

NEW:

 NAT is also frequently used by lower layers of the data center
infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and
Middleware servers all regularly NAT the source IP of packets. Combine this
with the fact that users are often allocated randomly by load balancers to
all these devices, the network troubleshooter is often left with no option
in today's environment except to trace all packets at a particular layer,
decrypt them all, and look at the payload to find a user session.


Section 4.1.3.1, paragraph 3:
OLD:

 This kind of bulk packet capture and bulk decryption is frequently
required when troubleshooting a large and complex application. Endpoints
typically don't have the capacity to handle this level of network packet
capture, so out-of-band networks of robust packet brokers and network
sniffers, which depend on static RSA private  keys, have evolved to fill
this need.

NEW:

This kind of bulk packet capture and bulk decryption is frequently used
when troubleshooting a large and complex application. Endpoints typically
don't have the capacity to handle this level of network packet capture, so
out-of-band networks of robust packet brokers and network sniffers that
utilize static RSA private keys to accomplish this task today.

Thank you,
Kathleen

On Sun, Oct 16, 2016 at 10:36 AM, MORTON, ALFRED C (AL) <acmorton@att.com>
wrote:

> Hi Nalini,
>
> Thanks for your many suggestions.
>
> As a first step, I edited your suggested
> text for sections 4 and 4.1, below and
> attached. See what you think.
>
> Al
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> 4.  Encryption for Enterprise Users
>
> Encryption of network traffic within the private enterprise is a growing
> trend, particularly in industries with audit and regulatory requirements.
> Some enterprise internal networks are almost completely TLS and/or IPsec
> encrypted.
>
> For each type of monitoring, different techniques and access to parts of
> the data stream may be necessary.  As we transition to an increased use of
> encryption that is increasingly harder to break, alternate methods of
> monitoring for operational purposes may be necessary to prevent the need to
> break encryption and thus privacy of users (other policies may apply in
> some enterprise settings).
>
> 4.1.  Monitoring Needs of the Enterprise
>
> Large corporate enterprises are the owners of the platforms, data, and
> network infrastructure that provide critical business services to their
> user communities.  As such, these enterprises are responsible for all
> aspects of the performance, availability, security, and quality of
> experience for all user sessions. These responsibilities break down into
> three basic areas:
>
>           1. Security Monitoring and Control
>           2. Application Performance Monitoring and Reporting
>           3. Network Diagnostics and Troubleshooting
>
> In each of the above areas, technical support teams utilize collection,
> monitoring, and diagnostic systems that in some organizations currently use
> static RSA private keys to decrypt
> passively monitored copies of encrypted TLS packet streams.
>
> To an enterprise (and the customers that it serves), the cost of network
> and/or application down time can be great.  The focus of enterprises in
> their private data centers is to deliver expected levels of service,
> performance, protection, and availability.
>
> 4.1.1 Security Monitoring in the Enterprise
>
> Enterprise Security Monitoring breaks down into the following areas:
>
> 1.  Data Loss Prevention - intercept outbound session traffic to monitor
> for intellectual property leakage (by users or more likely these days
> through malware and trojans),
>
> 2.  Intrusion Detection/Intrusion Prevention - detect viruses/malware
> entering the network via email or web traffic,
>
> 3.  Malware Detection - detect malware/Trojans in action, possibly
> connecting to remote hosts,
>
> 4.  Security Analytics - detect attacks (Cross site scripting and other
> common web related attacks),
>
> 5.  Track misuse and abuse by employees,
>
> 6.  Restrict the types of protocols permitted to/from the corporate
> environment,
>
> 7.  DDoS Prevention - detect and defend against Internet DDoS attacks,
> including both volumetric and layer 7 attacks.
>
> A significant portion of malware hides its activity within TLS or other
> encrypted protocols.  This includes lateral movement, Command and Control,
> and Data Exfiltration.  These functions are critical to security and fraud
> monitoring.
>
> For an enterprise to avoid costly application down time and deliver
> expected levels of performance, protection, and availability, some form of
> traffic analysis sometimes including examination of packet payloads can be
> a valuable asset.
>
> 4.1.2 Application Performance Monitoring in the Enterprise
>
> There are two main goals of monitoring:
>
> 1.  Assess traffic volume on a per-application basis, for billing,
> capacity planning, optimization of geographical location for servers or
> proxies, and other needs.
>
> 2.  Assess performance in terms of application response time and user
> perceived response time
>
> Network-based Application Performance Monitoring tracks application
> response time by user and by URL, which is the information that the
> application owners and the lines of business need. Content Delivery
> Networks (CDNs) add complexity in determining the ultimate endpoint
> destination.  By their very nature, such information is obscured by CDNs
> and encrypted protocols -- adding a new challenge for troubleshooting
> network and application problems. URL identification allows the application
> support team to do granular, code level troubleshooting at multiple tiers
> of an application.
>
> New methodologies to monitor user perceived response time and to separate
> network from server time are evolving.  For example, the IPv6 Destination
> Option implementation of Performance and Diagnostic Metrics (PDM) will
> provide this. [draft-ietf-ippm-6man-pdm-option-06]
>
> 4.1.3 Enterprise Network Diagnostics and Troubleshooting
>
> One primary key to network troubleshooting is the ability to follow a
> transaction through the various tiers of an application in order to isolate
> the fault domain.  A variety of factors relating to the structure of the
> modern data center and the modern multi-tiered application have made it
> impossible to follow a transaction in network traces without the ability to
> examine some of the packet payload.
>
> 4.1.3.1 NAT
>
> Content Delivery Networks (CDNs) and NATs obscure the ultimate endpoint
> designation.  Troubleshooting a problem for a specific end user requires
> finding information such as the IP address and other identifying
> information so that their problem can be resolved in a timely manner.
>
> NAT is also frequently used by lower layers of the data center
> infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and
> Middleware servers all regularly NAT the source IP of packets. Combine this
> with the fact that users are often allocated randomly by load balancers to
> all these devices, the network troubleshooter is often left with no option
> in today's environment except to trace all packets at a particular layer,
> decrypt them all, and look at the payload to find a user session.
>
> This kind of bulk packet capture and bulk decryption is frequently
> required when troubleshooting a large and complex application. Endpoints
> typically don't have the capacity to handle this level of network packet
> capture, so out-of-band networks of robust packet brokers and network
> sniffers that depend on static RSA private keys have evolved to fill this
> need.
>
> 4.1.3.2 TCP Pipelining/Session Multiplexing
>
> When TCP Pipelining/Session Multiplexing is used, usually by Middle boxes
> today, multiple end user sessions share the same TCP connection.  Today's
> network troubleshooter often relies upon session decryption to tell which
> packet belongs to which end user.
>
> With the advent of HTTP2, session multiplexing will be used ubiquitously,
> both on the Internet and in the private data center.
>
> 4.1.3.3 HTTP Service Calls
>
> When an application server makes an HTTP service call to back end services
> on behalf of a user session, it uses a completely different URL and a
> completely different TCP connection.  It must be possible to match up the
> user request above with the HTTP service call below.  Today, this is done
> by decrypting the TLS packet and inspecting the payload.
>
> 4.1.3.4 Application Layer Data
>
> Modern applications often use XML structures in the payload of the data to
> store application level information.  When the network and application
> teams must work together, each has a different view of the transaction
> failure. It is important to be able to correlate the network packet with
> the actual problem experienced by an application.
>
> *From:* nalini.elkins@insidethestack.com [mailto:nalini.elkins@
> insidethestack.com]
> *Sent:* Thursday, October 13, 2016 8:28 AM
> *To:* saag@ietf.org
> *Cc:* MORTON, ALFRED C (AL); Kathleen Moriarty
> *Subject:* Re: draft-mm-wg-effect-encrypt-03
>
>
>
> Kathleen and Al,
>
>
>
>
> The "Effect of Ubiquitous Encryption" draft is an excellent summary of the
> impact on operations and network management posed by the changes to the
> security environment.
>
>
>
> Great work, guys!!!
>
> I wanted to comment on a few things as far as they impact private
> enterprises.
>
>
> 1. In the Abstract: we may want to remind the reader that network
> management includes troubleshooting because a number of changes will need
> to be made in how troubleshooting is done.  I would suggest the following:
>
> Old: This draft includes a collection of current security and network
> management functions that may be impacted by this shift to increased use of
> encryption.
>
>
> New: This draft includes a collection of current security and network
> management (including troubleshooting) functions that may be impacted by
> this shift to increased use of encryption.
>
>
>
> 2.  At the end of section 1, we might want to add that private enterprises
> are also considered.
>
> Suggested words:
>
> "We will also consider the situation of the private enterprise, where IP
> packet transport, applications, and infrastructure are privately owned and
> contained within or interconnect private data centers."
>
>
>
> 3.  Then, I would suggest replacing Sections 4 and 4.1 of the draft in its
> entirety with the words below:
>
> ********************************************
>
> 4.  Encryption for Enterprise Users
>
> Encryption of network traffic within the private enterprise is a growing
> trend, particularly in industries with audit and regulatory requirements.
> Some enterprise internal networks are almost completely TLS and/or IPsec
> encrypted.
>
> For each type of monitoring, different techniques and parts of the data
> stream may be necessary.  As we transition to an increased use of
> encryption that is increasingly harder to break, alternate methods of
> monitoring for operational purposes may be necessary to prevent the need to
> break encryption and thus privacy of users (which may not apply in a
> corporate setting by policy).
>
>
> 4.1.  Monitoring Needs of the Enterprise
>
> Large corporate enterprises are the owners of the platforms, data, and
> network infrastructure that provide critical business services to their
> user communities.  As such, these enterprises are responsible for all
> aspects of the performance, availability, security, and quality of
> experience for all user sessions. These responsibilities break down into
> three basic areas:
>
>           1. Security Monitoring and Control
>           2. Application Performance Monitoring and Reporting
>           3. Network Diagnostics and Troubleshooting
>
> In each of the above areas, technical support teams utilize collection,
> monitoring, and diagnostic systems that in some organizations currently use
> static RSA private keys to decrypt
> passively monitored copies of encrypted TLS packet streams.
>
>
> To an enterprise (and the customers that it serves), the cost of network
> and/or application down time can be great.  The focus of enterprises in
> their private data centers is to deliver expected levels of service,
> performance, protection, and availability.
>
>
> 4.1.1 Security Monitoring in the Enterprise
>
> Enterprise Security Monitoring breaks down into the following areas:
>
> 1.  Data Loss Prevention - intercept outbound session traffic to monitor
> for intellectual property leakage (by users or more likely these days
> through malware and trojans),
>
> 2.  Intrusion Detection/Intrusion Prevention - detect viruses/malware
> entering the network via email or web traffic,
>
> 3.  Malware Detection - detect malware/Trojans in action, possibly
> connecting to remote hosts,
>
> 4.  Security Analytics - detect attacks (Cross site scripting and other
> common web related attacks),
>
> 5.  Track misuse and abuse by employees,
>
> 6.  Restrict the types of protocols permitted to/from the corporate
> environment,
>
> 7.  DDoS Prevention - detect and defend against Internet DDoS attacks,
> including both volumetric and layer 7 attacks.
>
> A significant portion of malware hides its activity within TLS or other
> encrypted protocols.  This includes lateral movement, Command and Control,
> and Data Exfiltration.  These functions are critical to security and fraud
> monitoring.
>
> To an enterprise (and the customers that it serves), the cost of network
> and/or application down time can be great.  The focus of enterprises in
> their private data centers is to deliver expected levels of service,
> performance, protection, and availability. AND this can be accomplished
> using some form of traffic analysis sometimes including examination of the
> payload.
>
>
>
> 4.1.2 Application Performance Monitoring in the Enterprise
>
>
> 1.  Assess traffic volume on a per-application basis, for billing,
> capacity planning, optimization of geographical location for servers or
> proxies, and other needs,
>
> 2.  Assess performance in terms of application response time and user
> perceived response time,
>
> Network-based Application Performance Monitoring tracks application
> response time by user and by URL, which is the information that the
> application owners and the lines of business need. Content Delivery
> Networks (CDNs) add complexity in determining the ultimate endpoint
> destination.  By their very nature, such information is obscured by CDNs
> and encrypted protocols -- adding a new challenge for troubleshooting
> network and application problems. URL identification allows the application
> support team to do granular, code level troubleshooting at multiple tiers
> of an application.
>
> New methodologies to monitor user perceived response time and to separate
> network from server time are evolving.  For example, the IPv6 Destination
> Option implementation of Performance and Diagnostic Metrics (PDM) will
> provide this. [draft-ietf-ippm-6man-pdm-option-06]
>
>
>
> 4.1.3 Enterprise Network Diagnostics and Troubleshooting
>
> One primary key to network troubleshooting is the ability to follow a
> transaction through the various tiers of an application in order to isolate
> the fault domain.  A variety of factors relating to the structure of the
> modern data center and the modern multi-tiered application have made it
> impossible to follow a transaction in network traces without the ability to
> examine some of the packet payload.
>
>
> 4.1.3.1 NAT
>
> Content Delivery Networks (CDNs) and NATs obscure the ultimate endpoint
> designation.  Troubleshooting a problem for a specific end user requires
> finding information such as the IP address and other identifying
> information so that their problem can be resolved in a timely manner.
>
> NAT is also frequently used by lower layers of the data center
> infrastructure.  Firewalls, Load Balancers, Web Servers, App Servers, and
> Middleware servers all regularly NAT the source IP of packets. Combine this
> with the fact that users are often sprayed randomly by load balancers to
> all these devices, the network troubleshooter is often left with no option
> in today's environment except to trace all packets at a particular layer,
> decrypt them all, and look at the payload to find a user session.
>
>
> This kind of bulk packet capture and bulk decryption is frequently
> required when troubleshooting a large and complex application. Endpoints
> typically don't have the capacity to handle this level of network packet
> capture, so out-of-band networks of robust packet brokers and network
> sniffers, which depend on static RSA private  keys, have evolved to fill
> this need.
>
> 4.1.3.2 TCP Pipelining/Session Multiplexing
>
> When TCP Pipelining/Session Multiplexing is used, usually by Middle boxes
> today, multiple end user sessions share the same TCP connection.  Today's
> network troubleshooter often relies upon session decryption to tell which
> packet belongs to which end user.
>
> With the advent of HTTP2, session multiplexing will be used ubiquitously,
> both on the Internet and in the private data center.
>
>
> 4.1.3.3 HTTP Service Calls
>
> When an application server makes an HTTP service call to back end services
> on behalf of a user session, it uses a completely different URL and a
> completely different TCP connection.  It must be possible  to match up the
> user request above with the HTTP service call below.  Today, this is done
> by decrypting the TLS packet and inspecting the payload.
>
>
> 4.1.3.4 Application Layer Data
>
> Modern applications often use XML structures in the payload of the data to
> store application level information.  When the network and application
> teams must work together, each has a different view of the transaction
> failure. It is important to be able to correlate the network packet with
> the actual problem experienced by an application.
>
>
>
> Thanks,
>
> Nalini Elkins
> Inside Products, Inc.
> www.insidethestack.com
> (831) 659-8360
>
>


-- 

Best regards,
Kathleen
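
The thread repeatedly describes enterprise monitoring tools that decrypt
passively captured copies of TLS traffic using a static RSA private key
(section 4.1 and 4.1.3.1 text above). Whether that works at all depends on
the key exchange the server negotiated: only static-RSA cipher suites let a
holder of the server key recover session keys from a capture, while (EC)DHE
suites and every TLS 1.3 session are forward secret. The script below is an
added example written for this archive, not code from the draft, the
mailing list, or any monitoring product. It parses a TLS ServerHello, reads
the negotiated version (including the TLS 1.3 supported_versions extension)
and cipher suite, and reports whether passive private-key decryption is even
possible, so an operations team can inventory how much of its own traffic
the "current practice" still covers and plan the alternate methods the draft
calls for. The ServerHello records are constructed inline; the cipher suite
code points are the real IANA registry values.

```python
"""Classify TLS ServerHello records by whether passive decryption with the
server's static RSA private key is possible.  Added example; not code from
the draft or the thread.  Sample records below are constructed, not captured."""
import struct

# Subset of the IANA TLS cipher suite registry, enough for the demonstration.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B   # ServerHello carries the selected version here in TLS 1.3


def parse_server_hello(record):
    """Return (negotiated_version, cipher_suite) from one handshake record
    carrying a ServerHello.  In TLS 1.3 legacy_version is still 0x0303 and the
    real version is in the supported_versions extension, so both are checked."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ServerHello")
    off = 0
    (version,) = struct.unpack("!H", body[off:off + 2]); off += 2
    off += 32                                  # server random
    off += 1 + body[off]                       # legacy session id
    (suite,) = struct.unpack("!H", body[off:off + 2]); off += 2
    off += 1                                   # compression method
    if off + 2 <= len(body):                   # extensions block is optional pre-1.3
        (ext_len,) = struct.unpack("!H", body[off:off + 2]); off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            edata = body[off:off + elen]; off += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                (version,) = struct.unpack("!H", edata)
    return version, suite


def classify(version, suite):
    """static_rsa_kx is True only when the server's RSA private key alone lets a
    passive observer recover the session keys; None when the suite is unknown."""
    name = CIPHER_SUITES.get(suite)
    ver_name = VERSIONS.get(version, "0x%04x" % version)
    if name is None:
        return {"version": ver_name, "suite": "unknown 0x%04x" % suite, "static_rsa_kx": None}
    # TLS 1.3 removed RSA key exchange entirely; (EC)DHE suites are forward secret.
    static_rsa = version != 0x0304 and name.startswith("TLS_RSA_WITH_")
    return {"version": ver_name, "suite": name, "static_rsa_kx": static_rsa}


def build_server_hello(suite, tls13=False):
    """Construct a minimal ServerHello record (test data, not a real capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    exts = b""
    if tls13:
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 2) + b"\x03\x04"
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def audit(records):
    """Count how many sessions a private-key-only passive decryptor could open."""
    counts = {"static_rsa": 0, "forward_secret": 0, "unknown": 0}
    for rec in records:
        verdict = classify(*parse_server_hello(rec))
        if verdict["static_rsa_kx"] is None:
            counts["unknown"] += 1
        elif verdict["static_rsa_kx"]:
            counts["static_rsa"] += 1
        else:
            counts["forward_secret"] += 1
    return counts


# Constructed samples: TLS 1.2 with RSA key exchange, TLS 1.2 with ECDHE, TLS 1.3.
SAMPLE_RECORDS = [
    build_server_hello(0x009C),
    build_server_hello(0xC02F),
    build_server_hello(0x1301, tls13=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(*parse_server_hello(rec)))
    print(audit(SAMPLE_RECORDS))
```

Run against real captures, the audit shows which servers still negotiate
static-RSA suites and which have already moved to forward-secret key exchange,
where a capture plus the server key yields nothing. For the latter the
troubleshooting options the draft hints at are endpoint-side: have the
application export its own session keys (the NSS SSLKEYLOGFILE format that
packet analysers read) or terminate TLS at a point the operator controls.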

--94eb2c07c97232f15a053f1a4fe7
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hello,<div><br></div><div>Nalini, thank you very much for =
your suggested text, this is helpful to fill a gap in the draft and is much=
 appreciated.=C2=A0 Al had provided a text diff file from your proposed tex=
t, so I used that to edit a little further and provide additional edit sugg=
estions on your text.=C2=A0 I also inserted a note.=C2=A0 I hope it&#39;s e=
asy enough to see the changes although I am afraid it may be a little tough=
er.=C2=A0 Here&#39;s the suggested changes:</div><div><br></div><div><div><=
br></div><div>Section 4., paragraph 2:</div><div>OLD:</div><div><br></div><=
div>=C2=A0For each type of monitoring, different techniques and parts of th=
e data stream may be necessary.=C2=A0 As we transition to an increased use =
of encryption that is increasingly harder to break, alternate methods of mo=
nitoring for operational purposes may be necessary to prevent the need to b=
reak encryption and thus privacy of users (which may not apply in a corpora=
te setting by policy).</div><div><br></div><div>NEW:</div><div><br></div><d=
iv>=C2=A0For each type of monitoring, different techniques and access to pa=
rts of the data stream are part of current practice.=C2=A0 As we transition=
 to an increased use of encryption that is increasingly harder to break, al=
ternate methods of monitoring for operational purposes may be necessary to =
prevent the need to break encryption and thus privacy of users (other polic=
ies may apply in some enterprise settings).</div><div><br></div><div>Sectio=
n 4.1, paragraph 2:</div><div>OLD:</div><div>In each of the above areas, te=
chnical support teams utilize collection, monitoring, and diagnostic system=
s that in some organizations currently use static RSA private keys to decry=
pt</div><div>passively monitored copies of encrypted TLS packet streams.</d=
iv><div>=C2=A0</div><div>NEW:</div><div>In each of the above areas, technic=
al support teams utilize collection, monitoring, and diagnostic systems.=C2=
=A0 Some organizations currently use attack methods such as static RSA priv=
ate keys to decrypt</div><div>passively monitored copies of encrypted TLS p=
acket streams.</div><div><br></div><div>Section 7., paragraph 2:</div><div>=
OLD:</div><div><br></div><div>=C2=A0To an enterprise (and the customers tha=
t it serves), the cost of network and/or application down time can be great=
.=C2=A0 The focus of enterprises in their private data centers is to delive=
r expected levels of service, performance, protection, and availability. AN=
D this can be accomplished using some form of traffic analysis sometimes in=
cluding examination of the payload.</div><div><br></div><div>NEW:</div><div=
><br></div><div>=C2=A0For an enterprise to avoid costly application down ti=
me and deliver expected levels of performance, protection, and availability=
, some form of traffic analysis sometimes including examination of packet p=
ayloads can be a valuable asset.</div><div><br></div><div>Section 4.1.1, 4.=
1.2</div><div>Note: I&#39;m not thrilled with the proposed headings for eac=
h bullet as I don&#39;t think they are really needed, but will go with cons=
ensus if others really think it&#39;s helpful.=C2=A0 Some have a subheading=
 now and others don&#39;t.=C2=A0 The headings are technology specific, wher=
eas the previous bullets were just covering the functions without naming te=
chnologies.</div><div><br></div><div>I&#39;m fine with the additional bulle=
ts, but would like the technologies removed. =C2=A0</div><div><br></div><di=
v><br></div><div>Section 4.1.2, paragraph 1:</div><div>OLD:</div><div><br><=
/div><div>=C2=A01.=C2=A0 Assess traffic volume on a per-application basis, =
for billing, capacity planning, optimization of geographical location for s=
ervers or proxies, and other needs,</div><div><br></div><div>NEW:</div><div=
><br></div><div>=C2=A0There are two main goals of monitoring:</div><div><br=
></div><div><br></div><div>Section 4.1.2, paragraph 2:</div><div>OLD:</div>=
<div><br></div><div>=C2=A02.=C2=A0 Assess performance in terms of applicati=
on response time and user perceived response time,</div><div><br></div><div=
>NEW:</div><div><br></div><div>=C2=A01.=C2=A0 Assess traffic volume on a pe=
r-application basis, for billing, capacity planning, optimization of geogra=
phical location for servers or proxies, and other needs.</div><div>=C2=A0</=
div><div>=C2=A02.=C2=A0 Assess performance in terms of application response=
 time and user perceived response time</div><div><br></div><div><br></div><=
div>Section 4.1.3.1, paragraph 2:</div><div>OLD:</div><div><br></div><div>=
=C2=A0NAT is also frequently used by lower layers of the data center infras=
tructure.=C2=A0 Firewalls, Load Balancers, Web Servers, App Servers, and Mi=
ddleware servers all regularly NAT the source IP of packets. Combine this w=
ith the fact that users are often sprayed randomly by load balancers to all=
 these devices, the network troubleshooter is often left with no option in =
today&#39;s environment except to trace all packets at a particular layer, =
decrypt them all, and look at the payload to find a user session.</div><div=
><br></div><div>NEW:</div><div><br></div><div>=C2=A0NAT is also frequently =
used by lower layers of the data center infrastructure.=C2=A0 Firewalls, Lo=
ad Balancers, Web Servers, App Servers, and Middleware servers all regularl=
y NAT the source IP of packets. Combine this with the fact that users are o=
ften allocated randomly by load balancers to all these devices, the network=
 troubleshooter is often left with no option in today&#39;s environment exc=
ept to trace all packets at a particular layer, decrypt them all, and look =
at the payload to find a user session.</div><div><br></div><div><br></div><=
div>Section 4.1.3.1, paragraph 3:</div><div>OLD:</div><div><br></div><div>=
=C2=A0This kind of bulk packet capture and bulk decryption is frequently re=
quired when troubleshooting a large and complex application. Endpoints typi=
cally don&#39;t have the capacity to handle this level of network packet ca=
pture, so out-of-band networks of robust packet brokers and network sniffer=
s, which depend on static RSA private =C2=A0keys, have evolved to fill this=
 need.</div><div><br></div><div>NEW:</div><div><br></div><div>This kind of =
bulk packet capture and bulk decryption is frequently used when troubleshoo=
ting a large and complex application. Endpoints typically don&#39;t have th=
e capacity to handle this level of network packet capture, so out-of-band n=
etworks of robust packet brokers and network sniffers that utilize static R=
SA private keys to accomplish this task today.</div><div><br></div><div>Tha=
nk you,</div></div><div>Kathleen</div></div><div class=3D"gmail_extra"><br>=
<div class=3D"gmail_quote">On Sun, Oct 16, 2016 at 10:36 AM, MORTON, ALFRED=
 C (AL) <span dir=3D"ltr">&lt;<a href=3D"mailto:acmorton@att.com" target=3D=
"_blank">acmorton@att.com</a>&gt;</span> wrote:<br><blockquote class=3D"gma=
il_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-lef=
t:1ex"><div lang=3D"EN-US" link=3D"blue" vlink=3D"purple"><div class=3D"m_5=
090391823800934293WordSection1"><p class=3D"MsoNormal"><span style=3D"font-=
size:11.0pt;font-family:&quot;Courier New&quot;;color:black">Hi Nalini,<u><=
/u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt=
;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></spa=
n></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&q=
uot;Courier New&quot;;color:black">Thanks for your many suggestions.<u></u>=
<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;fo=
nt-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span><=
/p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot=
;Courier New&quot;;color:black">As a first step, I edited your suggested <u=
></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0=
pt;font-family:&quot;Courier New&quot;;color:black">text for sections 4 and=
 4.1, below and<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=
=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black">attac=
hed. See what you think.<u></u><u></u></span></p><p class=3D"MsoNormal"><sp=
an style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:blac=
k"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"fon=
t-size:11.0pt;font-family:&quot;Courier New&quot;;color:black">Al<u></u><u>=
</u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-=
family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span></p>=
<p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Co=
urier New&quot;;color:black">-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=
=3D-=3D-<u></u><u></u></span></p><span class=3D""><p class=3D"MsoNormal"><s=
pan style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:bla=
ck"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"fo=
nt-size:11.0pt;font-family:&quot;Courier New&quot;;color:black">4.=C2=A0 En=
cryption for Enterprise Users<u></u><u></u></span></p><p class=3D"MsoNormal=
"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color=
:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=
=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black">Encry=
ption of network traffic within the private enterprise is a growing trend, =
particularly in industries with audit and regulatory requirements. Some ent=
erprise internal networks are almost completely TLS and/or IPsec encrypted.=
<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11=
.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u><=
/span></p></span><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;fon=
t-family:&quot;Courier New&quot;;color:black">For each type of monitoring, =
different techniques and access to parts of the data stream may be necessar=
y.=C2=A0 As we transition to an increased use of encryption that is increas=
ingly harder to break, alternate methods of monitoring for operational purp=
oses may be necessary to prevent the need to break encryption and thus priv=
acy of users (other policies may apply in some enterprise settings).<u></u>=
<u></u></span></p><span class=3D""><p class=3D"MsoNormal"><span style=3D"fo=
nt-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=
=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt=
;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></spa=
n></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&q=
uot;Courier New&quot;;color:black">4.1.=C2=A0 Monitoring Needs of the Enter=
prise<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-si=
ze:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u>=
</u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-=
family:&quot;Courier New&quot;;color:black">Large corporate enterprises are=
 the owners of the platforms, data, and network infrastructure that provide=
 critical business services to their user communities.=C2=A0 As such, these=
 enterprises are responsible for all aspects of the performance, availabili=
ty, security, and quality of experience for all user sessions. These respon=
sibilities break down into three basic areas:<u></u><u></u></span></p><p cl=
ass=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier=
 New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNorma=
l"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;colo=
r:black">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 1. Security=
 Monitoring and Control<u></u><u></u></span></p><p class=3D"MsoNormal"><spa=
n style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black=
">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 2. Application Per=
formance Monitoring and Reporting<u></u><u></u></span></p><p class=3D"MsoNo=
rmal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;c=
olor:black">=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 3. Netwo=
rk Diagnostics and Troubleshooting <u></u><u></u></span></p><p class=3D"Mso=
Normal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;=
;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span s=
tyle=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black">I=
n each of the above areas, technical support teams utilize collection, moni=
toring, and diagnostic systems that in some organizations currently use sta=
tic RSA private keys to decrypt<u></u><u></u></span></p><p class=3D"MsoNorm=
al"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;col=
or:black">passively monitored copies of encrypted TLS packet streams.<u></u=
><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;f=
ont-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span>=
</p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quo=
t;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D=
"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&q=
uot;;color:black">To an enterprise (and the customers that it serves), the =
cost of network and/or application down time can be great.=C2=A0 The focus =
of enterprises in their private data centers is to deliver expected levels =
of service, performance, protection, and availability.<u></u><u></u></span>=
</p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quo=
t;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D=
"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&q=
uot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><sp=
an style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:blac=
k">4.1.1 Security Monitoring in the Enterprise<u></u><u></u></span></p><p c=
lass=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courie=
r New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNorm=
al"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;col=
or:black">Enterprise Security Monitoring breaks down into the following are=
as:<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size=
:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></=
u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-fa=
mily:&quot;Courier New&quot;;color:black">1.=C2=A0 Data Loss Prevention - i=
ntercept outbound session traffic to monitor for intellectual property leak=
age (by users or more likely these days through malware and trojans),<u></u=
><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;f=
ont-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span>=
</p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quo=
t;Courier New&quot;;color:black">2.=C2=A0 Intrusion Detection/Intrusion Pre=
vention - detect viruses/malware entering the network via email or web traf=
fic,<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-siz=
e:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u><=
/u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-f=
amily:&quot;Courier New&quot;;color:black">3.=C2=A0 Malware Detection - det=
ect malware/Trojans in action, possibly connecting to remote hosts, <u></u>=
<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;fo=
nt-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span><=
/p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot=
;Courier New&quot;;color:black">4.=C2=A0 Security Analytics - detect attack=
s (Cross site scripting and other common web related attacks),<u></u><u></u=
></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-fam=
ily:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p =
class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Couri=
er New&quot;;color:black">5.=C2=A0 Track misuse and abuse by employees,<u><=
/u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt=
;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></spa=
n></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&q=
uot;Courier New&quot;;color:black">6.=C2=A0 Restrict the types of protocols=
 permitted to/from the corporate environment,<u></u><u></u></span></p><p cl=
ass=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier=
 New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNorma=
l"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;colo=
r:black">7.=C2=A0 DDoS Prevention - detect and defend against Internet DDoS=
 attacks, including both volumetric and layer 7 attacks.<u></u><u></u></spa=
n></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&q=
uot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=
=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier Ne=
w&quot;;color:black">A significant portion of malware hides its activity wi=
thin TLS or other encrypted protocols.=C2=A0 This includes lateral movement=
, Command and Control, and Data Exfiltration.=C2=A0 These functions are cri=
tical to security and fraud monitoring.<u></u><u></u></span></p><p class=3D=
"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&q=
uot;;color:black"><u></u>=C2=A0<u></u></span></p></span><p class=3D"MsoNorm=
al"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;col=
or:black">For an enterprise to avoid costly application down time and deliv=
er expected levels of performance, protection, and availability, some form =
of traffic analysis sometimes including examination of packet payloads can =
be a valuable asset. <u></u><u></u></span></p><span class=3D""><p class=3D"=
MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&qu=
ot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><spa=
n style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black=
"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font=
-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0=
<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;fo=
nt-family:&quot;Courier New&quot;;color:black">4.1.2 Application Performanc=
e Monitoring in the Enterprise<u></u><u></u></span></p><p class=3D"MsoNorma=
l"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;colo=
r:black"><u></u>=C2=A0<u></u></span></p></span><p class=3D"MsoNormal"><span=
 style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"=
>There are two main goals of monitoring:<u></u><u></u></span></p><p class=
=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier Ne=
w&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal">=
<span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:b=
lack">1.=C2=A0 Assess traffic volume on a per-application basis, for billin=
g, capacity planning, optimization of geographical location for servers or =
proxies, and other needs. <u></u><u></u></span></p><span class=3D""><p clas=
s=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier N=
ew&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"=
><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:=
black">2.=C2=A0 Assess performance in terms of application response time an=
d user perceived response time<u></u><u></u></span></p><p class=3D"MsoNorma=
l"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;colo=
r:black"><u></u>=C2=A0<u></u></span></p></span><p class=3D"MsoNormal"><span=
 style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"=
>Network-based Application Performance Monitoring tracks application respon=
se time by user and by URL, which is the information that the application o=
wners and the lines of business need. Content Delivery Networks (CDNs) add =
complexity in determining the ultimate endpoint destination.=C2=A0 By their=
 very nature, such information is obscured by CDNs and encrypted protocols =
-- adding a new challenge for troubleshooting network and application probl=
ems. URL identification allows the application support team to do granular,=
 code level troubleshooting at multiple tiers of an application. <u></u><u>=
</u></span></p><span class=3D""><p class=3D"MsoNormal"><span style=3D"font-=
size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<=
u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;fon=
t-family:&quot;Courier New&quot;;color:black">New methodologies to monitor =
user perceived response time and to separate network from server time are e=
volving.=C2=A0 For example, the IPv6 Destination Option implementation of P=
erformance and Diagnostic Metrics (PDM) will provide this. [draft-ietf-ippm=
-6man-pdm-<wbr>option-06]<u></u><u></u></span></p><p class=3D"MsoNormal"><s=
pan style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:bla=
ck"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"fo=
nt-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=
=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt=
;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></spa=
n></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&q=
uot;Courier New&quot;;color:black">4.1.3 Enterprise Network Diagnostics and=
 Troubleshooting<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=
=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></=
u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:1=
1.0pt;font-family:&quot;Courier New&quot;;color:black">One primary key to n=
etwork troubleshooting is the ability to follow a transaction through the v=
arious tiers of an application in order to isolate the fault domain.=C2=A0 =
A variety of factors relating to the structure of the modern data center an=
d the modern multi-tiered application have made it impossible to follow a t=
ransaction in network traces without the ability to examine some of the pac=
ket payload.<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"=
font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=
=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.=
0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></=
span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family=
:&quot;Courier New&quot;;color:black">4.1.3.1 NAT<u></u><u></u></span></p><=
p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cou=
rier New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoN=
ormal"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;=
color:black">Content Delivery Networks (CDNs) and NATs obscure the ultimate=
 endpoint designation.=C2=A0 Troubleshooting a problem for a specific end u=
ser requires finding information such as the IP address and other identifyi=
ng information so that their problem can be resolved in a timely manner.<u>=
</u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0p=
t;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></sp=
an></p></span><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-f=
amily:&quot;Courier New&quot;;color:black">NAT is also frequently used by l=
ower layers of the data center infrastructure.=C2=A0 Firewalls, Load Balanc=
ers, Web Servers, App Servers, and Middleware servers all regularly NAT the=
 source IP of packets. Combine this with the fact that users are often allo=
cated randomly by load balancers to all these devices, the network troubles=
hooter is often left with no option in today&#39;s environment except to tr=
ace all packets at a particular layer, decrypt them all, and look at the pa=
yload to find a user session.<u></u><u></u></span></p><p class=3D"MsoNormal=
"><span style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color=
:black"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=
=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></=
u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:1=
1.0pt;font-family:&quot;Courier New&quot;;color:black">This kind of bulk pa=
cket capture and bulk decryption is frequently required when troubleshootin=
g a large and complex application. Endpoints typically don&#39;t have the c=
apacity to handle this level of network packet capture, so out-of-band netw=
orks of robust packet brokers and network sniffers that depend on static RS=
A private keys have evolved to fill this need.<u></u><u></u></span></p><spa=
n class=3D""><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-fa=
mily:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span></p><p=
 class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&quot;Cour=
ier New&quot;;color:black">4.1.3.2 TCP Pipelining/Session Multiplexing<u></=
u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;=
font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span=
></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&qu=
ot;Courier New&quot;;color:black">When TCP Pipelining/Session Multiplexing =
is used, usually by Middle boxes today, multiple end user sessions share th=
e same TCP connection.=C2=A0 Today&#39;s network troubleshooter often=
 relies upon session decryption to tell which packet belongs to which end u=
ser.<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-siz=
e:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u><=
/u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-f=
amily:&quot;Courier New&quot;;color:black">With the advent of HTTP2, sessio=
n multiplexing will be used ubiquitously, both on the Internet and in the p=
rivate data center. <u></u><u></u></span></p><p class=3D"MsoNormal"><span s=
tyle=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><=
u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-si=
ze:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u>=
</u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-=
family:&quot;Courier New&quot;;color:black">4.1.3.3 HTTP Service Calls<u></=
u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;=
font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u></u></span=
></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-family:&qu=
ot;Courier New&quot;;color:black">When an application server makes an HTTP =
service call to back end services on behalf of a user session, it uses a co=
mpletely different URL and a completely different TCP connection.=C2=A0 It =
must be possible to match up the user request above with the HTTP ser=
vice call below.=C2=A0 Today, this is done by decrypting the TLS packet and=
 inspecting the payload.<u></u><u></u></span></p><p class=3D"MsoNormal"><sp=
an style=3D"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:blac=
k"><u></u>=C2=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"fon=
t-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=
=A0<u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt=
;font-family:&quot;Courier New&quot;;color:black">4.1.3.4 Application Layer=
 Data<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D"font-si=
ze:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=C2=A0<u>=
</u></span></p><p class=3D"MsoNormal"><span style=3D"font-size:11.0pt;font-=
family:&quot;Courier New&quot;;color:black">Modern applications often use X=
ML structures in the payload of the data to store application level informa=
tion.=C2=A0 When the network and application teams must work together, each=
 has a different view of the transaction failure. It is important to be abl=
e to correlate the network packet with the actual problem experienced by an=
 application.<u></u><u></u></span></p><p class=3D"MsoNormal"><span style=3D=
"font-size:11.0pt;font-family:&quot;Courier New&quot;;color:black"><u></u>=
=C2=A0<u></u></span></p></span><div style=3D"border:none;border-left:solid =
blue 1.5pt;padding:0in 0in 0in 4.0pt"><div><div style=3D"border:none;border=
-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in"><p class=3D"MsoNormal">=
<b><span style=3D"font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;san=
s-serif&quot;">From:</span></b><span style=3D"font-size:10.0pt;font-family:=
&quot;Tahoma&quot;,&quot;sans-serif&quot;"> <a href=3D"mailto:nalini.elkins=
@insidethestack.com" target=3D"_blank">nalini.elkins@insidethestack.<wbr>co=
m</a> [mailto:<a href=3D"mailto:nalini.elkins@insidethestack.com" target=3D=
"_blank">nalini.elkins@<wbr>insidethestack.com</a>] <br><b>Sent:</b> Thursd=
ay, October 13, 2016 8:28 AM<br><b>To:</b> <a href=3D"mailto:saag@ietf.org"=
 target=3D"_blank">saag@ietf.org</a><br><b>Cc:</b> MORTON, ALFRED C (AL); K=
athleen Moriarty<br><b>Subject:</b> Re: draft-mm-wg-effect-encrypt-03<u></u=
><u></u></span></p></div></div><div><div class=3D"h5"><p class=3D"MsoNormal=
"><u></u>=C2=A0<u></u></p><div><div id=3D"m_5090391823800934293yui_3_16_0_y=
m19_1_1476361441323_13447"><p class=3D"MsoNormal" style=3D"background:white=
"><span style=3D"font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;c=
olor:black">Kathleen and Al,<u></u><u></u></span></p></div><div><p class=3D=
"MsoNormal" style=3D"margin-bottom:12.0pt;background:white"><span style=3D"=
font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"><u></=
u>=C2=A0<u></u></span></p></div><div id=3D"m_5090391823800934293yui_3_16_0_=
ym19_1_1476361441323_13493"><div id=3D"m_5090391823800934293yui_3_16_0_ym19=
_1_1476361441323_13492"><div id=3D"m_5090391823800934293yui_3_16_0_ym19_1_1=
476361441323_13491"><div id=3D"m_5090391823800934293yui_3_16_0_ym19_1_14763=
61441323_13528"><p class=3D"MsoNormal" style=3D"background:white"><span sty=
le=3D"font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"=
><br>The &quot;Effect of Ubiquitous Encryption&quot; draft is an excellent =
summary of the impact on operations and network management posed by the cha=
nges to the security environment.=C2=A0=C2=A0<u></u><u></u></span></p></div=
><div id=3D"m_5090391823800934293yui_3_16_0_ym19_1_1476361441323_13528"><p =
class=3D"MsoNormal" style=3D"background:white"><span style=3D"font-family:&=
quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black"><u></u>=C2=A0<u></=
u></span></p></div><div id=3D"m_5090391823800934293yui_3_16_0_ym19_1_147636=
1441323_13528"><p class=3D"MsoNormal" style=3D"background:white"><span styl=
e=3D"font-family:&quot;Helvetica&quot;,&quot;sans-serif&quot;;color:black">=
Great work, guys!!!<br><br>I wanted to comment on a few things as far as th=
ey impact private enterprises.<br><br><br>1. In the Abstract: we may want t=
o remind the reader that network management includes troubleshooting becaus=
e a number of changes will need to be made in how troubleshooting is done.=
=C2=A0 I would suggest the following:<br><br>Old: This draft includes a col=
lection of current security and network management functions that may be im=
pacted by this shift to increased use of encryption. <br><br><br>New: This =
draft includes a collection of current security and network management (inc=
luding troubleshooting) functions that may be impacted by this shift to inc=
reased use of encryption.<br><br><br><br>2.=C2=A0 At the end of section 1, =
we might want to add that private enterprises are also considered.<br><br>S=
uggested words:<br><br>&quot;We will also consider the situation of the pri=
vate enterprise, where IP packet transport, applications, and infrastructur=
e are privately owned and contained within or interconnect private data cen=
ters.&quot; <br><br><br><br>3.=C2=A0 Then, I would suggest replacing Sectio=
ns 4 and 4.1 of the draft in its entirety with the words below:<br><br>****=
**************************<wbr>**************<br><br>4.=C2=A0 Encryption fo=
r Enterprise Users<br><br>Encryption of network traffic within the private =
enterprise is a growing trend, particularly in industries with audit and re=
gulatory requirements. Some enterprise internal networks are almost complet=
ely TLS and/or IPsec encrypted.<br><br>For each type of monitoring, differe=
nt techniques and parts of the data stream may be necessary.=C2=A0 As we tr=
ansition to an increased use of encryption that is increasingly harder to b=
reak, alternate methods of monitoring for operational purposes may be neces=
sary to prevent the need to break encryption and thus privacy of users (whi=
ch may not apply in a corporate setting by policy).<br><br><br>4.1.=C2=A0 M=
onitoring Needs of the Enterprise<br><br>Large corporate enterprises are th=
e owners of the platforms, data, and network infrastructure that provide cr=
itical business services to their user communities.=C2=A0 As such, these en=
terprises are responsible for all aspects of the performance, availability,=
 security, and quality of experience for all user sessions. These responsib=
ilities break down into three basic areas:<br><br>=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 1. Security Monitoring and Control<br>=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 2. Application Performance Monitoring and Reporting<br>=C2=A0 =
=C2=A0 =C2=A0 =C2=A0 =C2=A0 3. Network Diagnostics and Troubleshooting <br>=
<br>In each of the above areas, technical support teams utilize collection,=
 monitoring, and diagnostic systems that in some organizations currently us=
e static RSA private keys to decrypt<br>passively monitored copies of encry=
pted TLS packet streams.<br><br><br>To an enterprise (and the customers tha=
t it serves), the cost of network and/or application down time can be great=
.=C2=A0 The focus of enterprises in their private data centers is to delive=
r expected levels of service, performance, protection, and availability.<br=
> 4.1.1 Security Monitoring in the Enterprise
>
> Enterprise Security Monitoring breaks down into the following areas:
>
> 1. Data Loss Prevention - intercept outbound session traffic to monitor for
> intellectual property leakage (by users or more likely these days through
> malware and trojans),
>
> 2. Intrusion Detection/Intrusion Prevention - detect viruses/malware entering
> the network via email or web traffic,
>
> 3. Malware Detection - detect malware/Trojans in action, possibly connecting
> to remote hosts,
>
> 4. Security Analytics - detect attacks (Cross site scripting and other common
> web related attacks),
>
> 5. Track misuse and abuse by employees,
>
> 6. Restrict the types of protocols permitted to/from the corporate
> environment,
>
> 7. DDoS Prevention - detect and defend against Internet DDoS attacks,
> including both volumetric and layer 7 attacks.
>
> A significant portion of malware hides its activity within TLS or other
> encrypted protocols. This includes lateral movement, Command and Control, and
> Data Exfiltration. These functions are critical to security and fraud
> monitoring.
>
> To an enterprise (and the customers that it serves), the cost of network
> and/or application down time can be great. The focus of enterprises in their
> private data centers is to deliver expected levels of service, performance,
> protection, and availability. AND this can be accomplished using some form of
> traffic analysis sometimes including examination of the payload.
>
> 4.1.2 Application Performance Monitoring in the Enterprise
>
> 1. Assess traffic volume on a per-application basis, for billing, capacity
> planning, optimization of geographical location for servers or proxies, and
> other needs,
>
> 2. Assess performance in terms of application response time and user
> perceived response time,
>
> Network-based Application Performance Monitoring tracks application response
> time by user and by URL, which is the information that the application owners
> and the lines of business need. Content Delivery Networks (CDNs) add
> complexity in determining the ultimate endpoint destination. By their very
> nature, such information is obscured by CDNs and encrypted protocols --
> adding a new challenge for troubleshooting network and application problems.
> URL identification allows the application support team to do granular, code
> level troubleshooting at multiple tiers of an application.
>
> New methodologies to monitor user perceived response time and to separate
> network from server time are evolving. For example, the IPv6 Destination
> Option implementation of Performance and Diagnostic Metrics (PDM) will
> provide this. [draft-ietf-ippm-6man-pdm-option-06]
>
> 4.1.3 Enterprise Network Diagnostics and Troubleshooting
>
> One primary key to network troubleshooting is the ability to follow a
> transaction through the various tiers of an application in order to isolate
> the fault domain. A variety of factors relating to the structure of the
> modern data center and the modern multi-tiered application have made it
> impossible to follow a transaction in network traces without the ability to
> examine some of the packet payload.
>
> 4.1.3.1 NAT
>
> Content Delivery Networks (CDNs) and NATs obscure the ultimate endpoint
> designation. Troubleshooting a problem for a specific end user requires
> finding information such as the IP address and other identifying information
> so that their problem can be resolved in a timely manner.
>
> NAT is also frequently used by lower layers of the data center
> infrastructure. Firewalls, Load Balancers, Web Servers, App Servers, and
> Middleware servers all regularly NAT the source IP of packets. Combined with
> the fact that users are often sprayed randomly by load balancers to all these
> devices, the network troubleshooter is often left with no option in today's
> environment except to trace all packets at a particular layer, decrypt them
> all, and look at the payload to find a user session.
>
> This kind of bulk packet capture and bulk decryption is frequently required
> when troubleshooting a large and complex application. Endpoints typically
> don't have the capacity to handle this level of network packet capture, so
> out-of-band networks of robust packet brokers and network sniffers, which
> depend on static RSA private keys, have evolved to fill this need.
>
> 4.1.3.2 TCP Pipelining/Session Multiplexing
>
> When TCP Pipelining/Session Multiplexing is used, usually by Middle boxes
> today, multiple end user sessions share the same TCP connection. Today's
> network troubleshooter often relies upon session decryption to tell which
> packet belongs to which end user.
>
> With the advent of HTTP2, session multiplexing will be used ubiquitously,
> both on the Internet and in the private data center.
>
> 4.1.3.3 HTTP Service Calls
>
> When an application server makes an HTTP service call to back end services
> on behalf of a user session, it uses a completely different URL and a
> completely different TCP connection. It must be possible to match up the
> user request above with the HTTP service call below. Today, this is done by
> decrypting the TLS packet and inspecting the payload.
>
> 4.1.3.4 Application Layer Data
>
> Modern applications often use XML structures in the payload of the data to
> store application level information. When the network and application teams
> must work together, each has a different view of the transaction failure. It
> is important to be able to correlate the network packet with the actual
> problem experienced by an application.
>
> Thanks,
>
> Nalini Elkins
> Inside Products, Inc.
> www.insidethestack.com
> (831) 659-8360

-- 
Best regards,
Kathleen

--94eb2c07c97232f15a053f1a4fe7--


From nobody Mon Oct 17 23:40:08 2016
Return-Path: <asanso@adobe.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10A31129493 for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 23:40:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level: 
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0fYK0vv0whSK for <saag@ietfa.amsl.com>; Mon, 17 Oct 2016 23:40:02 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0074.outbound.protection.outlook.com [104.47.37.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF99F1293DA for <saag@ietf.org>; Mon, 17 Oct 2016 23:40:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adobe.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=UMTUg+Su+UXgjm622eUyAXTYIP1ZcYLit6BDbzIe+XA=; b=VE2zOeRCkJmVHGDqwLlFvMgnva3D0oTaBe5n7lNeAylwxL8djCWgIkrFHYH4oL5wBfaIOe1JYRWjJvmXFVsSlhCudiBNdE1e6GvaVsuvEC5MovAONyfP4BEFMXdDGXK5T1m6ADI/D27FaMprRL18hJAOCvxcMWH0MyhzdKGZ1+4=
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com (10.161.203.148) by BY1PR0201MB1029.namprd02.prod.outlook.com (10.161.203.147) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.659.11; Tue, 18 Oct 2016 06:40:01 +0000
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) by BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) with mapi id 15.01.0659.025; Tue, 18 Oct 2016 06:40:00 +0000
From: Antonio Sanso <asanso@adobe.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Possible backdoor in RFC 5114
Thread-Index: AQHSJFiqSvl175lGTEyC9BTnWXL4IqCtzDEA
Date: Tue, 18 Oct 2016 06:40:00 +0000
Message-ID: <EC7F9AA9-A6CF-4326-B299-02DF689954ED@adobe.com>
References: <B65455AD-F73C-40ED-B704-201B17CE1D4B@adobe.com>
In-Reply-To: <B65455AD-F73C-40ED-B704-201B17CE1D4B@adobe.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=asanso@adobe.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.147.117.11]
x-ms-office365-filtering-correlation-id: 26e9e06d-6d6b-4a4d-d528-08d3f72195de
x-microsoft-exchange-diagnostics: 1; BY1PR0201MB1029; 7:xPnuYXHGWv7Z2wiqWvHHReA5wYB3w7UNO+PgSHGKB4Nb3SKt/nquaG1qd+/nl7cTmYV3e7yyYltw5TL1jzQ4zIja6/BwbbemhwdUIyLODLK+IiOjThDN6oDVGMRvrae8zLJCkGWKoDqdGxD6GsnhN9RuiKU9UEGrIWyE2SHIXS9VAFtQb49AyFoMin5QNGF2klboI79vu/fu5Rb4rY1M6hlAb5ZjVXowiwFq7YiyAJeBRgApdCg+zgOutOoEZ2MeqmhVm0JKwQE+33g5Gl8bK1wcKnLRM+FgG1uX53SlsItkhIgaPvSoMXU5SwiX6723Qb4M0kZI+V/JCOZ/jXYWDsFCPqBmlaDLUDGKdtGjhwQ=; 20:TB1GP6TKvYQLxh+OnDwVtrVifzMbFxPFdFNDmZTwy/dFNM14gVTh3+qyjlPyGNR+K7cVEsqJ6PMP5ylFf0+FjLHT6/HdJMrZHWTLboy3qMAO0gMKuANRBWjsq8+JUAXk93RZsl4EOdn1SWetQQT6tfaADt6xWHMljXVYBQxCR6c=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0201MB1029;
x-microsoft-antispam-prvs: <BY1PR0201MB1029A06804B4B6BB9E96AC7FD9D30@BY1PR0201MB1029.namprd02.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038); SRVR:BY1PR0201MB1029; BCL:0; PCL:0; RULEID:; SRVR:BY1PR0201MB1029; 
x-forefront-prvs: 00997889E7
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(7916002)(199003)(189002)(3846002)(7846002)(33656002)(7736002)(97736004)(50986999)(5660300001)(10090500001)(107886002)(36756003)(86362001)(102836003)(82746002)(2900100001)(6116002)(87936001)(83716003)(450100001)(77096005)(15975445007)(92566002)(19580395003)(66066001)(68736007)(101416001)(105586002)(106116001)(2351001)(106356001)(1730700003)(8676002)(81166006)(8936002)(586003)(5002640100001)(99286002)(2906002)(10400500002)(3660700001)(3280700002)(6916009)(2950100002)(2501003)(76176999)(122556002)(110136003)(189998001)(81156014)(54356999)(5640700001)(305945005)(104396002); DIR:OUT; SFP:1101; SCL:1; SRVR:BY1PR0201MB1029; H:BY1PR0201MB1030.namprd02.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: adobe.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <DE2671532E6F424DA9D05CC7CAFA040A@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Oct 2016 06:40:00.6349 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0201MB1029
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/rJSt20GtpQmpmeKAFyH-Ph8Nw74>
Subject: Re: [saag] Possible backdoor in RFC 5114
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 06:40:06 -0000

hi *,

> IANA numbers have been assigned to them for IKE, but they have not seen widespread use

just for the sake of completeness you can find a detailed analysis of RFC 5114's usage in the wild in "Measuring small subgroup attacks against Diffie-Hellman" [0]

regards

antonio

[0] https://eprint.iacr.org/2016/995.pdf
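The paper cited above is about small subgroup attacks, and the check that defends against them is worth seeing in code. In a group where p-1 has small factors besides the intended subgroup order q (as in the RFC 5114 groups, unlike a safe-prime group with p = 2q+1), a peer can send a public value of small order, and using it in the DH computation leaks the local exponent modulo those small factors unless the value is first checked to lie in the order-q subgroup. The Go code below is an added example written for this thread, not code from the paper or from any IKE implementation; it uses a constructed toy group (p = 67, q = 11, g = 64, chosen so that p-1 = 2 * 3 * 11) rather than the real RFC 5114 parameters.

```go
package main

import (
	"fmt"
	"math/big"
)

// Constructed toy group for illustration only, NOT an RFC 5114 group:
// p = 67 is prime and p-1 = 2 * 3 * 11, so the multiplicative group mod p
// has subgroups of order 2, 3 and 11. The intended DH subgroup has prime
// order q = 11 and generator g = 64. As with the RFC 5114 groups (and
// unlike a safe-prime group where p = 2q+1), p-1 has small factors other
// than q, so a peer can send a value of order 2 or 3 and it must be rejected.
var (
	toyP = big.NewInt(67)
	toyQ = big.NewInt(11)
	toyG = big.NewInt(64)
	one  = big.NewInt(1)
)

// ValidatePublicValue reports whether y is an acceptable DH public value for
// the group (p, q): 1 < y < p-1 and y^q == 1 (mod p), i.e. y lies in the
// prime-order subgroup. Computing a shared secret from a y outside that
// subgroup leaks the local exponent modulo the small factors of p-1.
func ValidatePublicValue(p, q, y *big.Int) bool {
	pMinus1 := new(big.Int).Sub(p, one)
	if y.Cmp(one) <= 0 || y.Cmp(pMinus1) >= 0 {
		return false // 0, 1 and p-1 have order 1 or 2 and are never acceptable
	}
	return new(big.Int).Exp(y, q, p).Cmp(one) == 0
}

// SharedSecret computes peer^own mod p, but only after the peer's value has
// passed subgroup validation.
func SharedSecret(p, q, peer, own *big.Int) (*big.Int, error) {
	if !ValidatePublicValue(p, q, peer) {
		return nil, fmt.Errorf("peer value %v is not in the order-%v subgroup mod %v", peer, q, p)
	}
	return new(big.Int).Exp(peer, own, p), nil
}

// ToyValid and ToySharedSecret apply the same checks to the toy group with
// plain integers, for the demonstration below.
func ToyValid(y int64) bool { return ValidatePublicValue(toyP, toyQ, big.NewInt(y)) }

func ToySharedSecret(peer, own int64) (int64, error) {
	s, err := SharedSecret(toyP, toyQ, big.NewInt(peer), big.NewInt(own))
	if err != nil {
		return 0, err
	}
	return s.Int64(), nil
}

func main() {
	fmt.Println("g^5 = 25 accepted:", ToyValid(25)) // 64^5 mod 67 = 25, a legitimate value
	// 37 has order 3 mod 67 (37^3 == 1 mod 67): an element of a small subgroup.
	fmt.Println("order-3 element 37 accepted:", ToyValid(37))
	// p-1 == -1 has order 2.
	fmt.Println("p-1 accepted:", ToyValid(66))
	if _, err := ToySharedSecret(37, 7); err != nil {
		fmt.Println("refused:", err)
	}
	s, _ := ToySharedSecret(25, 7) // 25^7 mod 67 = 9
	fmt.Println("shared secret from a validated value:", s)
}
```

The same y^q == 1 (mod p) test applies unchanged to the real groups once p and q are taken from RFC 5114; an implementation that only checks 1 < y < p-1 accepts the order-2 and order-3 values above.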


From nobody Tue Oct 18 02:40:42 2016
Return-Path: <dot@dotat.at>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 184171295CC for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 02:40:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LdjWzo1M39yz for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 02:40:39 -0700 (PDT)
Received: from ppsw-41.csi.cam.ac.uk (ppsw-41.csi.cam.ac.uk [131.111.8.141]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FAF9129565 for <saag@ietf.org>; Tue, 18 Oct 2016 02:40:39 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:37656) by ppsw-41.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.139]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1bwQsv-00016w-RP (Exim 4.86_36-e07b163) (return-path <dot@dotat.at>); Tue, 18 Oct 2016 10:40:37 +0100
Date: Tue, 18 Oct 2016 10:40:37 +0100
From: Tony Finch <dot@dotat.at>
To: Jeffrey Walton <noloader@gmail.com>
In-Reply-To: <CAH8yC8k39251SehL9UDgiszK-NTCSW4xUQYXLo2+3t-zS71M1Q@mail.gmail.com>
Message-ID: <alpine.DEB.2.11.1610181030490.31786@grey.csi.cam.ac.uk>
References: <CAH8yC8k39251SehL9UDgiszK-NTCSW4xUQYXLo2+3t-zS71M1Q@mail.gmail.com>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/JDugNmf552_O4mH6Dd4XtlKlMRw>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Roughtime (Was: software update for teeny-weeny devices)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 09:40:41 -0000

Jeffrey Walton <noloader@gmail.com> wrote:
>
> If I am on a train with 100 other people or a stadium with 500 people
> around me, then it seems like a gossip protocol would be able to
> provide the correct time also.
>
> The crowd always seems to converge on the right answer regardless of
> how wrong one sampling is. I've been looking for a paper that explains
> it for a couple of years now.

I did some brief and sketchy experiments along these lines a few years
ago, but instead of a gossip protocol I was looking for consensus of
opinion across many authenticated (but not individually trusted) time
sources. Basically, a wrapper around tlsdate that samples several servers
and looks for the mode.

http://fanf.livejournal.com/128861.html
http://fanf.livejournal.com/129371.html

I am interested if anyone has properly analysed how much security we can
expect to get from this kind of consensus.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
North Fitzroy, Sole: Northwesterly 4 or 5, occasionally 6 in Sole, becoming
variable 3 or 4. Moderate or rough. Fair. Good.
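The sampling-and-mode idea in Tony's message, as an added example that is not his wrapper or any code from the thread: it takes the answers from several authenticated sources (constructed here, with hypothetical server names), finds the largest set that agree to within a tolerance, and only returns a time when that set is a strict majority of all sources. The names of the sources outside the agreeing set come back as outliers so they can be logged.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Sample is one authenticated server's answer, as a wrapper around tlsdate
// (or any other authenticated time source) would collect it.
type Sample struct {
	Source string
	When   time.Time
}

// ConsensusTime finds the largest set of samples that agree with each other
// to within tolerance and, if that set is a strict majority of all sources,
// returns its median as the consensus time, plus the names of the sources
// outside the set. With no strict majority the answer is ambiguous and an
// error is returned rather than a guess.
func ConsensusTime(samples []Sample, tolerance time.Duration) (time.Time, []string, error) {
	if len(samples) == 0 {
		return time.Time{}, nil, errors.New("no samples")
	}
	sorted := append([]Sample(nil), samples...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].When.Before(sorted[j].When) })

	// Slide a window over the sorted samples and keep the longest run whose
	// spread fits inside tolerance.
	bestStart, bestCount := 0, 0
	for i := range sorted {
		j := i
		for j < len(sorted) && sorted[j].When.Sub(sorted[i].When) <= tolerance {
			j++
		}
		if j-i > bestCount {
			bestStart, bestCount = i, j-i
		}
	}
	if bestCount*2 <= len(sorted) {
		return time.Time{}, nil, fmt.Errorf("no majority: largest agreeing cluster is %d of %d sources", bestCount, len(sorted))
	}
	var outliers []string
	for i, s := range sorted {
		if i < bestStart || i >= bestStart+bestCount {
			outliers = append(outliers, s.Source)
		}
	}
	cluster := sorted[bestStart : bestStart+bestCount]
	return cluster[len(cluster)/2].When, outliers, nil
}

// constructedSamples returns made-up answers from five hypothetical servers:
// four agree to within a second, one is ten minutes out.
func constructedSamples(base time.Time) []Sample {
	return []Sample{
		{Source: "time-a.example", When: base},
		{Source: "time-b.example", When: base.Add(200 * time.Millisecond)},
		{Source: "time-c.example", When: base.Add(-300 * time.Millisecond)},
		{Source: "time-d.example", When: base.Add(600 * time.Millisecond)},
		{Source: "time-e.example", When: base.Add(10 * time.Minute)},
	}
}

func main() {
	base := time.Date(2016, 10, 18, 10, 40, 0, 0, time.UTC)
	when, outliers, err := ConsensusTime(constructedSamples(base), 2*time.Second)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("consensus:", when.Format(time.RFC3339Nano))
	fmt.Println("disagreeing sources:", outliers)
}
```

The strict-majority rule is what keeps a split vote (say two sources at one time and two at another) from producing an answer; how much that buys against sources that are authenticated but colluding is exactly the open question Tony raises.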


From nobody Tue Oct 18 03:00:45 2016
Return-Path: <benlaurie@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFABF12999F for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 03:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level: 
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xiyS9Z5fqwAF for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 03:00:42 -0700 (PDT)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E124712998D for <saag@ietf.org>; Tue, 18 Oct 2016 03:00:41 -0700 (PDT)
Received: by mail-lf0-x233.google.com with SMTP id x79so347046716lff.0 for <saag@ietf.org>; Tue, 18 Oct 2016 03:00:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=UMlXkBScp5uRHdjB++IFKUkEtaKpiogqA+MB1W273+8=; b=IzffQiaVoSR8pQ3YSHOs+3T2x6Fb7QspuDvG2MBJfDBiL/YWKGra4Fa0jwLfpCFTAr I/TG2MYLRg/hv/RmbwCRhgyeSPPbNW3J8WBWr+TJE5z1Q+T9MZ8ByKAviMNKSN0MUO6p 3+aT0R3zDYGFzfcgDaeyX4a58NS6SAFrP9a700U+7ZZxcehC3sW7kCo/pAqQ7unnhkro REFU0jY6AiSwGLzjtle+4WyWk/QWf8X0p7zD9zCOdJ8ajT0qlEjR2ZYzSrXlbzu6Eb2r 8hAvekZdje8Ra8gJFDKZTDpldQ10LnX34vSwM6i7QynWISsssNNdJFwWBlaz4f8RKQb1 WaGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=UMlXkBScp5uRHdjB++IFKUkEtaKpiogqA+MB1W273+8=; b=FnGWNAdyhUKX4xr0zr0GLga61ufXEPOGjJy7/ojLmgT6dqAFjJ7NZOe7ODBurq77ij SEvv3ckvC+btRoyqvIZy9IbhrWs7/uRbvdFvahg5MagYhTYT9A5M2li9mj2FT4EfhN0/ R0rD7LtXhlT6iZ7+50HfddLm82dyP67L7hOtz5QdmKiKNsJUnju0LEdRnLWN66R/mIHT oJ+yIlpNnNq4gZLsJdMtzwOJG6XLfpdf8/qQXyE4jPcAMC4FR8SS0NyMqjeoXL66FLfk i5oqRXdOuxJLpvvGGsmGFVl9WR6LYqeEMYWHTjKAhg/sWbndaqpx4aPZvX6p1aVMIkdT 3X1g==
X-Gm-Message-State: AA6/9RkWbiW/KUxVBIAubNLJVaNVJ9+KHc3jmEzSBdzFWlSesbi73t2dyyyo0hqznfCUjITRBf2DR8ehP2ngOQ==
X-Received: by 10.28.54.142 with SMTP id y14mr11777996wmh.11.1476784839999; Tue, 18 Oct 2016 03:00:39 -0700 (PDT)
MIME-Version: 1.0
Sender: benlaurie@gmail.com
Received: by 10.80.163.39 with HTTP; Tue, 18 Oct 2016 03:00:38 -0700 (PDT)
In-Reply-To: <CAH8yC8k39251SehL9UDgiszK-NTCSW4xUQYXLo2+3t-zS71M1Q@mail.gmail.com>
References: <CAH8yC8k39251SehL9UDgiszK-NTCSW4xUQYXLo2+3t-zS71M1Q@mail.gmail.com>
From: Ben Laurie <ben@links.org>
Date: Tue, 18 Oct 2016 11:00:38 +0100
X-Google-Sender-Auth: c6spOgkzcycQ7VGYg6Q01fgHU2s
Message-ID: <CAG5KPzxz38zRaO=QbTG28JPeQdTiRRJDz5TewuEWUXN0hFGMmA@mail.gmail.com>
To: Jeffrey Walton <noloader@gmail.com>
Content-Type: multipart/alternative; boundary=001a114364dccc4aa8053f20c3f5
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/y1UUxRnMhlqSnIKxeUHVe7kihZk>
Cc: "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] Roughtime (Was: software update for teeny-weeny devices)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 10:00:44 -0000

--001a114364dccc4aa8053f20c3f5
Content-Type: text/plain; charset=UTF-8

On 18 October 2016 at 01:48, Jeffrey Walton <noloader@gmail.com> wrote:

> >> Our story for
> >> providing time securely to these device isn't that great either since
> >> NTP again assumes that you have been configured with the correct time.
> >
> > How so?
> >
> > BTW, are you aware of roughtime? https://roughtime.googlesource.com/roughtime
>
> I'm not sure this is entirely correct: "There are essentially only two
> ways to achieve this [accurate or fresh time]: nonces or synchronised
> clocks.".
>

"this" is actually "ensure that information is 'fresh' in secure
protocols", not accurate time.

--001a114364dccc4aa8053f20c3f5--
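The nonce half of "nonces or synchronised clocks" from the quoted roughtime text, as an added example that is not code from the roughtime project and does not use its wire format: the client binds its request to a fresh random nonce, the server signs nonce||time with Ed25519, and the client accepts only a response that echoes its own nonce under the expected server key. The key pair, nonce size and encoding here are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Response is the server's signed answer: the client's nonce echoed back,
// the server's time in nanoseconds since the Unix epoch, and an Ed25519
// signature over nonce||time. This is a constructed toy format, not the
// Roughtime wire format.
type Response struct {
	Nonce []byte
	Time  int64
	Sig   []byte
}

// NewKeyPair creates the server's long-term signing key (hypothetical; the
// client is assumed to already know the public half).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewNonce draws the 32-byte random value the client binds the request to.
func NewNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// signedBytes is the exact byte string the signature covers.
func signedBytes(nonce []byte, t int64) []byte {
	buf := make([]byte, len(nonce)+8)
	copy(buf, nonce)
	binary.LittleEndian.PutUint64(buf[len(nonce):], uint64(t))
	return buf
}

// ServerRespond answers a request by signing the client's nonce together
// with the server's current time.
func ServerRespond(priv ed25519.PrivateKey, nonce []byte, now time.Time) Response {
	t := now.UnixNano()
	return Response{Nonce: nonce, Time: t, Sig: ed25519.Sign(priv, signedBytes(nonce, t))}
}

// ClientVerify accepts a response only if it echoes the nonce this client
// generated for this request and the signature over nonce||time checks
// under the expected server key. The client needs no clock of its own: the
// nonce proves the answer was produced after the request was made, so a
// captured earlier response cannot be replayed.
func ClientVerify(pub ed25519.PublicKey, nonce []byte, r Response) (time.Time, error) {
	if !bytes.Equal(r.Nonce, nonce) {
		return time.Time{}, errors.New("nonce mismatch: response is not for this request")
	}
	if !ed25519.Verify(pub, signedBytes(r.Nonce, r.Time), r.Sig) {
		return time.Time{}, errors.New("bad signature: not from the expected server, or modified")
	}
	return time.Unix(0, r.Time).UTC(), nil
}

func main() {
	pub, priv := NewKeyPair()
	nonce := NewNonce()
	resp := ServerRespond(priv, nonce, time.Date(2016, 10, 18, 10, 0, 0, 0, time.UTC))
	when, err := ClientVerify(pub, nonce, resp)
	fmt.Println("fresh response:", when, err)
	// A second request must use a new nonce; the old response no longer verifies.
	_, err = ClientVerify(pub, NewNonce(), resp)
	fmt.Println("replayed response:", err)
}
```

What the nonce gives is freshness relative to the request, nothing more: the returned time is still only as good as the server that signed it, which is why a client that cannot trust any single server has to ask several.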


From nobody Tue Oct 18 03:33:43 2016
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D8AC1295F0; Tue, 18 Oct 2016 03:33:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 995m5imHtauK; Tue, 18 Oct 2016 03:33:35 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 806B9129421; Tue, 18 Oct 2016 03:33:35 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9IAXTj8010256 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 18 Oct 2016 13:33:29 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9IAXSoR020344; Tue, 18 Oct 2016 13:33:28 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <22533.64120.595277.953942@fireball.acr.fi>
Date: Tue, 18 Oct 2016 13:33:28 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 13 min
X-Total-Time: 34 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/a7DZ8XQEnU2WKtcIMusHn5Fhcqg>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec]   trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 10:33:37 -0000

Yoav Nir writes:
> I'm not entirely comfortable with calling something a MUST NOT when all we
> have is conjecture, but I have no love and no need of those DH groups.

Same here, and it also makes it so that we cannot say our
implementation is conforming to rfc4307bis, even when we do already have
support for AES, SHA2, 2048-bit DH, i.e. all the mandatory to
implement algorithms in the new document, but we do also have code to
propose the RFC5114 MODP groups, if the user configures them to be used.

Changing that is of course very easy to do in the implementation, but
before this is deployed etc. will take some time, and there is a chance
that some customer has explicitly configured the RFC5114 2048-bit MODP group
in use, and by removing that we suddenly break their existing
configuration.

It is always annoying to explain to a customer why we explicitly broke
their existing configurations unless there is a real security reason for
it. Looking at the paper, this only applies to the 1024-bit MODP
group in RFC5114; even the paper says that 2048-bit MODP groups are
safe, even if they would have the same backdoor.

We are already downgrading the normal 1024-bit MODP group to SHOULD NOT,
and this would make it two reasons to make the RFC5114 1024-bit MODP group
SHOULD NOT (too short, and might be backdoored), so perhaps the
compromise can be to make RFC5114 1024-bit MODP group number 22
MUST NOT, and keep groups 23-24 as SHOULD NOTs.

Anyways we need to modify the rfc4307bis text and add a reference to
this paper, as one more reason why groups 22-24 MUST NOT/SHOULD NOT be
used.

> I don't believe anyone else depends on these groups (at least in
> IPsec), so I'm fine with such a change.

I do not think people depend on them, but I assume there are quite a
lot of implementations out there that can be configured to use them if
explicitly asked, thus making them MUST NOT will make it so that those
implementations will not be conforming to rfc4307bis.
-- 
kivinen@iki.fi


From nobody Tue Oct 18 05:47:41 2016
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7356912957A; Tue, 18 Oct 2016 05:47:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRlkkTXbDSxY; Tue, 18 Oct 2016 05:47:39 -0700 (PDT)
Received: from mail-qk0-x22e.google.com (mail-qk0-x22e.google.com [IPv6:2607:f8b0:400d:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C45BA12949A; Tue, 18 Oct 2016 05:47:38 -0700 (PDT)
Received: by mail-qk0-x22e.google.com with SMTP id n189so290132883qke.0; Tue, 18 Oct 2016 05:47:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ghH067bqQRQTItA31F/3FfdTaq7a2laQaCUAsqFRmhE=; b=h/rdnq1avW/NtGqWSWHFCapwrwLoRhgCV+pGM20ac5sZ79/22/IVvDskzYEzs0bCFk DPUVRmsL2/1wIK4qsqjWcyBHuqsvoi6TCyHiLRlc4qrkQucZoFx5IZRPb3+lay5YlnJ+ qJRTUw7Jtbu8qaFOIRgsQDkX9E4rFXLx4HG5OIhxvTadJrNAuy1Z1V4R17Oqf4INhB0U 1U+kWjdSbt8KFc5dLLsDmC1yPpwGK/JDU2VLDnABsjrLo1ZEBzyKr1S5So+jIsER8R4j 39dL5Jgi0HDBBOCzs0OaY6DoFP31Y6Z1A0fQ5NJZKDHyVhdTEEvxf4Vo1nAinb+mkhlh lAHQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ghH067bqQRQTItA31F/3FfdTaq7a2laQaCUAsqFRmhE=; b=ly75vOVx5Mm/HRS819BZS7XRjQLWJSKzryCUyTxrvP/6B2XqgGK1hZ0Vn0soN4MRQA S9nn/Lw1t+kbFdR3GeDjEwebEExti/uhBBOyxKUSiJ+th8CWGlXC57e8gHZqK6dlPMk7 1/hue9uMoo1dYkK+gJODNuilN7WJbhcbfYRT5wR8MAegGptANucPv237A9RwUWAJFi3F bNH6seOzl4M8Cqks8KOK3GR2YNMXp9R++d+1vlA2TNWHsYABkLjrRRNjCVk99D+B6nUS ZzCTuUWcxu5jZwAXk5W70X4Kda3Pxb8VTdcgAht4QWmsbN3pqYDOsd6+A9LWtobf+hK5 ODOQ==
X-Gm-Message-State: AA6/9RkhKoG/ni8pFeZeECVYTfLtIYtHp5iIrtlTEmEwoV83BV0JHtEJchyY097U5GImLw==
X-Received: by 10.194.143.47 with SMTP id sb15mr162095wjb.110.1476794857890; Tue, 18 Oct 2016 05:47:37 -0700 (PDT)
Received: from [172.24.250.180] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id g17sm62596505wjs.38.2016.10.18.05.47.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Oct 2016 05:47:37 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca>
Date: Tue, 18 Oct 2016 15:47:34 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <A54A2CC3-EFE4-4B13-8902-5FC34FDAEC83@gmail.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kBm9rQlf-knU-dskAekdJdrjKTM>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec]   trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 12:47:40 -0000

> On 17 Oct 2016, at 19:19, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Mon, 17 Oct 2016, Yoav Nir wrote:
> 
>> I'm not entirely comfortable with calling something a MUST NOT when all we have is conjecture,
> 
> It's a little more than conjecture.
> 
> 1) It has been proven that malicious 1024 bit DH values can be generated
>   by academia that cannot be independently discovered. Therefore any
>   nation state with access to the same theory and more CPU power could
>   have done this years ago.

Someone can trapdoor 1024-bit values, therefore someone else can trapdoor 2048-bit values.

> 2) We have the RFC 5114 values whose original authors/sponsors are not
>   disclosing how these were generated.
> 
> 1) + 2) means we cannot know if these values were trapdoor'ed.

Yeah, we cannot know. That's why it's conjecture.

Yoav


From nobody Tue Oct 18 05:50:38 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAEE31295CE; Tue, 18 Oct 2016 05:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Level: 
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zvPhuDFPYf58; Tue, 18 Oct 2016 05:50:29 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E5A3129638; Tue, 18 Oct 2016 05:50:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1476795026; x=1508331026; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Qq5MhfuybKkuTjy4zDv3JmgTzxXlX2h3KcIusIgFYOk=; b=VhqR0GnotjnSQI2jhVlL/lDqvKzcCahj2plH/HN7SWpAe3B/gnk6kj3Z 7AqKDw+wSpm80qdODbLpxVaXiCSO5mY+DqN+PpRRRmA0Gk62vYbhqCymy kpB96Xar50GPjBr5vDRE0JPTKmaPbri8IgOh2pMALdnMNdfvFclSUpsY7 jKKwN+wr5RcKypQniPckq0SFFgI+qoKKUCZEX3DbHa6T8AQm3d3/eb/+i BLmYcbanaF8FDYnsp4UuAQe3oy0auXHOIzsuNY/RC3C/jm8qnLGj+vulJ eBH8AaQqnxykDBRLSbdKjaDC5LgGxoJYy6+Chl9ThMzTWIXL7PooTN8Zm w==;
X-IronPort-AV: E=Sophos;i="5.31,361,1473076800"; d="scan'208";a="110827870"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.4 - Outgoing - Outgoing
Received: from uxcn13-ogg-c.uoa.auckland.ac.nz ([10.6.2.4]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 19 Oct 2016 01:50:24 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-c.UoA.auckland.ac.nz (10.6.2.24) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 19 Oct 2016 01:50:24 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Wed, 19 Oct 2016 01:50:24 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Yoav Nir <ynir.ietf@gmail.com>, Paul Wouters <paul@nohats.ca>
Thread-Topic: [saag] [IPsec]   trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKJBVMii7pwSBmUObyTN/Wey1dKCr+WYAgAFXIwCAANqPSA==
Date: Tue, 18 Oct 2016 12:50:24 +0000
Message-ID: <1476795020698.67090@cs.auckland.ac.nz>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca>, <A54A2CC3-EFE4-4B13-8902-5FC34FDAEC83@gmail.com>
In-Reply-To: <A54A2CC3-EFE4-4B13-8902-5FC34FDAEC83@gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/htBtO4-ll5LrV7dFLtPE6maignE>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec]   trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 12:50:33 -0000

Yoav Nir <ynir.ietf@gmail.com> writes:

>Someone can trapdoor 1024-bit values, therefore someone else can trapdoor
>2048-bit values.

Yep, space aliens.  However I'm really not too worried about those at the
moment.

Peter.


From nobody Tue Oct 18 05:51:55 2016
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 064281295CE; Tue, 18 Oct 2016 05:51:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jul0Ar7mhDYy; Tue, 18 Oct 2016 05:51:48 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FF43129A3C; Tue, 18 Oct 2016 05:51:48 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id t193so136651087ywc.2; Tue, 18 Oct 2016 05:51:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=KGETESt+xk5jcXV/fNQJ+b/toJkcA1oGvPawuV3zgLA=; b=MHb7z4s5D5viuGD0tyMTPcRRjXNL6/RfzUcSxxEG3ivrbgdYj9+Qy/kubqfZrXvfcO +hi0/RPQutMU0zCIbXYvuqkqvPEveTl8I8MGHjWChYqCs4yg5LYHNcHMQt2P1qqMtBvq 7TrMZnXynlhZajGvHv18fgQn82KEq/SfGUfmeCq3CcLh7zMY4LnHGxM/UV3AHpzelkZZ CJhnz1Wiko2LFMUxk3P3z1HYbCI0lzYJIL4DnOmydhFigdi5pqW4XffWsHxIppZ1tuL4 jePEzKdYxGEFOr1RGwBUqzS2yO5a2sorF0YH5TsnuAJYtql3tUimzI3fGdjKwXe12MGV C2Nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=KGETESt+xk5jcXV/fNQJ+b/toJkcA1oGvPawuV3zgLA=; b=m4IDMA/hzlJVkv38DemJJ3nGqYAwx2Qv/S2RjFor3TTjBSgn0uRMAgxrhmA5f8wG4r HHgfSzfs8dywqtDWrQTO6zKzlRmDIsrtrxtVxMPtte3I1LJKX5KjHfrF5H9n3cKo1UA1 IAQuR+k4b7iHJ7DMTdFp4c7/WDWe6t67d9457Oc8m9N1mc2fliZ9MPQZsskwtc6gCTbX YJF27LDKF64Na5o3PYKHUiQ9EnAmD1N7l+wfUbj35mjZXZfc7DegB3SNp6M71qWJBwFk Adar25EWqk+VC0jjwUt4CCmRwor+xcwHKGFgzeF1KwGjA4Bk+EaLKFci0qIBBj8W91mo Aq9w==
X-Gm-Message-State: AA6/9RnWyiCR8nXdMymZ2yVA9MvDboZ3oR9NBJQ2kK0rA80JNZbDo1U9xo4dNkHsoV04Lg==
X-Received: by 10.28.25.68 with SMTP id 65mr581529wmz.93.1476795107817; Tue, 18 Oct 2016 05:51:47 -0700 (PDT)
Received: from [172.24.250.180] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id o1sm62694963wjh.9.2016.10.18.05.51.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Oct 2016 05:51:47 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <22533.64120.595277.953942@fireball.acr.fi>
Date: Tue, 18 Oct 2016 15:51:45 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <913F2EDE-2945-4036-A555-51611F8CF5AC@gmail.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <22533.64120.595277.953942@fireball.acr.fi>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qqoLkOh3dCeCTbytTlUe66rcRJI>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec]   trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 12:51:50 -0000

> On 18 Oct 2016, at 13:33, Tero Kivinen <kivinen@iki.fi> wrote:
> 
> Yoav Nir writes:
>> I’m not entirely comfortable with calling something a MUST NOT when all we
>> have is conjecture, but I have no love and no need of those DH groups.
> 
> Same here, and it also makes it so that we cannot say our
> implementation is conforming to rfc4307bis, even when we do already have
> support for AES, SHA2, 2048-bit DH, i.e. all the mandatory to
> implement algorithms in the new document, but we do also have code to
> propose the RFC5114 MODP groups, if the user configures them to be used.

I don’t think that’s the right way to interpret compliance with
RFC4307bis. If you can configure your implementation to support only
algorithms that are MUST, SHOULD, or MAY in the document, then you can
configure your implementation to comply with 4307bis. I don’t think
implementation compliance requires pulling out code.

Our implementation allows the user to key in long hex strings to
construct MODP groups that are not available out of the box. With your
interpretation we can never be compliant because they can always make up
their own 512-bit group and add that to the available groups.

Yoav


From nobody Tue Oct 18 06:24:40 2016
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89D08129A6A; Tue, 18 Oct 2016 06:24:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ISPAotSbBZ5x; Tue, 18 Oct 2016 06:24:38 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D842129A64; Tue, 18 Oct 2016 06:24:38 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id u9IDOYn9013841 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 18 Oct 2016 16:24:34 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u9IDOYgB029757; Tue, 18 Oct 2016 16:24:34 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-ID: <22534.8850.6018.431180@fireball.acr.fi>
Date: Tue, 18 Oct 2016 16:24:34 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <913F2EDE-2945-4036-A555-51611F8CF5AC@gmail.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <22533.64120.595277.953942@fireball.acr.fi> <913F2EDE-2945-4036-A555-51611F8CF5AC@gmail.com>
X-Mailer: VM 8.2.0b under 24.5.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 10 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/LCSu7StLUUTQXeiwlMfsZvXOOBA>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec]   trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 13:24:39 -0000

Yoav Nir writes:
> > Same here, and it also makes it so that we cannot say our
> > implementation is conforming to rfc4307bis, even when we do already have
> > support for AES, SHA2, 2048-bit DH, i.e. all the mandatory to
> > implement algorithms in the new document, but we do also have code to
> > propose the RFC5114 MODP groups, if the user configures them to be used.
> 
> I don’t think that’s the right way to interpret compliance with
> RFC4307bis. If you can configure your implementation to support only
> algorithms that are MUST, SHOULD, or MAY in the document, then you
> can configure your implementation to comply with 4307bis. I don’t
> think implementation compliance requires pulling out code.

When rfc4307bis says MUST NOT do DES, and MUST NOT do 768-bit MODP, I
assume that to be conforming to that document, the user is not able to
configure DES with a 768-bit MODP group.

Of course MUST NOTs are difficult, as it is really hard to show where
in your code you implement this specific MUST NOT (yes, there was one
customer asking us to point out where in the code we implement each MUST
NOT).

> Our implementation allows the user to key in long hex strings to
> construct MODP groups that are not available out of the box. With
> your interpretation we can never be compliant because they can
> always make up their own 512-bit group and add that to the available
> groups.

That is a different issue, as this is a SHOULD feature in RFC 7296:

   parameters, up to certain size limits.  In support of this goal, all
   implementations of IKEv2 SHOULD include a management facility that
   allows specification (by a user or system administrator) of Diffie-
   Hellman parameters (the generator, modulus, and exponent lengths and
   values) for new Diffie-Hellman groups.  Implementations SHOULD
   provide a management interface through which these parameters and the
   associated Transform IDs may be entered (by a user or system
   administrator), to enable negotiating such groups.

Also there is nothing in rfc4307bis saying that that is a MUST
NOT...

On the other hand, if someone uses that interface to configure the
768-bit MODP group 1, then he is going against a MUST NOT in rfc4307bis,
and his system is no longer conforming... It might be a good idea to limit
that interface so it will not allow any groups which are shorter than
1024 bits, just so users cannot do stupid things...
-- 
kivinen@iki.fi


From nobody Tue Oct 18 06:55:29 2016
Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FE2A12948C for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 06:55:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qq39PT2x4Ypm for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 06:55:25 -0700 (PDT)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F1961294AB for <saag@ietf.org>; Tue, 18 Oct 2016 06:55:24 -0700 (PDT)
Received: by mail-yw0-x22c.google.com with SMTP id t192so139216926ywf.0 for <saag@ietf.org>; Tue, 18 Oct 2016 06:55:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7w6/FoN5BFoIu+9Pp4DqwxxjecAyw3j+3Cp9XcwSco4=; b=qgv4hKf9jv4cQzjhxS5dSXIMblA7bHp/iJLl7OchBJYtMHgjuaUdKz5M6JSX+Z2WQh Cz+095PJn1am2g+GS3vh0MgS42DUP4NE0/fIdwRRlkA0yjpdaMvNR0RHfQMuaV8omz4m nl3DZelyAhe58PIxiXiDkArKvs6ZZHMPclsxRlvdHpYyfltGaW+/WyMjOOCyPaB8TvrX t83i6qAEwiT2QHn+02GzgSYNlos2WmtPhOWPWuv0D3CN7zh+otj1DUNjbHQZKf5Sw2ZR hD920PfAmRvM2/O4sG6A8h276PRjp7IXqaFYOUVQtDUAlW3aSouOfj25i8AH4k78fKA4 LRBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7w6/FoN5BFoIu+9Pp4DqwxxjecAyw3j+3Cp9XcwSco4=; b=XxvKzQDSazZZJGwvD40996MQWRZtTM6Ndfv8rVvOP2gSitaUwkktkYit9Scd7jQyHo ANUlM+w+LprChv7mNWd8r89K0dSGlux5Mdm2DBcG81xneOQZV7MuPW45Cd4iGphp45gn byoCEv5vLlSlxoVbTGZkMN95lajLw8xUpGSQa3jPlD7B6hEsnMKXf4jUDuU8qTBj11b1 dpF3XeEeeCFDVyPMhIL5q+MYP5K6C/PrN98P4Dbf33kiOTHu/QBGbIZUiamy4UVsODPi xnpITqGPGG2yqpH+sH2Ke50HOveju7nqpVg8KwNNDw38hF/zUz6ZO3YpccfDhI3APkgn 8NVQ==
X-Gm-Message-State: AA6/9Rn4VzTS8vAzPZeAdnjz+KBJQumcbtDKz/1cHgVU/YWbfJRMp4qiDwpNm313v7Q8HLbfDEyoNqLsJ/JynA==
X-Received: by 10.129.125.198 with SMTP id y189mr625146ywc.234.1476798923747;  Tue, 18 Oct 2016 06:55:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.212 with HTTP; Tue, 18 Oct 2016 06:54:43 -0700 (PDT)
In-Reply-To: <CAJU7zaLmX+o_iuLoPOGYXRRrnB6927iyUX8f3kYA-fsnnzcg-g@mail.gmail.com>
References: <CAJU7za+Hb0uOTXOCzaO+eu+JW8EvP-+zwJTzV9FaYjVTbvCn-g@mail.gmail.com> <1474625071.45169.131.camel@infradead.org> <CABcZeBMX1-Msp67J3TRxOM69wtMpsPB3DLy0cQaRWdPxuo7_=Q@mail.gmail.com> <CAJU7zaLmX+o_iuLoPOGYXRRrnB6927iyUX8f3kYA-fsnnzcg-g@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 18 Oct 2016 09:54:43 -0400
Message-ID: <CABcZeBO=YFhPjzqLQ2DNc+0LYV-f4D6hw2GG-YzR8tkXpjXx+g@mail.gmail.com>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Content-Type: multipart/alternative; boundary=001a114926a0418b5a053f240b3f
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/z-3paakG6cikf07QV5bUUlQBG5k>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] openconnect (ssl) vpn protocol
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 13:55:27 -0000

--001a114926a0418b5a053f240b3f
Content-Type: text/plain; charset=UTF-8

On Mon, Oct 17, 2016 at 4:46 PM, Nikos Mavrogiannopoulos <
n.mavrogiannopoulos@gmail.com> wrote:

> On Mon, Oct 17, 2016 at 3:34 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >> >  The last few weeks together with David Woodhouse have improved the
> >> > openconnect VPN protocol quite significantly and eliminated any legacy
> >> > constructs arising from the pre-DTLS era, and pre-TLS-PSK era. Even
> >> > though it still provides backwards compatibility with the cisco's
> >> > anyconnect protocol, it has been greatly simplified, making it one of
> >> > the simplest SSL VPN protocols I'm aware of. It is described at:
> >> > https://tools.ietf.org/html/draft-mavrogiannopoulos-openconnect-00
> >> > We would appreciate any feedback on the protocol and approach.
> >> Did I catch a suggestion that using PSK in (D)TLSv1.3 is going to
> >> require us to pre-agree a hash algorithm for the hello_finished?
> > Yes. The reason is that there's no guarantee that it's safe to derive
> > using different hash-based KDFs from the same underlying key (which is
> > not to say that there is an actual attack on concrete hash algorithms).
> > Note: this issue also applies to TLS 1.2, it's just that we didn't have
> > the benefit of having it pointed out by cryptographers.
>
> Is there more information on that attack that you describe (pointers
> or the discussion behind it)?

As I said, it's not an attack, it's just not a property that is guaranteed
by KDFs.

> As far as I understand, that can be
> summarized as use only ciphersuites with a fixed PRF on PSK rather
> than mixing them. That can also be seen as an argument for TLS to have a
> unique PRF for the finished messages (at least for the plain PSK
> ciphersuites).

Well it's not just the finished messages, but any use of the PSK. Anyway,
I don't think restricting it in TLS is the answer; implementations can
restrict themselves to a single KDF if they want.

-Ekr

> Otherwise managing and mapping PSKs to user interfaces
> becomes quite more complex. For the PSK usage of openconnect that is
> not an issue as PSKs are uniquely generated per session.
>
> regards,
> Nikos
>

--001a114926a0418b5a053f240b3f--


From nobody Tue Oct 18 07:00:04 2016
Return-Path: <paul@nohats.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B43F129652; Tue, 18 Oct 2016 06:59:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.431
X-Spam-Level: 
X-Spam-Status: No, score=-2.431 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vR81q48XOYIz; Tue, 18 Oct 2016 06:59:57 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84EC61295B9; Tue, 18 Oct 2016 06:59:57 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3syxXT3QN7z3sH; Tue, 18 Oct 2016 15:59:53 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1476799193; bh=9cbKUN4mebjwxETfoj6knxzTT8JPSdVSaMj8iOcpyUY=; h=Date:From:To:Subject; b=YX6t5jBCshbExNj2QL1iQ1j4KdVwdVLFIg46kE0KCG5wzGnzZ3nU0jn661LbXdYgK Qwn1oL3VEAF7iisTQ915ib0917VuqshtYaDdUzj7XdF8QUA11aOt6Gt5Ek9BwEfYUk WVuj6zgEDwKwJcc3fFQ0SCPk9djO6Rp58oiod4SI=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id sKenIa_sPEmK; Tue, 18 Oct 2016 15:59:51 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 18 Oct 2016 15:59:51 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 4D0B812EAEE; Tue, 18 Oct 2016 09:59:49 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 4D0B812EAEE
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 366DA47616DE; Tue, 18 Oct 2016 09:59:49 -0400 (EDT)
Date: Tue, 18 Oct 2016 09:59:49 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>,  Security Area Advisory Group <saag@ietf.org>
Message-ID: <alpine.LRH.2.20.1610180951020.18741@bofh.nohats.ca>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/yQo3xhqWc_32SWTuBBenavrTsTE>
Subject: [saag] Yet another RFC-5114 attack
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 13:59:59 -0000

https://eprint.iacr.org/2016/995.pdf

 	Several recent standards, including NIST SP 800-56A and RFC
 	5114, advocate the use of “DSA” parameters for Diffie-Hellman
 	key exchange. While it is possible to use such parameters
 	securely, additional validation checks are necessary to
 	prevent well-known and potentially devastating attacks. In this
 	paper, we observe that many Diffie-Hellman implementations do
 	not properly validate key exchange inputs. Combined with other
 	protocol properties and implementation choices, this can radically
 	decrease security. We measure the prevalence of these parameter
 	choices in the wild for HTTPS, POP3S, SMTP with STARTTLS,
 	SSH, IKEv1, and IKEv2, finding millions of hosts using
 	DSA and other non-“safe” primes for Diffie-Hellman
 	key exchange, many of them in combination with potentially
 	vulnerable behaviors. We examine over 20 open-source cryptographic
 	libraries and applications and observe that until January 2016,
 	not a single one validated subgroup orders by default.

This paper also actually understood the difficulties of IKE scanning!
And kudos to the authors for looking into so much deployment and open
source software!

Paul
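The two checks raised in this part of the thread, Tero's suggestion earlier that the group-entry interface refuse moduli below a size floor, and the paper quoted above finding that implementations did not validate key-exchange inputs or subgroup orders by default, are shown below as an added example in Python. It is not code from any of the posters, from the paper, or from any IKE implementation; the function names, the min_bits policy parameter and the toy groups (p = 67 with an order-11 subgroup, and the safe prime p = 23) are constructed for illustration and are far too small for real use.

```python
# Added example: finite-field Diffie-Hellman parameter and public-value
# validation, written for this thread. Not code from any poster, from the
# cited paper, or from any IKE implementation. The toy groups below are
# constructed for illustration only; real groups are 2048 bits or larger.
import random


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin probabilistic primality test (trial division first)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    # Write n - 1 = 2^r * d with d odd.
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def validate_group(p: int, q: int, g: int, min_bits: int = 2048) -> list:
    """Vet a candidate DH group before a management interface accepts it.

    p: modulus; q: order of the subgroup generated by g (for a 'safe'
    prime p, q = (p - 1) // 2); g: generator. Returns the list of reasons
    the group was rejected; an empty list means it passed every check.
    min_bits is the policy floor on the modulus size (an assumption of this
    example; the thread names 1024 as the floor below which rfc4307bis
    forbids MODP groups).
    """
    errors = []
    if p.bit_length() < min_bits:
        errors.append(f"modulus is {p.bit_length()} bits, below the {min_bits}-bit floor")
    if not is_probable_prime(p):
        errors.append("modulus p is not prime")
    q_ok = q > 1 and is_probable_prime(q)
    if not q_ok:
        errors.append("subgroup order q is not prime")
    elif (p - 1) % q != 0:
        errors.append("q does not divide p - 1")
    if not 1 < g < p - 1:
        errors.append("generator g is outside (1, p - 1)")
    elif q_ok and pow(g, q, p) != 1:
        errors.append("generator g does not have order q")
    return errors


def validate_public_value(y: int, p: int, q: int) -> bool:
    """Check a peer's public value before using it in the shared secret.

    Rejects 0, 1 and p - 1 (the trivial elements) and anything outside the
    order-q subgroup; the subgroup-order check is the one the quoted paper
    found missing by default in the libraries it examined.
    """
    if q < 2 or not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


# Constructed toy groups (NOT for real use). p = 67 is prime with
# p - 1 = 2 * 3 * 11, i.e. a DSA-style prime whose order-11 subgroup is
# generated by g = 64, alongside small subgroups of order 2 and 3.
TOY_DSA_P, TOY_DSA_Q, TOY_DSA_G = 67, 11, 64
# p = 23 is a safe prime (q = 11 = (p - 1) // 2) with generator 2.
TOY_SAFE_P, TOY_SAFE_Q, TOY_SAFE_G = 23, 11, 2


def demo() -> dict:
    """Run the checks over the constructed toy inputs and collect results."""
    return {
        # A well-formed toy group passes once the size floor is lowered to fit it.
        "dsa_group_ok": validate_group(TOY_DSA_P, TOY_DSA_Q, TOY_DSA_G, min_bits=7) == [],
        # Under the default floor the same group is rejected for size alone,
        # which is what an interface limit like Tero's would do to a short group.
        "dsa_group_too_short": validate_group(TOY_DSA_P, TOY_DSA_Q, TOY_DSA_G),
        # 64 lies in the order-11 subgroup, so it is an acceptable public value.
        "peer_in_subgroup": validate_public_value(64, TOY_DSA_P, TOY_DSA_Q),
        # 37 has order 3 in Z_67^*: a small-subgroup element, rejected.
        "peer_small_subgroup": validate_public_value(37, TOY_DSA_P, TOY_DSA_Q),
        # p - 1 is the order-2 element and is always rejected.
        "peer_p_minus_1": validate_public_value(TOY_DSA_P - 1, TOY_DSA_P, TOY_DSA_Q),
        "safe_group_ok": validate_group(TOY_SAFE_P, TOY_SAFE_Q, TOY_SAFE_G, min_bits=5) == [],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order check on the peer's value costs one extra modular exponentiation per exchange, and for safe-prime groups it can be replaced by a Legendre-symbol test; for DSA-style groups like those in RFC 5114 there is no cheaper substitute, which is why it matters that libraries perform it by default rather than leaving it to callers.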


From nobody Tue Oct 18 07:18:30 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5A12129A7E for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 07:18:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.732
X-Spam-Level: 
X-Spam-Status: No, score=-4.732 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lgKQtXJkDcLz for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 07:18:26 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD11B129474 for <saag@ietf.org>; Tue, 18 Oct 2016 07:18:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id A52E7BE3E for <saag@ietf.org>; Tue, 18 Oct 2016 15:18:23 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qg1NfbNVvUyY for <saag@ietf.org>; Tue, 18 Oct 2016 15:18:23 +0100 (IST)
Received: from [134.226.36.93] (bilbo.dsg.cs.tcd.ie [134.226.36.93]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 20A13BE2E for <saag@ietf.org>; Tue, 18 Oct 2016 15:18:23 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476800303; bh=g8UQ1kIPN2tm27pwj1guCwaPLVkd5rbatPjd5j0y2qo=; h=To:From:Subject:Date:From; b=g6oA1vnY4MGmIzRfW7dTfs9gf+ghXNbkQzRULavn4HM04dllTXX+cmlQj9YgEzex4 x5gb9jXKzx+qoNlvIdmSR1JnWq4rMWhOjPu89JPj77eKR9iOvFYHhM6s83SKLsWPss WKqqgu8vvUevKdqar13WN0HkDjErkB111BrtTank=
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <acbbe1b1-5f4c-2731-b58a-1bd5c5a88c21@cs.tcd.ie>
Date: Tue, 18 Oct 2016 15:18:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms010204080500090902080601"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sdU8sa1l4biPpRyFQFYmAgbYr1g>
Subject: [saag] rfc552bis - your ideas needed
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 14:18:29 -0000

This is a cryptographically signed message in MIME format.

--------------ms010204080500090902080601
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Hiya,

At the last IETF meeting we discussed updating
RFC 3552 (BCP72). [1] The editors (Yoav and
Magnus) have produced an initial draft [2,3]
that's pretty much the same text for now.

I would love to see some discussion of that at
IETF97, but for that to be worthwhile we need
folks to say what they'd like to see changed
in 3552bis, so please do respond here if there
are things that you think need changing or
adding (e.g. privacy issues). As usual,
offering text is ideal.

If we don't see some list discussion then
there's probably no point in taking up time
at the saag session in Seoul, which'd be a
bit sad.

Thanks,
S.


[1] https://tools.ietf.org/html/bcp72
[2] https://tools.ietf.org/html/draft-nir-saag-rfc3552bis-00
[3] https://github.com/IETF-SAAG/RFC3552bis


--------------ms010204080500090902080601
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms010204080500090902080601--


From nobody Tue Oct 18 07:31:31 2016
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 291AA12965B; Tue, 18 Oct 2016 07:31:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ULpn3J0G1XnY; Tue, 18 Oct 2016 07:31:28 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF4D5129445; Tue, 18 Oct 2016 07:31:27 -0700 (PDT)
Received: by mail-qk0-x232.google.com with SMTP id f128so282609461qkb.1; Tue, 18 Oct 2016 07:31:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=oKH8Nl/9xEsHjf+N1I04x1a2XYvJnHG5MAWmfBXHDlg=; b=ql6p8J3fFQFDubYr7cG5AZ66waMCUF/TaUB86F5VXYh9cNTmOKawqB+7qP4h1iz1os j/cIW9Kfl6Iceuktg4XZ634PlOWF0DeTYJ9iL4UHvM8JX/gxoLUyw9GoY52EPyVidaH2 fikMaRCTWci0bBFtBbysCE5D/mGXG8fuR5zxpbmoSWj4mH+gCii8v0h+erlAGeG4Xins 7Pqm7uCDqRG9WUgbZ9GCLHynW4VnQq+iSAToLiXuvVG9p10mdlSDaKZ9oHj9w3iXkkPs re/vc2zRMoF1CZUfeDCsBAz95wwAsI1qMyh7aMSECdzYpSeXzrL/4nFR5fwy6EGVOBBF 2RoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=oKH8Nl/9xEsHjf+N1I04x1a2XYvJnHG5MAWmfBXHDlg=; b=CVyg57aeEN7b3+apClh2JqaxHYkjYpnjApOlxoeiafOk7IA3PE6zZ5vvzCK3x6gO7i gIbzkJp8nVoT6h6kfaT2wbJM5VOo79kLnmWrZ5CMj4yI2sBfLou0ALeJmPPZvCF4BK02 AeK1AxvwFafbyN8paVxgsSfbF4LyGD3fmx1fginZ0c/xAq9OkR63I8HCDIuBa9946Ppi nHnYmbOCdlWQf0Vi3oYl4m5CWs5BiDObs8PLZhO26GNW2hfs7nNXgveFnQRf0tlgNJ0E TLFNpiJkWOhLVqt3v6DYzPF+eUfRwoufZ3rjyTA1VjeyfiD+B39aY2JdbKoy1TOZJjKC xd0Q==
X-Gm-Message-State: AA6/9Rn5LSHazeYdBZqFUJQO3TC4kolPTVBgQxwMBerW6dQaW5ErOpjwBxJaz5GxCKSCAB7SQR9B97HQ2tRJRw==
X-Received: by 10.55.96.7 with SMTP id u7mr904150qkb.189.1476801071198; Tue, 18 Oct 2016 07:31:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.171.87 with HTTP; Tue, 18 Oct 2016 07:31:10 -0700 (PDT)
In-Reply-To: <22533.64120.595277.953942@fireball.acr.fi>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <22533.64120.595277.953942@fireball.acr.fi>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 18 Oct 2016 07:31:10 -0700
Message-ID: <CACsn0cn74b6Spu_Uc=75XLkn5VNMTB1oeXGKv=cJMUpFcL4uzw@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/UQhJTjBIw5-io1DRUP65EeaaNS8>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 14:31:30 -0000

On Tue, Oct 18, 2016 at 3:33 AM, Tero Kivinen <kivinen@iki.fi> wrote:
> Yoav Nir writes:
>> I’m not entirely comfortable with calling something a MUST NOT when all we
>> have is conjecture, but I have no love and no need of those DH groups.
>
> Same here, and it also makes it so that we cannot say our
> implementation is conforming rfc4307bis, even when we do already have
> support for AES, SHA2, 2048-bit DH, i.e. all the mandatory to
> implement algorithms in the new document, but we do also have code to
> propose the RFC5114 MODP groups, if user configures them to be used.
>
> Changing that is of course very easy to do in implementation, but
> before this is deployed etc will take some time, and there is a chance
> that some customer has explicitly configured RFC5114 2048-bit MODP group
> in use, and by removing that we suddenly break their existing
> configuration.

In sane protocols the default MTI ciphersuite is always ready to be
used for exactly this reason. IKE's extensively flexible configuration
knobset was not a good idea for this reason.

>
> It is always annoying to explain to customer why we explicitly broke
> their existing configurations unless there is real security reason for
> it. Looking at the paper, this only applies to the 1024-bit MODP
> group in RFC5114, even the paper says that 2048-bit MODP groups are
> safe, even if they would have same backdoor.
>
> We are already downgrading normal 1024-bit MODP group to SHOULD NOT,
> and this would make it two reasons to make RFC5114 1024-bit MODP group
> to SHOULD NOT (too short, and might be backdoored), so perhaps the
> compromise can be to make RFC5114 1024-bit MODP group number 22 to
> MUST NOT, and keep the groups 23-24 as SHOULD NOTs.

This seems reasonable to me.

>
> Anyways we need to modify the rfc4307bis text and add reference to
> this paper, as one more reason why groups 22-24 MUST NOT/SHOULD NOT be
> used.
>
>> I don’t believe anyone else depends on these groups (at least in
>> IPsec), so I’m fine with such a change.
>
> I do not think people depend on them, but I assume there is quite a
> lot of implementations there that can be configured to use them if
> explicitly asked, thus making them MUST NOT will make it so that those
> implementations will not be conforming rfc4307bis.

That's sort of the point. We want these implementations to NOT support
these groups, just as RC4 die-die-die meant TLS implementations no
longer support RC4.

> --
> kivinen@iki.fi
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.


From nobody Tue Oct 18 07:39:03 2016
Return-Path: <paul@nohats.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65E7412966E; Tue, 18 Oct 2016 07:38:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.431
X-Spam-Level: 
X-Spam-Status: No, score=-2.431 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tw6dXZJO6jvr; Tue, 18 Oct 2016 07:38:58 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87D30129666; Tue, 18 Oct 2016 07:38:58 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3syyPW5zm6z460; Tue, 18 Oct 2016 16:38:55 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1476801535; bh=p56O4yJHvQP5FylKbPSDiuJ/v74okE/mz0bDpNt3bD8=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=YedRdoR1AZGQUt01FsOy8CHNbKbD3VdqqCbspFdizH8ezeauZv7xwP554aJv57I3j 9tDlvEYfJUKvuUoS3Qo4I7Nc3wuHFUJyGaf/FP2nfLDZhWOIKNYBRPNouWdJcc/LT3 ZkWc1Xes+Uaxr3k9yW6xAqiy9W8k7GYpu74u/LDU=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id vRFKyLbBXv4M; Tue, 18 Oct 2016 16:38:55 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 18 Oct 2016 16:38:54 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 0C21D12EAEE; Tue, 18 Oct 2016 10:38:53 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.10.3 bofh.nohats.ca 0C21D12EAEE
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 06E614163767; Tue, 18 Oct 2016 10:38:52 -0400 (EDT)
Date: Tue, 18 Oct 2016 10:38:52 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <A54A2CC3-EFE4-4B13-8902-5FC34FDAEC83@gmail.com>
Message-ID: <alpine.LRH.2.20.1610181034480.18741@bofh.nohats.ca>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <A54A2CC3-EFE4-4B13-8902-5FC34FDAEC83@gmail.com>
User-Agent: Alpine 2.20 (LRH 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ePpVmjuAZ1mRwxppdTUtO9qOkLI>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec]   trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 14:38:59 -0000

On Tue, 18 Oct 2016, Yoav Nir wrote:

>> It's a little more than conjecture.
>>
>> 1) It has been proven that malicious 1024 bit DH values can be generated
>>   by academia that cannot be independently discovered. Therefore any
>>   nationstate with access to the same theory and more CPU power could
>>   have done this years ago.
>
> Someone can trapdoor 1024-bit values, therefore someone else can trapdoor 2048-bit values.
>
>> 2) We have the RFC 5114 values whose original authors/sponsors are not
>>   disclosing how these were generated.
>>
>> 1) + 2) means we cannot know if these values were trapdoor’ed.
>
> Yeah, we cannot know. That’s why it’s conjecture.

 	conjecture: 1. an opinion or conclusion formed on the basis of incomplete information.

I have complete information for "one cannot detect trapdoors without knowing seed"

Paul


From nobody Tue Oct 18 07:47:11 2016
Return-Path: <kent@bbn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 761941294A7; Tue, 18 Oct 2016 07:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level: 
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9r39hOuNwoZu; Tue, 18 Oct 2016 07:47:05 -0700 (PDT)
Received: from bos-mailout2.raytheon.com (bos-mailout2.raytheon.com [199.46.198.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E029C12948C; Tue, 18 Oct 2016 07:47:04 -0700 (PDT)
Received: from ma-mailout10.rtnmail.ray.com (ma-mailout10.rtnmail.ray.com [147.25.130.27]) by bos-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u9IEl0pY024719 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 18 Oct 2016 14:47:02 GMT
Received: from smtp.bbn.com ([128.33.1.81]) by ma-mailout10.rtnmail.ray.com (8.15.0.59/8.15.0.59) with ESMTPS id u9IEl0Ie002381 (version=TLSv1 cipher=AES256-SHA bits=256 verify=NOT); Tue, 18 Oct 2016 14:47:00 GMT
Received: from ssh.bbn.com ([192.1.122.15]:43572 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bwVfQ-000CJu-Az; Tue, 18 Oct 2016 10:47:00 -0400
From: Stephen Kent <kent@bbn.com>
To: Paul Wouters <paul@nohats.ca>, Yoav Nir <ynir.ietf@gmail.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca>
Message-ID: <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com>
Date: Tue, 18 Oct 2016 10:47:00 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-CC: saag@ietf.org, ipsec@ietf.org, ynir.ietf@gmail.com, paul@nohats.ca
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-10-18_07:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/is67FiG6h1ApM6niKU6o-p8gkCo>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec]  trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 14:47:06 -0000

Paul,

It's been over 8 years since this RFC was published, and I have not 
looked at it since then. My recollection is that we wrote 5114 because 
an IPsec developer approached me and said that he wanted to support 
these groups in a product. He said that he wanted test vectors for the 
groups, consistent with what we have done for many other algs. I 
persuaded Matt to generate the RFC because it was a relatively easy task 
and a good way for Matt to get acquainted with the RFC process.

As to your question, I have no info about how the NIST DH values were 
generated. However, I do agree with Yoav and Tero that it seems unduly 
prejudicial to declare these to be a MUST NOT. The fact that one can 
generate trap-doored DH values that cannot be detected is not the same 
as having proof that a given set of values have been generated in that 
fashion. Moreover, if one interprets a MUST NOT in this context to mean 
that an implementation supporting any of these groups is non-compliant, 
then that unfairly penalizes existing implementations, as Tero noted. 
Moreover, if the concern raised by the paper (which I have read) is with 
MODP groups of size 1024 (or smaller), only 1 of the groups in 5114 fits 
that criteria (section 2.1).

I have not tracked the status of these NIST groups re evaluation 
criteria like FIPS 140-2. If these groups are approved for use in 
products evaluated under that FIPS (I don't know if they are), 
deprecating them creates a possible conundrum for vendors who want to 
comply with RFCs and with FIPS evaluation criteria. Thus I suggest a 
less dramatic response than declaring all of the groups in 5114 to be 
MUST NOT.

I'm not a vendor of any crypto products (these days), and I've never 
been a crypto mathematician. So my views are based only on what I recall 
about the creation of 5114 and about IETF crypto standards practices in 
general.

Steve


From nobody Tue Oct 18 11:47:19 2016
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 261CB12970F; Tue, 18 Oct 2016 11:47:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ow-3dArfaL1A; Tue, 18 Oct 2016 11:47:16 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F35C01294A4; Tue, 18 Oct 2016 11:47:15 -0700 (PDT)
X-AuditID: c1b4fb25-15fff7000000793b-2e-58066e310a27
Received: from ESESSHC016.ericsson.se (Unknown_Domain [153.88.183.66]) by  (Symantec Mail Security) with SMTP id EA.EF.31035.13E66085; Tue, 18 Oct 2016 20:47:14 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.139]) by ESESSHC016.ericsson.se ([153.88.183.66]) with mapi id 14.03.0319.002; Tue, 18 Oct 2016 20:46:30 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: Stephen Kent <kent@bbn.com>, Paul Wouters <paul@nohats.ca>, Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [IPsec] [saag] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKU6CHJtC8inrDUW+5swoRbNe7qCujeeA
Date: Tue, 18 Oct 2016 18:46:29 +0000
Message-ID: <D42C37F3.53A00%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com>
In-Reply-To: <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.6.7.160722
x-originating-ip: [153.88.183.150]
Content-Type: text/plain; charset="utf-8"
Content-ID: <D04BB7592A8F6B48B008A2FAABD19266@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKIsWRmVeSWpSXmKPExsUyM2K7k65RHluEQedscYv9W16wWWyczWjx /tYlJosp/Z1MFkuPfWByYPWYej7UY+esu+weS5b8ZPL4Po8pgCWKyyYlNSezLLVI3y6BK+No 81X2gmlKFTvbchsYlyh2MXJySAiYSPTuPMvWxcjFISSwnlHixoxdjBDOEkaJyYeWsYBUsQkY SMzd08AGYosIJEicunCEGcRmFoiQmHV0DyOILSxgL/Hy2wyoGgeJSbMOskLYRhIbNn0Fs1kE VCWOXDgAZvMKmEss6VjCBLHsLJPE4ksrwZo5Bawl9iw/CraYUUBM4vupNUwQy8Qlbj2ZzwRx toDEkj3nmSFsUYmXj/+BDRUV0JN49vk5O0RcSWLF9ktAx3EA9WpKrN+lDzHGWmJdxw2o+xUl pnQ/ZIe4R1Di5MwnLBMYxWch2TYLoXsWku5ZSLpnIelewMi6ilG0OLU4KTfdyFgvtSgzubg4 P08vL7VkEyMwMg9u+a26g/HyG8dDjAIcjEo8vArJbBFCrIllxZW5hxglOJiVRHhvpQGFeFMS K6tSi/Lji0pzUosPMUpzsCiJ85qtvB8uJJCeWJKanZpakFoEk2Xi4JRqYAw76i2TnjH9XdrK ucrHpfYsuDjjeeTEgOMqFxZt6/YqTanc+PWy4ibmmPsT7C7qxt5pqK8T+ZbH0TH76LNrvo75 jwU7l12Ov7unJ+uopMziuXfM2FUyuK3MNgU8/Jdc9uH1B9ZO+WszU4P1rCPrk2d6q1sYsp1e 9LV2340bXXFl259uTp5YNl2JpTgj0VCLuag4EQCi4DoqyAIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/HUnpZB1HD7MXtQdP50O1MqoOxtg>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec]  trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 18:47:18 -0000

New paper “Measuring small subgroup attacks against Diffie-Hellman”

https://eprint.iacr.org/2016/995.pdf


“Cryptographic recommendations from standards committees are often too
weak or vague”

“However, the tangle of RFCs and standards attempting to define current
best practices in key generation and parameter sizing do not paint a clear
picture, and instead describe complex combinations of approaches and
parameters, exposing the fragility of the cryptographic ecosystem. As a
result, developers often forget or ignore edge cases, leaving many
implementations of Diffie-Hellman too close to vulnerable"

“As we show in this paper, finite-field based Diffie-Hellman has many edge
cases that make its correct use difficult, and which occasionally arise as
bugs at the protocol level.”

“As a concrete recommendation, modern Diffie-Hellman implementations
should prefer elliptic curve groups over safe curves with proper point
validation.”

/John


On 18/10/16 16:47, "IPsec on behalf of Stephen Kent"
<ipsec-bounces@ietf.org on behalf of kent@bbn.com> wrote:

>Paul,
>
>It's been over 8 years since this RFC was published, and I have not
>looked at it since then. My recollection is that we wrote 5114 because
>an IPsec developer approached me and said that he wanted to support
>these groups in a product. He said that he wanted test vectors for the
>groups, consistent with what we have done for many other algs. I
>persuaded Matt to generate the RFC because it was a relatively easy task
>and a good way for Matt to get acquainted with the RFC process.
>
>As to your question, I have no info about how the NIST DH values were
>generated. However, I do agree with Yoav and Tero that it seems unduly
>prejudicial to declare these to be a MUST NOT. The fact that one can
>generate trap-doored DH values that cannot be detected is not the same
>as having proof that a given set of values have been generated in that
>fashion. Moreover, if one interprets a MUST NOT in this context to mean
>that an implementation supporting any of these groups is non-compliant,
>then that unfairly penalizes existing implementations, as Tero noted.
>Moreover, if the concern raised by the paper (which I have read) is with
>MODP groups of size 1024 (or smaller), only 1 of the groups in 5114 fits
>that criteria (section 2.1).
>
>I have not tracked the status of these NIST groups re evaluation
>criteria like FIPS 140-2. If these groups are approved for use in
>products evaluated under that FIPS (I don't know if they are),
>deprecating them creates a possible conundrum for vendors who want to
>comply with RFCs and with FIPS evaluation criteria. Thus I suggest a
>less dramatic response than declaring all of the groups in 5114 to be
>MUST NOT.
>
>I'm not a vendor of any crypto products (these days), and I've never
>been a crypto mathematician. So my views are based only on what I recall
>about the creation of 5114 and about IETF crypto standards practices in
>general.
>
>Steve
>
>_______________________________________________
>IPsec mailing list
>IPsec@ietf.org
>https://www.ietf.org/mailman/listinfo/ipsec
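
The subgroup-membership check that the thread keeps coming back to for the RFC 5114 "subgroup" MODP groups, as an added example that is not part of any message above, of RFC 5114, or of the cited paper. The group parameters are a constructed toy (p = 7919, q = 107, cofactor 74 = 2 * 37), not the RFC 5114 values; the point is that a prime whose cofactor has small factors has small-order subgroups, and an unchecked peer value confines the shared secret to one of them.

```python
"""Public-value validation for finite-field Diffie-Hellman in a group
whose prime p has p - 1 = q * h with a large cofactor h.

Added example for this thread, not code from RFC 5114, from the paper
cited above, or from any implementation discussed here.  Besides the
intended order-q subgroup, Z_p^* then contains a subgroup of every order
dividing h, and a peer's public value that is never checked for membership
in the order-q subgroup confines the shared secret to one of those small
subgroups.  The parameters below are a constructed toy, NOT RFC 5114's.
"""
import secrets

P = 7919          # prime; p - 1 = 7918 = 2 * 37 * 107 (constructed toy)
Q = 107           # order of the intended subgroup
H = (P - 1) // Q  # cofactor 74, with small prime factors 2 and 37


def small_cofactor_factors(p, q, bound=10_000):
    """Trial-divide the cofactor (p - 1) / q up to `bound` and return its
    prime factors with multiplicity.  Every factor d found is the order of
    a subgroup that an unchecked public value could confine the secret to."""
    h = (p - 1) // q
    factors = []
    d = 2
    while d <= bound and h > 1:
        while h % d == 0:
            factors.append(d)
            h //= d
        d += 1
    return factors


def element_of_prime_order(p, d):
    """Return an element of Z_p^* with multiplicative order d, where d is a
    prime dividing p - 1.  With d = q this is a legitimate generator; with
    d a prime factor of the cofactor it is exactly the kind of bad public
    value the validation check below has to reject."""
    for x in range(2, p - 1):
        e = pow(x, (p - 1) // d, p)
        if e != 1:  # e^d = x^(p-1) = 1 and d is prime, so ord(e) == d
            return e
    raise ValueError("no element of order %d" % d)


def is_valid_public_value(y, p, q):
    """Full public-key validation for a subgroup group: 1 < y < p - 1 and
    y^q == 1 (mod p), i.e. y lies in the order-q subgroup.  The second test
    costs one extra exponentiation and is the step that is easiest to
    omit, because the handshake completes without it."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def distinct_secrets(peer_public, p, q, trials=500):
    """Count how many distinct shared secrets we derive from `peer_public`
    over `trials` fresh private exponents.  For an honest value in the
    order-q subgroup this approaches q - 1; for a value of small order d it
    can never exceed d, which is the failure the validation prevents."""
    seen = set()
    for _ in range(trials):
        x = secrets.randbelow(q - 1) + 1  # private exponent in [1, q-1]
        seen.add(pow(peer_public, x, p))
    return len(seen)


def main():
    print("small prime factors of the cofactor:", small_cofactor_factors(P, Q))
    honest = element_of_prime_order(P, Q)
    bad = element_of_prime_order(P, 37)
    for label, y in (("honest", honest), ("order-37", bad), ("p-1", P - 1)):
        ok = is_valid_public_value(y, P, Q)
        n = distinct_secrets(y, P, Q)
        print("%-9s y=%5d valid=%-5s distinct secrets=%d" % (label, y, ok, n))


if __name__ == "__main__":
    main()
```

Running it shows the order-37 value and p-1 failing validation while the shared secret derived from them takes at most 37 and 2 values respectively; the honest value passes and yields close to q - 1 distinct secrets.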


From nobody Tue Oct 18 12:52:11 2016
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CD63129842 for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 12:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lCL9C_A_uax2 for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 12:52:07 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 781B5129463 for <saag@ietf.org>; Tue, 18 Oct 2016 12:52:06 -0700 (PDT)
X-AuditID: c1b4fb30-f60a598000000cb2-10-58067d640d06
Received: from ESESSHC006.ericsson.se (Unknown_Domain [153.88.183.36]) by  (Symantec Mail Security) with SMTP id 73.9F.03250.46D76085; Tue, 18 Oct 2016 21:52:04 +0200 (CEST)
Received: from nomadiclab.lmf.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.38) with Microsoft SMTP Server id 14.3.319.2; Tue, 18 Oct 2016 21:52:02 +0200
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1])	by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 0E2B34F55A;	Tue, 18 Oct 2016 22:51:10 +0300 (EEST)
Received: from [127.0.0.1] (localhost [127.0.0.1])	by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 14EFC4E8CC;	Tue, 18 Oct 2016 22:51:08 +0300 (EEST)
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
References: <HE1PR0802MB247516144837651E2C02580BFAC60@HE1PR0802MB2475.eurprd08.prod.outlook.com> <adc0fdb3-ad01-d1e4-786e-b72e091e07c2@cs.tcd.ie> <ae0a0a1d-6ae4-7c03-183c-c2e59823aa72@ericsson.com> <1476749236821.94996@cs.auckland.ac.nz>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <6b0de3ed-fdcd-68a8-4af4-b9717e7b0077@ericsson.com>
Date: Tue, 18 Oct 2016 15:52:01 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1476749236821.94996@cs.auckland.ac.nz>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrBLMWRmVeSWpSXmKPExsUyM2K7im5KLVuEwbnJZhYv3z1ntZjS38lk MX3vNXYHZo+LjQeYPNZ2X2XzWLLkJ1MAcxSXTUpqTmZZapG+XQJXxs1de9gLnrFXbN33k72B cQ5bFyMnh4SAicSPmV+AbC4OIYH1jBITjqxjgnC2MUrsWnmaHcJZxygxc8psqMx8RokvD3aw gPQLC1hLfDy0FWyWiECtxOEJZ5ghij4zSrzYsxesiE1AT6Lz3HFmEJtXwF5i69TnrCA2i4Cq RM/kF2BxUYEIiVsPO1ggagQlTs58AmZzAh24cP1JoAUcHMxAvQ+2loGEmQXkJba/ncMM8YOa xNVzm8BsIQF1ia0dBxgnMArNQjJpFkL3LCTdCxiZVzGKFqcWJ+WmGxnppRZlJhcX5+fp5aWW bGIEhvfBLb8NdjC+fO54iFGAg1GJh1chmS1CiDWxrLgy9xCjBAezkghveQlQiDclsbIqtSg/ vqg0J7X4EKM0B4uSOK/ZyvvhQgLpiSWp2ampBalFMFkmDk6pBsZFzjOM/J7cvVn9fVF/y5Z7 RzQF+G3OauyQZZs2b5NKkTdvwPN1M778+nm1s5ZtmVPGoowSRYmQs/P+LBNjrH3/5vyZqR2C 8YdUbHTazfSSNFb+sQlyXLB4+28FvT8f16Y/v7l6asb9Y+3nv/V3eutldTYoim6pdky/L8px ZFP8tpxmb8PWmo1KLMUZiYZazEXFiQAIh7jQawIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/d66CzSD2NDUFJ1mGOWcdKl5yUbg>
Subject: Re: [saag] software update for teeny-weeny devices
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 19:52:09 -0000

Thanks for the pointer. This was indeed hilarious and sad to follow on 
Twitter. I think it highlights another important problem of 
bootstrapping/configuring IoT devices. At some point Mark has to run a 
port scanner to find out what IP address was assigned to his WiFi Kettle.

But for his light bulb not working during dinner time, at least in this 
case I think he manually confirmed the firmware update. Perhaps the user 
can be better informed in future that installing firmware updates 
may make the light bulb unusable for x amount of time.

Thanks
/--Mohit


On 10/17/2016 08:07 PM, Peter Gutmann wrote:
> Mohit Sethi <mohit.m.sethi@ericsson.com> writes:
>   
>> For me scheduling of updates is important: I don't want my connected light
>> bulb to update at night when I am using it.
> So not this then:
>
> https://twitter.com/markrittman/status/785905327967498240/photo/1
>
> (that was part of an 11-hour battle to get a WiFi kettle working).
>
> Peter.


From nobody Tue Oct 18 14:32:44 2016
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40108129895 for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 14:32:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level: 
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p6RXtO6tg5gW for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 14:32:41 -0700 (PDT)
Received: from nm5-vm5.bullet.mail.ne1.yahoo.com (nm5-vm5.bullet.mail.ne1.yahoo.com [98.138.91.227]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50AC11294E7 for <saag@ietf.org>; Tue, 18 Oct 2016 14:32:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1476826360; bh=ifYjbe8YRfONE0FkIm9iYRWzm1EeA0LytBWTDHemgMs=; h=Date:From:Reply-To:To:Cc:Subject:References:From:Subject; b=uGaRVi5xRonc5AxjMvlXB2kymX8rVI8jlGh1BkiCG6mLksc1DJKwVoiRpB+V4ruFEOBxtZMU8Vxv6rTCExaRlnlvDfUCKZzi6XzrgeftuU8ETMe1qlcLa3RXmnGLk6pWtK/Q7uv7X1VHs2e9zklEel1KDfXEnN820GUUrr0fRP/jPqvIcFajLHZCBU/argrtJc9/RVZqhVHi+9RJp4CCfr6NI73AjRLi4JjYw68wfbYvQAR83tEb1r7vQBhTVwbQr5Ho7KGK1sGyJfo4sNbyVj5/umkCyENntlqTakDoVMT0+4xVmf1c+++II6lO1Y8s+N8KhzimSPXOZVNuNeljvw==
Received: from [98.138.100.117] by nm5.bullet.mail.ne1.yahoo.com with NNFMP; 18 Oct 2016 21:32:40 -0000
Received: from [98.138.89.175] by tm108.bullet.mail.ne1.yahoo.com with NNFMP;  18 Oct 2016 21:32:40 -0000
Received: from [127.0.0.1] by omp1031.mail.ne1.yahoo.com with NNFMP; 18 Oct 2016 21:32:40 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 765551.67756.bm@omp1031.mail.ne1.yahoo.com
Received: from jws200062.mail.ne1.yahoo.com by sendmailws147.mail.ne1.yahoo.com; Tue, 18 Oct 2016 21:32:40 +0000; 1476826360.380
Date: Tue, 18 Oct 2016 21:32:21 +0000 (UTC)
From: <nalini.elkins@insidethestack.com>
To: Security Area Advisory Group <saag@ietf.org>
Message-ID: <1291206601.2408471.1476826341029@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_2408470_1265036106.1476826341027"
References: <1291206601.2408471.1476826341029.ref@mail.yahoo.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FksNSD2hmmaPQprfWqa46z83Uag>
Cc: "MORTON ALFRED C \(AL\)" <acmorton@att.com>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03 - Next Steps
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: nalini.elkins@insidethestack.com
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 21:32:43 -0000

------=_Part_2408470_1265036106.1476826341027
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

All,

One thing that occurs to me is that this document is in a sense a "Gap
Analysis" document. It seems to beg the question, "Now what?" That is,
what are the best practices or recommended solutions for the problems or
gaps which have been documented?

For example, Section 2: Network Service Provider Monitoring mentions:

"The EFF reported several network service providers taking steps to
prevent the use of TLS over SMTP by breaking StartTLS, preventing the
negotiation process resulting in fallback to the use of clear text."

So then I wonder, what exactly is going on? What is it that NSPs are
hoping to see in clear text? Is there more logging required? A better
API? Do they just not know how to manage their mail servers correctly?

I notice that a new email list was just formed (DLNEX) "to discuss
various latency characteristics that can be exposed by network elements
or segments and to explore if there are any latency related attributes
that can be utilized by upper layer. For example, could there be latency
exposure that upper layer can utilize to plan how to distribute their
content to the right edges to achieve optimal user experience?"

A very interesting question. It leads me to wonder if there are other
classes of information which need to be exposed (or logged) also? And
then doing so while maintaining privacy & security. (I am also looking
forward to the information that may be provided by the new PLUS WG.)

I wonder if this document, draft-mm-wg-effect-encrypt-03, may be the
foundation document for something like a SECOps (Security Operations)
group. (As in v6Ops, we discussed best practices and user experiences of
IPv6). Maybe we can take each of the topics raised by
draft-mm-wg-effect-encrypt-03 and dive more deeply into each one and
really discuss the use cases, etc.

Of course, there is work being done in other WGs (ex. PLUS) which may
prove to be a solution for some of these problems. But, I really like
the operational and topical approach taken by this draft and I wonder if
it can be the seminal document for add-on work? And a place to
centralize some of these thoughts. But, maybe SAAG is the home for this?

Am I completely out to lunch? Or does this resonate with anyone else?

Thanks,
Nalini Elkins
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360
------=_Part_2408470_1265036106.1476826341027--


From nobody Tue Oct 18 14:36:06 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1255412989F for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 14:36:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.732
X-Spam-Level: 
X-Spam-Status: No, score=-4.732 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id unaUGUf_e2QY for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 14:36:02 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 789C51294E7 for <saag@ietf.org>; Tue, 18 Oct 2016 14:36:02 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id E2DB1BE2E; Tue, 18 Oct 2016 22:35:59 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EpjUEIOs8XHn; Tue, 18 Oct 2016 22:35:53 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 4AD7BBE2C; Tue, 18 Oct 2016 22:35:53 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1476826553; bh=uHRzbNAcrQePRGPn8n4Dzp3oBc/821/aqoxoExDeqkY=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=v6HjGOGfbth+G7uwBa2Z3OTAqdP4P+IRdQn4AinBwvaBkd2ur/o6RlZ2/E6/XSQSo Ksdu+xHE7STMJ0GNyOGRpO3kmt+MFfWo12xD1h+Y9+dNnDT54CIx2dmwOzv49GutWY rxv4zxCn0ffLAhjzTlacL6WPbo47nz9f5BVQTaG8=
To: nalini.elkins@insidethestack.com, Security Area Advisory Group <saag@ietf.org>
References: <1291206601.2408471.1476826341029.ref@mail.yahoo.com> <1291206601.2408471.1476826341029@mail.yahoo.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <e2b988c2-dda7-018d-4c26-fbf106ad51c2@cs.tcd.ie>
Date: Tue, 18 Oct 2016 22:35:53 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1291206601.2408471.1476826341029@mail.yahoo.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms070307070904020007030000"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6HtB7Vm8U1PVyDk-CYbJsTSZ5K4>
Cc: "MORTON ALFRED C \(AL\)" <acmorton@att.com>
Subject: Re: [saag] draft-mm-wg-effect-encrypt-03 - Next Steps
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Oct 2016 21:36:05 -0000

This is a cryptographically signed message in MIME format.

--------------ms070307070904020007030000
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable



On 18/10/16 22:32, nalini.elkins@insidethestack.com wrote:
> A very interesting question.  It leads me to wonder if there are
> other classes of information which need to be exposed (or logged)
> also?  And then doing so while maintaining privacy & security.  (I am
> also looking forward to the information that may be provided by the
> new PLUS WG.)

Please consult the archives/minutes for the SPUD/PLUS BoF.
(Not so far a tremendous success - the most recent mail I
saw on that explicitly said that rumours of the idea's
demise were exaggerated;-)

S.




--------------ms070307070904020007030000
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms070307070904020007030000--


From nobody Tue Oct 18 20:03:34 2016
Return-Path: <noloader@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8A35129437 for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 20:03:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9oeLtPbMfoIa for <saag@ietfa.amsl.com>; Tue, 18 Oct 2016 20:03:30 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED0451294D3 for <saag@ietf.org>; Tue, 18 Oct 2016 20:03:29 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id q192so18636038iod.0 for <saag@ietf.org>; Tue, 18 Oct 2016 20:03:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to; bh=dlVE9bey/AXUdoir0huS9SnVxB0x+peU+O4EjBBjomI=; b=aI8Sc1uGqgE7hUXAxu8Zc8C+daMBAJcZnhoPoWes29eZCezjCYeSwkXNTuWWvc6BeE XjR0yfM4RmUdxV1GYeXgNVukFzn3D22Iclwn+9O8Ev/3PhnLT6vzE/36wnOIPFBDguVt cneb3icVa6wH1lgGf4WcAQfSGggXvMqYxS6V8U8AAClaioMGqrrqoeoD1aoQRDoJKbeK +wj0gd/fwQDQCCaTjsfwFq5W/SmzsIHON4aztFwgv07x4ZC96+8Zbc1jpXObkeNSymHg JR4FLuLh8DtnVxbJ5OCgCIXzHk427afIo8z9roljXwzPt3lvILLEV5WPXjmHIifgWrVD salA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to; bh=dlVE9bey/AXUdoir0huS9SnVxB0x+peU+O4EjBBjomI=; b=bQ+qZY82V0GQJdB2nL+UCAGa9XoxVEl5VWJUUZU92/wEKgQ/G2maUkBdTeLrXffeh+ 2YcjNdQ8Ex/062lAbYYiXGrEpBs86D16q71Zdj3nDYrD3TPQw7u4Lt5g5Q/yH+FrubCD bZsJ7PuJ60i57Qv7cjYnNsMq5K5Tt+59zmHGqLruVLekDVx8TwBNzDlJw3ijHEtsFiON y5fgMwEGXcPtuom5sjZGfVA4IFFePBVy7HrZWt5HwNGAznJ6oZwfvziY3sUKCpNSkV23 jlQ/Eqj6CKtGVsKTHfUgPKBxoEjwQysAsqW5Hwx4t11/eEOWjPq4Pz47zIJh+TuafpWf GrBQ==
X-Gm-Message-State: AA6/9Rk+VzMep5Opa37+BTWtaQwwmHjZVnKxuMqEdAEeIRov4eeW74SYfHB87axiI+c6iK6lZRZtgBqzX0Nung==
X-Received: by 10.107.148.4 with SMTP id w4mr4428168iod.135.1476846208960; Tue, 18 Oct 2016 20:03:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.36.194 with HTTP; Tue, 18 Oct 2016 20:03:28 -0700 (PDT)
In-Reply-To: <CANO=Ty0yD+DmmeqC3dS2u=4+QNawqt6OJjyXRW2x1pqid=S5tQ@mail.gmail.com>
References: <20160613144048.9BBA942E034@smtpvbsrv1.mitre.org> <f24b7778-0446-c5d1-4905-e75a580fcbc4@redhat.com> <e2b42449-584c-9d7f-070e-b65b3150d3bc@redhat.com> <CANO=Ty0yD+DmmeqC3dS2u=4+QNawqt6OJjyXRW2x1pqid=S5tQ@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
Date: Tue, 18 Oct 2016 23:03:28 -0400
Message-ID: <CAH8yC8mgyB29TMaq+O6JRaDhP8Yod06KJ97EZC=7FY0Hd6sdtA@mail.gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2D92Lez2VXMOBgqvLq4F_8u_cCI>
Subject: [saag] Fwd: [oss-security] Re: CVE Request: IKEv1 protocol is vulnerable to DoS amplification attack
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: noloader@gmail.com
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 03:03:33 -0000

FYI...

---------- Forwarded message ----------
From: Kurt Seifried <kseifried@redhat.com>
Date: Tue, Oct 18, 2016 at 3:19 PM
Subject: Re: [oss-security] Re: CVE Request: IKEv1 protocol is
vulnerable to DoS amplification attack
To: oss-security <oss-security@lists.openwall.com>
Cc: Huzaifa Sidhpurwala <huzaifas@redhat.com>, CVE ID Requests
<cve-assign@mitre.org>


On Tue, Jul 12, 2016 at 1:46 PM, Paul Wouters <pwouters@redhat.com> wrote:
>
> I have tested openswan and strongswan and confirmed it contains the same
> amplification that is inherent in being IKEv1 compliant.
>
> Neither implementation has applied the hardening that libreswan has
> applied for this that was the original information that caused
> CVE-2016-5361 to be issued for libreswan.
>
> I believe MITRE needs to fix the inconsistency in the issuance of
> CVE-2016-5361, expand it to be about the IKEv1 protocol, and gather
> the other vendor information and patches, or issue additional vendor
> specific CVE's. I believe the first solution is better.
>

So I had a chance to talk to Paul.

Basically: the RFC doesn't define a specific way to handle this; as such, a
CVE cannot be given to the RFC (currently CVEs will be given to
RFCs/protocols that say "do something bad", like using weak encryption
algorithms).

As such it was left up to all the IKE implementations themselves to
determine what to do with respect to retransmits.

I think it's safe to say an amplification of 1:10 or more qualifies as a
problem. I'm not sure what the exact amplification ratio to qualify for a
CVE is (1:3, 1:7?), but I think 1:10 or more should definitely qualify.

Thus a lot of other IKE implementations will be needing CVEs for this class
of problem (as well as other protocols).


From nobody Wed Oct 19 00:36:50 2016
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B88C1294A0; Wed, 19 Oct 2016 00:36:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHLEFMja0WkS; Wed, 19 Oct 2016 00:36:42 -0700 (PDT)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74014129545; Wed, 19 Oct 2016 00:36:42 -0700 (PDT)
Received: by mail-qk0-x22d.google.com with SMTP id z190so21325674qkc.2; Wed, 19 Oct 2016 00:36:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=HIxF59MK2DuOl4dxo3654M6kRnLRbR+P56SKo1VXaIs=; b=LokSx5uqt12inj+vhszxYr7IoGgaFrpjx5VCxuYQEeMdgxYPaB8kDzbXH+NqCsMK2r gxtIpZQw34513fOdaPpBI7S4cijY2UwWUf88iveLReSbdNH5IKr74mL/JfFXU1Ihppl0 S+wHBCn/J6Z1u5KqfwVxyPLoux+FuXa0QVrVzbhlhIwREtyQ0Szkh64z8Q+XNPcW5T03 +Uzw3IEqylwl6BoMJz9lkj3HHiuSjAc4DsbfhflGiG0FpJWV+hhuv9Ooq+eK/V7QfM2q 1OiN53IFHa8XaEXDFNG/t6mmrfbFXMHBK1ULCj/m1gAR/VbCc5bAhHXC/liH2FN0qjq9 TZ+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=HIxF59MK2DuOl4dxo3654M6kRnLRbR+P56SKo1VXaIs=; b=O28B8W4eiY5DmPWUaooTeXO0AXTvIc0bUo0q59s1Oi6J21sxqWh0GyIEI5lhQR1U02 bQvAWV3MdNd5BKkp+zeBma5kuW4zxmDYCUca3afLgVYjkULfBKPs7B/0VBI6F4Hyg4bb hhWFZl7bO9NXW0qWzsA6latFGzZP/IL6Fg8h4V+C+DvlL3ieD040yFdLDdiBqJkLRcD0 UvvE9xAW9rMpM+hNmf7BXe5e0uZ5/Xtghiyp6cC+gUcpRRZSjGKy1m55iqOHbGh+W0W9 mDN5eaqy+CG33+GMuLMJRIU4LSQgNaBSCZByWmC/1c9lbLE4KxJflAE1SjAVUWUI1NPb Klzg==
X-Gm-Message-State: AA6/9RnWRbAwYWHnbq4fReX8XPecnDCqHg8PxkJ1eEWhx9qgZwJiq2C95iUFtUB3A39gfEJqLoJ2H1aTNTfhiA==
X-Received: by 10.55.183.2 with SMTP id h2mr4334386qkf.134.1476862601598; Wed, 19 Oct 2016 00:36:41 -0700 (PDT)
MIME-Version: 1.0
Sender: n.mavrogiannopoulos@gmail.com
Received: by 10.12.169.91 with HTTP; Wed, 19 Oct 2016 00:36:01 -0700 (PDT)
In-Reply-To: <D42C37F3.53A00%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com>
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Date: Wed, 19 Oct 2016 09:36:01 +0200
X-Google-Sender-Auth: R-oj_nSECVGoukBoc0OGmWZmvDU
Message-ID: <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/nKHJRCg8xoU7SKEzcWux1Gw_mK8>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 07:36:44 -0000

On Tue, Oct 18, 2016 at 8:46 PM, John Mattsson
<john.mattsson@ericsson.com> wrote:
> New paper “Measuring small subgroup attacks against Diffie-Hellman”
> https://eprint.iacr.org/2016/995.pdf
> “Cryptographic recommendations from standards committees are often too
> weak or vague”
> “However, the tangle of RFCs and standards attempting to define current
> best practices in key generation and parameter sizing do not paint a clear
> picture, and instead describe complex combinations of approaches and
> parameters, exposing the fragility of the cryptographic ecosystem. As a
> result, developers often forget or ignore edge cases, leaving many
> implementations of Diffie-Hellman too close to vulnerable"
>
> “As we show in this paper, finite-field based Diffie-Hellman has many edge
> cases that make its correct use difficult, and which occasionally arise as
> bugs at the protocol level.”
>
> “As a concrete recommendation, modern Diffie-Hellman implementations
> should prefer elliptic curve groups over safe curves with proper point
> validation.”

I am not sure that the recommendations of this paper should be blindly
trusted. There are some inaccurate facts about a library I work on
[0], but a part of the abstract is also concerning:
"We examine over 20 open-source cryptographic libraries and
applications and observe that until January 2016, not a single one
validated subgroup orders by default."

That's objectively accurate, but the authors do not attempt to find
out the actual issue behind it. Are all implementations bad, or are
there obstacles to doing that? I am aware that TLS client
implementations do not validate subgroup orders by default, because
the group information provided by TLS is not sufficient to validate
the subgroup order. It is simply impossible for them to do any
validation.

regards,
Nikos

[0]. https://lists.gnupg.org/pipermail/gnutls-devel/2016-October/008198.html


From nobody Wed Oct 19 01:13:18 2016
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D49512956F; Wed, 19 Oct 2016 01:13:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKAM4LKduZPO; Wed, 19 Oct 2016 01:13:15 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E88C129560; Wed, 19 Oct 2016 01:13:15 -0700 (PDT)
X-AuditID: c1b4fb3a-ab7ff7000000099a-62-58072b1920c0
Received: from ESESSHC014.ericsson.se (Unknown_Domain [153.88.183.60]) by  (Symantec Mail Security) with SMTP id F9.C7.02458.91B27085; Wed, 19 Oct 2016 10:13:13 +0200 (CEST)
Received: from ESESSMB307.ericsson.se ([169.254.7.139]) by ESESSHC014.ericsson.se ([153.88.183.60]) with mapi id 14.03.0319.002; Wed, 19 Oct 2016 10:13:12 +0200
From: John Mattsson <john.mattsson@ericsson.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Thread-Topic: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKduJ2W/sFWR35kmFUzWD99HoZqCvbiMA
Date: Wed, 19 Oct 2016 08:13:12 +0000
Message-ID: <D42CF6EE.53ACF%john.mattsson@ericsson.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com> <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
In-Reply-To: <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.6.7.160722
x-originating-ip: [153.88.183.17]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A137A203D8A03D41AB08E5809FDF2D73@ericsson.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/XULPwP866xHm4GG9Lq5i9VPq6DQ>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 08:13:17 -0000
From nobody Wed Oct 19 08:19:52 2016
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A94312961B for <saag@ietfa.amsl.com>; Wed, 19 Oct 2016 08:19:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.152
X-Spam-Level: 
X-Spam-Status: No, score=-3.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ZFg1-zk9DXj for <saag@ietfa.amsl.com>; Wed, 19 Oct 2016 08:19:49 -0700 (PDT)
Received: from prod-mail-xrelay05.akamai.com (prod-mail-xrelay05.akamai.com [23.79.238.179]) by ietfa.amsl.com (Postfix) with ESMTP id 6E900129413 for <saag@ietf.org>; Wed, 19 Oct 2016 08:19:49 -0700 (PDT)
Received: from prod-mail-xrelay05.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id D1A5D423726; Wed, 19 Oct 2016 15:19:48 +0000 (GMT)
Received: from prod-mail-relay11.akamai.com (prod-mail-relay11.akamai.com [172.27.118.250]) by prod-mail-xrelay05.akamai.com (Postfix) with ESMTP id BAE1742370E; Wed, 19 Oct 2016 15:19:48 +0000 (GMT)
Received: from email.msg.corp.akamai.com (usma1ex-cas3.msg.corp.akamai.com [172.27.123.32]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id B720D1FC88; Wed, 19 Oct 2016 15:19:48 +0000 (GMT)
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 19 Oct 2016 11:19:48 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1178.000; Wed, 19 Oct 2016 11:19:48 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] metadata insertion draft question
Thread-Index: AQHSJjQaPwWcv3Y32EWSXZ8Ui3yEAqCv6/qQ
Date: Wed, 19 Oct 2016 15:19:48 +0000
Message-ID: <cef5748a0619453c85ea7a5f93632303@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie>
In-Reply-To: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.153.136]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/X24efSxFPc0Bqw_Qjjs5okPK8S0>
Subject: Re: [saag] metadata insertion draft question
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 15:19:51 -0000

Both docs are short enough that I would prefer to see them merged.


From nobody Wed Oct 19 08:23:02 2016
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FD311299CA for <saag@ietfa.amsl.com>; Wed, 19 Oct 2016 08:23:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xYcMkC4rb6cu for <saag@ietfa.amsl.com>; Wed, 19 Oct 2016 08:23:00 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D34141299C8 for <saag@ietf.org>; Wed, 19 Oct 2016 08:22:59 -0700 (PDT)
Received: by mail-qk0-x22a.google.com with SMTP id n189so41435907qke.0 for <saag@ietf.org>; Wed, 19 Oct 2016 08:22:59 -0700 (PDT)
X-Received: by 10.194.82.163 with SMTP id j3mr5531726wjy.56.1476890578918; Wed, 19 Oct 2016 08:22:58 -0700 (PDT)
Received: from [172.24.250.130] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id w1sm19243201wje.36.2016.10.19.08.22.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 19 Oct 2016 08:22:58 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 10.0 \(3226\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <cef5748a0619453c85ea7a5f93632303@usma1ex-dag1mb1.msg.corp.akamai.com>
Date: Wed, 19 Oct 2016 18:22:55 +0300
Content-Transfer-Encoding: 7bit
Message-Id: <8C32B083-A92C-4FB1-B7B0-7B4F1A3E8F52@gmail.com>
References: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie> <cef5748a0619453c85ea7a5f93632303@usma1ex-dag1mb1.msg.corp.akamai.com>
To: Rich Salz <rsalz@akamai.com>
X-Mailer: Apple Mail (2.3226)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/S9H2B6mmjLeNH96NBKmmVBCtAX8>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] metadata insertion draft question
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 15:23:01 -0000

Does 44 pages (3552bis) count as short?

> On 19 Oct 2016, at 18:19, Salz, Rich <rsalz@akamai.com> wrote:
> 
> Both docs are short enough that I would prefer to see them merged.
> 
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


From nobody Wed Oct 19 17:13:59 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63FD2129482; Wed, 19 Oct 2016 17:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Level: 
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fIILhSN-qSGf; Wed, 19 Oct 2016 17:13:53 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13530129454; Wed, 19 Oct 2016 17:13:50 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,516,1473076800"; d="scan'208";a="111224825"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.3 - Outgoing - Outgoing
Received: from smtp.uoa.auckland.ac.nz (HELO uxcn13-ogg-b.UoA.auckland.ac.nz) ([10.6.2.3]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 20 Oct 2016 13:13:47 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-b.UoA.auckland.ac.nz (10.6.2.3) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 20 Oct 2016 13:13:47 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Thu, 20 Oct 2016 13:13:47 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>, John Mattsson <john.mattsson@ericsson.com>
Thread-Topic: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKduZ6MYx3bG8KE+aYJga50a7EKCweBnM
Date: Thu, 20 Oct 2016 00:13:46 +0000
Message-ID: <1476922421060.41042@cs.auckland.ac.nz>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com>, <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
In-Reply-To: <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/h7wqPyferVn-lAAf83H1XhZ9VdM>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2016 00:13:57 -0000

Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:

>I am not sure that the recommendations of this paper should be blindly
>trusted. There are some inaccurate facts about a library I work on [0], but a
>part of the abstract is also concerning: "We examine over 20 open-source
>cryptographic libraries and applications and observe that until January 2016,
>not a single one validated subgroup orders by default."

I've got some comments on it as well, are any of the authors on this list?
There are no email addresses given in the paper and I'm not sure that I should
be spamming them all, or at least the ones I know... in any case the comments
may be of interest to others, so I've posted them here.

  Using shorter private exponents yields faster exponentiation times, and is a
  commonly implemented optimization. The justification for matching the order
  of the subgroup q to the exponent size rather than making subgroup order as
  large as possible is not documented anywhere in the standards documents.

It's not in any standards doc, but it's in HAC AFAIK, and originally came from
a paper by van Oorschot and Wiener.  My code uses a curve-fitting mechanism to
choose the appropriate-size exponent for a given prime (implementation
provided by Colin Plumb many years ago).  Calling it a quadratic curve
calculation is probably over-selling it a bit, it's just a way of matching the
exponent size to the prime size without having to include a large lookup
table.

  For protocols like TLS and SSH that allow a server to unilaterally specify
  the group to use, this validation step is not possible for clients to
  perform for non-safe primes: there is no way for the server to communicate
  to the client the intended order of the group

Actually it is for TLS, anything implementing the TLS-LTS draft [1] will
communicate the group order and the client can then verify it.

  We observe that no implementation that we examined validated group order for
  subgroups of order larger than two

That's kind of a tautology there, both TLS and SSH make this impossible to do.
At the moment there's at least one implementation that does this, and possibly
more (there are some proprietary vendor stacks doing -LTS, but since they're
for embedded devices and tend to be as minimalistic as possible - the most
popular ASN.1 library there is memcpy() - I wouldn't be surprised if they
skipped this particular check).  So there's a minimum of one, and a maximum of
n.

  In addition, we observed that nearly every implementation uses short
  exponents by default,

Yep, because they're the most efficient.  This is what killed RFC 5114,
they're the most inefficient (random) DH domain parameters ever published.
Which, in the long run, was probably a good thing since it strongly
discouraged their use.

  They have been widely implemented in IPsec and TLS

Not in TLS they ain't, for the reason given above.  I realise there are
oddball implementations out there that use or enable their use, but I wouldn't
say that counts as "widely used".

  This means a client has no feasible way to validate that the group sent by
  the server has the desired level of security or that a server’s key exchange
  value is in the correct group for a non-safe prime.

See the previous note, TLS-LTS provides this capability.  If you're using the
RFC 3526 DH params then you can also pretty easily recreate q from them, so
it's a simple change to apply this fix.

(TLS-LTS also fixes a number of other issues in TLS 1.2 and earlier, it's not
only the DH fix that's in there).

  TABLE II: TLS Library Behavior

I assume this was the item that Nikos was grumbling about :-).  The two issues
are that the "Reuses exponent" entries are rather unclear and "Validates
Subgroup" is somewhat tautological since standard TLS (without -LTS) doesn't
allow you to do this, so the answer is always "No".  I assume for "Reuses
exponent" the entry "Application dependent" means "it's not very clear from
the code", because my code certainly never reuses DH exponents.  However, to
see that you need to know that although each DH instance uses an { x, y } pair
that's fixed at the time of creation, no DH instance is ever reused in a TLS
or SSH session.

(Nikos, if you want to do the subgroup checking with GnuTLS and interop-test
an implementation that provides subgroup info and does the required checking,
let me know and I'll put up a server.  Same for anyone else, e.g. the OpenSSL
guys).

  implementations should follow the guidelines outlined in RFC 7919 for
  selecting finite field Diffie-Hellman primes

Uh, no.  7919 is a my-way-or-the-highway spec, or more accurately
my-way-or-no-way.  You can't say "I'd like to do DH-2048" as with SSH, you can only use
the one value that 7919 specifies and if either side chooses some other
DH-2048 value you're required to fall back to RSA.  When this was discussed on
the TLS list, the general response, from those who commented, was that they
weren't going to use it because of this and other problems it had.  Some of
these issues were brought up long ago (e.g. [2]), but ignored.  So 7919 is
pretty much a non-starter.

  implementations should prefer “safe” primes of documented provenance of at
  least 2048 bit

This is unfortunately easier to recommend than to do.  For example my code
(and some other implementations I know of) recognise and fastpath known-good
values like the RFC 3526 ones, but you can't restrict yourself to only using
known-good values because too many sites use who-knows-what sort of values,
and you'd lose the ability to connect to a significant chunk of the net if you
get too exclusive.

The real solution, and obviously I'm a bit biased here because I'm the author
(but then it was also an obvious problem that needed fixing), is to use -LTS,
which provides what you need to validate the DH parameters.

Peter.

[0] Not my footnote.
[1] https://datatracker.ietf.org/doc/draft-gutmann-tls-lts.
[2] https://www.ietf.org/mail-archive/web/tls/current/msg18697.html.
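Peter's remark that q can be recreated from a safe prime and the subgroup check then applied, together with Nikos's point that plain TLS hands the client only (p, g, y), worked through as an added example that is not code from the thread or from GnuTLS, cryptlib or OpenSSL. The demo group p = 23, the constants and the function names are constructed for the illustration; a deployment would use a 2048-bit group such as the RFC 3526 ones, whose values are not reproduced here.

```python
"""Subgroup-order validation for finite-field DH over a safe prime.

Added example for the thread above; not code from any library it mentions.
A small constructed safe prime keeps it instant; the same functions work
unchanged on 2048-bit parameters.
"""
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """True when both p and (p-1)/2 are prime."""
    return p >= 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def recover_subgroup_order(p: int) -> int:
    """The server sends only (p, g, y), never q. For a safe prime the order
    of the intended subgroup is still fixed by p alone: q = (p-1)/2."""
    if not is_safe_prime(p):
        raise ValueError("p is not a safe prime, so q cannot be recovered from it")
    return (p - 1) // 2


def range_check_only(p: int, y: int) -> bool:
    """All a client can do when it knows p and g but not q: reject 0, 1, p-1
    and out-of-range values. Elements of order 2q still pass this check."""
    return 1 < y < p - 1


def validate_public_value(p: int, q: int, y: int) -> bool:
    """Full check: range check plus membership in the order-q subgroup.
    For a safe prime this rejects the order-2 element p-1 and every element
    of order 2q; accepting an order-2q value would let the peer learn the
    low bit of our private exponent from the derived secret."""
    return range_check_only(p, y) and pow(y, q, p) == 1


def generate_keypair(p: int, q: int, g: int) -> tuple[int, int]:
    """Private exponent x in [1, q-1] and public value y = g^x mod p.
    The generator itself must lie in the order-q subgroup."""
    if not validate_public_value(p, q, g):
        raise ValueError("generator is not in the order-q subgroup")
    x = random.SystemRandom().randrange(1, q)
    return x, pow(g, x, p)


def shared_secret(p: int, q: int, x: int, peer_y: int) -> int:
    """Derive the DH secret only after the peer's value passes the full check."""
    if not validate_public_value(p, q, peer_y):
        raise ValueError("peer public value rejected")
    return pow(peer_y, x, p)


# Constructed demo group: p = 23 is a safe prime (q = 11). g = 4 generates the
# order-11 subgroup of quadratic residues; 5 generates the whole group of
# order 22 and is exactly the kind of value the subgroup check must reject.
P_DEMO, G_DEMO = 23, 4
Q_DEMO = recover_subgroup_order(P_DEMO)

if __name__ == "__main__":
    xa, ya = generate_keypair(P_DEMO, Q_DEMO, G_DEMO)
    xb, yb = generate_keypair(P_DEMO, Q_DEMO, G_DEMO)
    assert shared_secret(P_DEMO, Q_DEMO, xa, yb) == shared_secret(P_DEMO, Q_DEMO, xb, ya)
    for y in (1, 5, 22):
        # 5 passes the range check but fails the subgroup check
        print(y, range_check_only(P_DEMO, y), validate_public_value(P_DEMO, Q_DEMO, y))
```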


From nobody Thu Oct 20 01:18:28 2016
Return-Path: <asanso@adobe.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E69CF129540; Thu, 20 Oct 2016 01:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level: 
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adobe.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g10qeixSSvZe; Thu, 20 Oct 2016 01:18:22 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0046.outbound.protection.outlook.com [104.47.36.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72AD11293F8; Thu, 20 Oct 2016 01:18:22 -0700 (PDT)
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com (10.161.203.148) by BY1PR0201MB1032.namprd02.prod.outlook.com (10.161.203.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.659.11; Thu, 20 Oct 2016 08:18:20 +0000
Received: from BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) by BY1PR0201MB1030.namprd02.prod.outlook.com ([10.161.203.148]) with mapi id 15.01.0659.025; Thu, 20 Oct 2016 08:18:20 +0000
From: Antonio Sanso <asanso@adobe.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Thread-Topic: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
Thread-Index: AQHSKduU/0Rej7lBOUG2WHjBaRnjnaCwee4AgACHZ4A=
Date: Thu, 20 Oct 2016 08:18:19 +0000
Message-ID: <EF9F6447-E81A-49E7-8DD7-F68BECE3029D@adobe.com>
References: <alpine.LRH.2.20.1610091711050.8864@bofh.nohats.ca> <D42AB86C.538C3%john.mattsson@ericsson.com> <CADZyTknqvF=zxW2thuN7mf_St2UmnWZzd8dVb5dWzDJ5=8tz5w@mail.gmail.com> <8C717FB2-DDC2-452E-AEC3-115B1E1397CF@gmail.com> <alpine.LRH.2.20.1610171206070.827@bofh.nohats.ca> <551e6c5c-0db7-62d5-da31-b99f26475010@bbn.com> <D42C37F3.53A00%john.mattsson@ericsson.com>, <CAJU7zaKjy9g+UQmzP-LvV0X5myFES0eE9L=-sFYnjHcrW4+h9g@mail.gmail.com> <1476922421060.41042@cs.auckland.ac.nz>
In-Reply-To: <1476922421060.41042@cs.auckland.ac.nz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=asanso@adobe.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [192.147.117.11]
x-ms-office365-filtering-correlation-id: 2d3ae1db-f52a-46c8-543a-08d3f8c1a6e3
received-spf: None (protection.outlook.com: adobe.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <659BC7680B462945945A8A276F19C0A7@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Oct 2016 08:18:19.9492 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: fa7b1b5a-7b34-4387-94ae-d2c178decee1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0201MB1032
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/y-mclSzHfyfyPc7h-r01RLbQUtw>
Cc: "ipsec@ietf.org WG" <ipsec@ietf.org>, Paul Wouters <paul@nohats.ca>, Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] [IPsec] trapdoor'ed DH (and RFC-5114 again)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2016 08:18:26 -0000

hi Peter, (one of the authors here)
thanks a lot for your comments.
As for the case with Nikos we take on board and well appreciate comments/feedback.
Will pass the message.

Thanks a lot and regards

antonio

On Oct 20, 2016, at 2:13 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:

> Nikos Mavrogiannopoulos <nmav@gnutls.org> writes:
>
>> I am not sure that the recommendations of this paper should be blindly
>> trusted. There are some inaccurate facts about a library I work on [0], but a
>> part of the abstract is also concerning: "We examine over 20 open-source
>> cryptographic libraries and applications and observe that until January 2016,
>> not a single one validated subgroup orders by default."
>
> I've got some comments on it as well, are any of the authors on this list?
> There are no email addresses given in the paper and I'm not sure that I should
> be spamming them all, or at least the ones I know... in any case the comments
> may be of interest to others, so I've posted them here.
>
>  Using shorter private exponents yields faster exponentiation times, and is a
>  commonly implemented optimization. The justification for matching the order
>  of the subgroup q to the exponent size rather than making subgroup order as
>  large as possible is not documented anywhere in the standards documents.
>
> It's not in any standards doc, but it's in HAC AFAIK, and originally came from
> a paper by van Oorschot and Wiener.  My code uses a curve-fitting mechanism to
> choose the appropriate-size exponent for a given prime (implementation
> provided by Colin Plumb many years ago).  Calling it a quadratic curve
> calculation is probably over-selling it a bit, it's just a way of matching the
> exponent size to the prime size without having to include a large lookup
> table.
>
>  For protocols like TLS and SSH that allow a server to unilaterally specify
>  the group to use, this validation step is not possible for clients to
>  perform for non-safe primes: there is no way for the server to communicate
>  to the client the intended order of the group
>
> Actually it is for TLS, anything implementing the TLS-LTS draft [1] will
> communicate the group order and the client can then verify it.
>
>  We observe that no implementation that we examined validated group order for
>  subgroups of order larger than two
>
> That's kind of a tautology there, both TLS and SSH make this impossible to do.
> At the moment there's at least one implementation that does this, and possibly
> more (there are some proprietary vendor stacks doing -LTS, but since they're
> for embedded devices and tend to be as minimalistic as possible - the most
> popular ASN.1 library there is memcpy() - I wouldn't be surprised if they
> skipped this particular check).  So there's a minimum of one, and a maximum of
> n.
>
>  In addition, we observed that nearly every implementation uses short
>  exponents by default,
>
> Yep, because they're the most efficient.  This is what killed RFC 5114,
> they're the most inefficient (random) DH domain parameters ever published.
> Which, in the long run, was probably a good thing since it strongly
> discouraged their use.
>
>  They have been widely implemented in IPsec and TLS
>
> Not in TLS they ain't, for the reason given above.  I realise there are
> oddball implementations out there that use or enable their use, but I wouldn't
> say that counts as "widely used".
>
>  This means a client has no feasible way to validate that the group sent by
>  the server has the desired level of security or that a server's key exchange
>  value is in the correct group for a non-safe prime.
>
> See the previous note, TLS-LTS provides this capability.  If you're using the
> RFC 3526 DH params then you can also pretty easily recreate q from them, so
> it's a simple change to apply this fix.
>
> (TLS-LTS also fixes a number of other issues in TLS 1.2 and earlier, it's not
> only the DH fix that's in there).
>
>  TABLE II: TLS Library Behavior
>
> I assume this was the item that Nikos was grumbling about :-).  The two issues
> are that the "Reuses exponent" entries are rather unclear and "Validates
> Subgroup" is somewhat tautological since standard TLS (without -LTS) doesn't
> allow you to do this, so the answer is always "No".  I assume for "Reuses
> exponent" the entry "Application dependent" means "it's not very clear from
> the code", because my code certainly never reuses DH exponents.  However, to
> see that you need to know that although each DH instance uses an { x, y } pair
> that's fixed at the time of creation, no DH instance is ever reused in a TLS
> or SSH session,
>
> (Nikos, if you want to do the subgroup checking with GnuTLS and interop-test
> an implementation that provides subgroup info and does the required checking,
> let me know and I'll put up a server.  Same for anyone else, e.g. the OpenSSL
> guys).
>
>  implementations should follow the guidelines outlined in RFC 7919 for
>  selecting finite field Diffie-Hellman primes
>
> Uh, no.  7919 is a my-way-or-the-highway spec, or more accurately my-way-or-
> no-way.  You can't say "I'd like to do DH-2048" as with SSH, you can only use
> the one value that 7919 specifies and if either side chooses some other
> DH-2048 value you're required to fall back to RSA.  When this was discussed on
> the TLS list, the general response, from those who commented, was that they
> weren't going to use it because of this and other problems it had.  Some of
> these issues were brought up long ago (e.g. [2]), but ignored.  So 7919 is
> pretty much a non-starter.
>
>  implementations should prefer "safe" primes of documented provenance of at
>  least 2048 bit
>
> This is unfortunately easier to recommend than to do.  For example my code
> (and some other implementations I know of) recognise and fastpath known-good
> values like the RFC 3526 ones, but you can't restrict yourself to only using
> known-good values because too many sites use who-knows-what sort of values,
> and you'd lose the ability to connect to a significant chunk of the net if you
> get too exclusive.
>
> The real solution, and obviously I'm a bit biased here because I'm the author
> (but then it was also an obvious problem that needed fixing), is to use -LTS,
> which provides what you need to validate the DH parameters.
>
> Peter.
>
> [0] Not my footnote.
> [1] https://datatracker.ietf.org/doc/draft-gutmann-tls-lts.
> [2] https://www.ietf.org/mail-archive/web/tls/current/msg18697.html.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
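Peter's point above that q can be recreated from the RFC 3526 parameters and a peer's value then checked against it, worked through as an added example (my code, not the thread's and not from any implementation it names): it rebuilds the group 14 prime from the formula RFC 3526 documents for it, recovers q, and accepts or rejects sample public values. It assumes only the Python standard library; the probable-prime test, the 256-bit short exponent and the sample values are choices of this example, not anything the thread specifies.

```python
"""Recreate q from the RFC 3526 2048-bit MODP group and validate a peer's DH value.

Added example, not code from the thread or any implementation it names; standard
library only. The prime is rebuilt from the formula RFC 3526 documents for it,
p = 2^2048 - 2^1984 - 1 + 2^64 * (floor(2^1918 * pi) + 124476), so its documented
provenance is checked rather than trusted.
"""
import secrets

def pi_scaled(bits: int) -> int:
    """floor(pi * 2**bits), computed with Machin's formula in integer arithmetic."""
    guard = 64                      # spare low bits absorb series truncation error
    scale = 1 << (bits + guard)

    def arctan_inv(x: int) -> int:  # arctan(1/x) * scale, alternating series
        total, power, k, sign = 0, scale // x, 1, 1
        while power:
            total += sign * (power // k)
            power //= x * x
            k, sign = k + 2, -sign
        return total

    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard

def modp_2048() -> int:
    """RFC 3526 group 14 prime, rebuilt from its nothing-up-my-sleeve construction."""
    return (1 << 2048) - (1 << 1984) - 1 + (1 << 64) * (pi_scaled(1918) + 124476)

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; false-positive rate at most 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def subgroup_order(p: int) -> int:
    """Recreate q for a safe prime p = 2q + 1, refusing any other modulus.

    A safe prime has exactly one large subgroup, of order (p - 1) / 2, so q is
    known without a group-order field from the server (what TLS-LTS carries).
    """
    if not is_probable_prime(p):
        raise ValueError("modulus is not prime")
    q = (p - 1) // 2
    if not is_probable_prime(q):
        raise ValueError("not a safe prime: subgroup order cannot be inferred")
    return q

def validate_public_value(y: int, p: int, q: int) -> bool:
    """Accept a peer's DH value only if it lies in the order-q subgroup.

    Rejects 0, 1 and p - 1 (orders 1 and 2, which collapse the shared secret)
    and every order-2q element, which would leak the low bit of our exponent.
    """
    return 1 < y < p - 1 and pow(y, q, p) == 1

def demo() -> dict:
    """Run the checks on group 14 and on a prime that is not a safe prime."""
    p = modp_2048()
    q = subgroup_order(p)
    g = 2                                   # generator published with the group
    x = 1 + secrets.randbelow(1 << 256)     # short private exponent, the usual optimisation
    y = pow(g, x, p)                        # an honest peer's public value
    try:
        subgroup_order(13)                  # 13 is prime, but (13 - 1) / 2 = 6 is not
        non_safe_rejected = False
    except ValueError:
        non_safe_rejected = True
    return {
        "p_bits": p.bit_length(),
        "generator_ok": validate_public_value(g, p, q),
        "honest_value_ok": validate_public_value(y, p, q),
        "one_rejected": not validate_public_value(1, p, q),
        "p_minus_one_rejected": not validate_public_value(p - 1, p, q),
        "order_2q_rejected": not validate_public_value(p - 2, p, q),  # -2 is a non-residue mod p
        "non_safe_prime_rejected": non_safe_rejected,
    }

if __name__ == "__main__":
    print(demo())
```

The two probable-prime tests on 2048-bit numbers dominate the run time; the per-handshake cost is the single exponentiation in validate_public_value.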


From nobody Fri Oct 21 16:31:19 2016
Return-Path: <Jeff.Hodges@kingsmountain.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53AC012996A for <saag@ietfa.amsl.com>; Fri, 21 Oct 2016 16:29:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level: 
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j8w8rGKsWs-b for <saag@ietfa.amsl.com>; Fri, 21 Oct 2016 16:29:16 -0700 (PDT)
Received: from gproxy9-pub.mail.unifiedlayer.com (gproxy9-pub.mail.unifiedlayer.com [69.89.20.122]) by ietfa.amsl.com (Postfix) with SMTP id B7C701298AF for <saag@ietf.org>; Fri, 21 Oct 2016 16:27:13 -0700 (PDT)
Received: (qmail 18093 invoked by uid 0); 21 Oct 2016 23:27:12 -0000
Received: from unknown (HELO cmgw4) (10.0.90.85) by gproxy9.mail.unifiedlayer.com with SMTP; 21 Oct 2016 23:27:12 -0000
Received: from box514.bluehost.com ([74.220.219.114]) by cmgw4 with  id yPT91t00W2UhLwi01PTCDB; Fri, 21 Oct 2016 17:27:12 -0600
Received: from c-73-202-80-238.hsd1.ca.comcast.net ([73.202.80.238]:60018 helo=[192.168.11.53]) by box514.bluehost.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.86_1) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1bxjDR-0002lA-Bz; Fri, 21 Oct 2016 17:27:09 -0600
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
From: =JeffH <Jeff.Hodges@KingsMountain.com>
Message-ID: <1f5732e7-fe27-a4c3-5809-39b4b2f0d676@KingsMountain.com>
Date: Fri, 21 Oct 2016 16:27:08 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box514.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - KingsMountain.com
X-BWhitelist: no
X-Source-IP: 73.202.80.238
X-Exim-ID: 1bxjDR-0002lA-Bz
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: c-73-202-80-238.hsd1.ca.comcast.net ([192.168.11.53]) [73.202.80.238]:60018
X-Source-Auth: jeff.hodges+kingsmountain.com
X-Email-Count: 3
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/udjRwMhFVSHGyg4qbF80drIzGXc>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] pkcs#1 -> IETF change control
X-List-Received-Date: Fri, 21 Oct 2016 23:29:21 -0000

draft-moriarty-pkcs1-03 has not yet entered IETF-wide Last Call, correct?

If so, when might it do so?

thanks,

=JeffH


From nobody Fri Oct 21 16:43:53 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25E501294E6 for <saag@ietfa.amsl.com>; Fri, 21 Oct 2016 16:43:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.732
X-Spam-Level: 
X-Spam-Status: No, score=-4.732 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t3Lky_4oNahw for <saag@ietfa.amsl.com>; Fri, 21 Oct 2016 16:43:49 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78F44129575 for <saag@ietf.org>; Fri, 21 Oct 2016 16:43:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 59329BE38; Sat, 22 Oct 2016 00:43:47 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UegzJthrnoOq; Sat, 22 Oct 2016 00:43:46 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 97CC7BE32; Sat, 22 Oct 2016 00:43:45 +0100 (IST)
To: =JeffH <Jeff.Hodges@KingsMountain.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
References: <1f5732e7-fe27-a4c3-5809-39b4b2f0d676@KingsMountain.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <1d443a4e-8218-1026-c653-f26c0495366f@cs.tcd.ie>
Date: Sat, 22 Oct 2016 00:43:45 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <1f5732e7-fe27-a4c3-5809-39b4b2f0d676@KingsMountain.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms040208050902090401080409"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ns-AH8-lVM9sianCZG4S4SKJ7j0>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] pkcs#1 -> IETF change control
X-List-Received-Date: Fri, 21 Oct 2016 23:43:51 -0000

On 22/10/16 00:27, =JeffH wrote:
> draft-moriarty-pkcs1-03 has not yet entered IETF-wide Last Call, correct?
>
> If so, when might it do so?

Eh, no, that's [1] been approved by the IESG and is in the
RFC editor's queue. Why do you ask?

S.

[1] https://datatracker.ietf.org/doc/draft-moriarty-pkcs1/

>
> thanks,
>
> =JeffH
>
>




From nobody Sat Oct 22 10:07:27 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E48412963E for <saag@ietfa.amsl.com>; Sat, 22 Oct 2016 10:07:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.732
X-Spam-Level: 
X-Spam-Status: No, score=-4.732 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0EfhQopolgub for <saag@ietfa.amsl.com>; Sat, 22 Oct 2016 10:07:23 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 107681294AB for <saag@ietf.org>; Sat, 22 Oct 2016 10:07:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0441ABE4D; Sat, 22 Oct 2016 18:07:20 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EaSrOQeKePap; Sat, 22 Oct 2016 18:07:18 +0100 (IST)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 25EEDBE3E; Sat, 22 Oct 2016 18:07:18 +0100 (IST)
To: "saag@ietf.org" <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <ebbc77d8-d0b6-9d92-cc2c-ddd881c44f03@cs.tcd.ie>
Date: Sat, 22 Oct 2016 18:07:18 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000607030703000303010301"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/vHC8qzMgKj-635K9mq_qtlYMC5Q>
Subject: [saag] AD sponsoring draft-harkins-owe
X-List-Received-Date: Sat, 22 Oct 2016 17:07:25 -0000



Hiya,

Dan and Warren reckon they're nearly at the point where
I could start an IETF last call on the OWE draft [1].
(We discussed that before in the thread starting at [2].
And in case you wonder, I believe that the IEEE folks
are ok that this is being done in the IETF.)

Warren and Dan plan to do an update before the cutoff for
Seoul to change to use a new IANA registry and fix TODO
stuff and then I'll do my AD review and all going well
will start IETF LC shortly thereafter. (As I said before
I'll be reaching out to some people more familiar with
IEEE 802 security as well at that time, and ensuring
that the last call is visible to those who care about
liaising between IETF and IEEE 802.)

In the meantime, if you have comments please send those
here or to the authors. And if you can do that in the
next few days, that'd be even better so the authors can
handle those before I do my AD review.

Thanks,
S.

[1] https://tools.ietf.org/html/draft-harkins-owe-03
[2] https://www.ietf.org/mail-archive/web/saag/current/msg07210.html




From nobody Sun Oct 23 04:33:08 2016
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C24B0128B44; Sun, 23 Oct 2016 04:33:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.631
X-Spam-Level: 
X-Spam-Status: No, score=-4.631 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F1Zq4lMGjhxY; Sun, 23 Oct 2016 04:33:02 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D46AE129514; Sun, 23 Oct 2016 04:33:01 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,388,1473076800"; d="scan'208";a="111623691"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.3 - Outgoing - Outgoing
Received: from smtp.uoa.auckland.ac.nz (HELO uxcn13-tdc-b.UoA.auckland.ac.nz) ([10.6.3.3]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 24 Oct 2016 00:32:57 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-b.UoA.auckland.ac.nz (10.6.3.23) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Mon, 24 Oct 2016 00:32:57 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Mon, 24 Oct 2016 00:32:57 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Paul Wouters <paul@nohats.ca>, "ipsec@ietf.org WG" <ipsec@ietf.org>, Security Area Advisory Group <saag@ietf.org>
Thread-Topic: [saag] Yet another RFC-5114 attack
Thread-Index: AQHSKUf706LEkw7PNk+MbYj2YFBVsaC17m90
Date: Sun, 23 Oct 2016 11:32:56 +0000
Message-ID: <1477222363928.11089@cs.auckland.ac.nz>
References: <alpine.LRH.2.20.1610180951020.18741@bofh.nohats.ca>
In-Reply-To: <alpine.LRH.2.20.1610180951020.18741@bofh.nohats.ca>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1DB4Ng40ZaJZHmbuZlWfiC5FIOU>
Subject: Re: [saag] Yet another RFC-5114 attack
X-List-Received-Date: Sun, 23 Oct 2016 11:33:08 -0000

And another one:

  http://eprint.iacr.org/2016/999.pdf

  Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS

  Software implementations of discrete logarithm based cryptosystems over
  finite fields typically make the assumption that any domain parameters they
  are presented with are trustworthy, i.e., the parameters implement cyclic
  groups where the discrete logarithm problem is assumed to be hard. An
  informal and widespread justification for this seemingly exists that says
  validating parameters at run time is too computationally expensive relative
  to the perceived risk of a server sabotaging the privacy of its own
  connection. In this paper we explore this trust assumption and examine
  situations where it may not always be justified.

  We conducted an investigation of discrete logarithm domain parameters in use
  across the Internet and discovered evidence of a multitude of potentially
  backdoored moduli of unknown order in TLS and STARTTLS spanning numerous
  countries, organizations, and protocols. Although our disclosures resulted
  in a number of organizations taking down suspicious parameters, we argue the
  potential for TLS backdoors is systematic and will persist until either
  better parameter hygiene is taken up by the community, or finite field
  based cryptography is eliminated altogether.

This problem at least:

  No mechanism is provided in TLS to communicate group order

is already fixed:

  https://datatracker.ietf.org/doc/draft-gutmann-tls-lts/

Peter.


From nobody Mon Oct 24 12:40:06 2016
From: "Hodges, Jeff" <jeff.hodges@paypal.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: [saag] pkcs#1 -> IETF change control
Date: Mon, 24 Oct 2016 19:39:58 +0000
Message-ID: <D433B12E.D96BA%jehodges@paypalcorp.com>
References: <1f5732e7-fe27-a4c3-5809-39b4b2f0d676@KingsMountain.com> <1d443a4e-8218-1026-c653-f26c0495366f@cs.tcd.ie>
In-Reply-To: <1d443a4e-8218-1026-c653-f26c0495366f@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/tY7R1WG4qDqa1jaiD0nvw1sTaXA>
Cc: IETF SAAG <saag@ietf.org>
Subject: Re: [saag] pkcs#1 -> IETF change control
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2016 19:40:05 -0000

On 10/21/16, 4:43 PM, "saag on behalf of Stephen Farrell"
<saag-bounces@ietf.org on behalf of stephen.farrell@cs.tcd.ie> wrote:
>On 22/10/16 00:27, =JeffH wrote:
>> draft-moriarty-pkcs1-03 has not yet entered IETF-wide Last Call,
>>correct?
>>
>> If so, when might it do so?
>
>Eh, no, that's [1] been approved by the IESG and is in the
>RFC editor's queue.

doh, sorry to trouble you.

>Why do you ask?

prefer to reference that rather than 3447.

thx

=JeffH


From nobody Mon Oct 24 13:53:56 2016
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: saag <saag@ietf.org>
Date: Mon, 24 Oct 2016 16:53:51 -0400
Message-ID: <13018.1477342431@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-7Xm3CMxk4hJP14mSgt5vTqcfpQ>
Subject: [saag] presentation format for hash of public key


Are there any common ways to present/format a hash of a public key?
Assuming it's 20 bytes of SHA1 or SHA2 of the binary encoding of
the public key, are there any specifications that say how to show
this to the user?

We have GPG format, of a set of 5 groups of 4 used in the fingerprint.
Are there other ways?

This is mostly for diagnostic reasons.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-






From nobody Mon Oct 24 13:56:07 2016
From: "Salz, Rich" <rsalz@akamai.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, saag <saag@ietf.org>
Thread-Topic: [saag] presentation format for hash of public key
Date: Mon, 24 Oct 2016 20:56:02 +0000
Message-ID: <f738e80c52a843f4b9facba3f80b183d@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <13018.1477342431@obiwan.sandelman.ca>
In-Reply-To: <13018.1477342431@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/eKPmBs4pLptEzHPgSL26gQBvsxs>
Subject: Re: [saag] presentation format for hash of public key

For what it's worth, OpenSSL does octet pairs separated by colon.
; openssl x509  -fingerprint -in apps/server.pem
SHA1 Fingerprint=E8:4A:8E:20:76:4E:EF:0E:ED:BE:54:9F:91:8C:A4:F6:A2:B3:D1:04
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
...
JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
-----END CERTIFICATE-----


From nobody Mon Oct 24 15:09:40 2016
From: Paul Lambert <paul@marvell.com>
To: "Salz, Rich" <rsalz@akamai.com>, Michael Richardson <mcr+ietf@sandelman.ca>, saag <saag@ietf.org>
Thread-Topic: [saag] presentation format for hash of public key
Date: Mon, 24 Oct 2016 22:09:31 +0000
Message-ID: <D433CBB1.A403D%paul@marvell.com>
References: <13018.1477342431@obiwan.sandelman.ca> <f738e80c52a843f4b9facba3f80b183d@usma1ex-dag1mb1.msg.corp.akamai.com>
In-Reply-To: <f738e80c52a843f4b9facba3f80b183d@usma1ex-dag1mb1.msg.corp.akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/OflQDCxuUPNr1BhwJ665V_E1-Js>
Subject: Re: [saag] presentation format for hash of public key

In other forums I've been using a hash of the public key
and the associated cipher suite identifier (csi):

    uaid = h( csi , public_key )

The hash used depends on the cipher suite identifier.

The display representation is optimized for readability
and recommends a base27 encoding. For example:

    Q4RM-K4FZ-T432-RZ4Q-ZA88-YQ94

The base27 encode/decode string is:
    b27string = 'ABCDEFGHJKMNPQRTWXYZ2346789'


This string is selected to remove visually the
ambiguous characters:
    0O 1Iil 5S UV

The separator characters ('-') are optional, but recommended.

The encoding allows input in lower or upper case, but the
displayed representation should always be upper case for readability.

Paul

PS - example/reference code for base27 in:
    https://github.com/nymble/cryptopy/blob/master/cipher/encoding.py




-----Original Message-----
From: saag <saag-bounces@ietf.org> on behalf of "Salz, Rich"
<rsalz@akamai.com>
Date: Monday, October 24, 2016 at 1:56 PM
To: Michael Richardson <mcr+ietf@sandelman.ca>, saag <saag@ietf.org>
Subject: Re: [saag] presentation format for hash of public key

>For what it's worth, OpenSSL does octet pairs separated by colon.
>; openssl x509  -fingerprint -in apps/server.pem
>SHA1 Fingerprint=E8:4A:8E:20:76:4E:EF:0E:ED:BE:54:9F:91:8C:A4:F6:A2:B3:D1:04
>-----BEGIN CERTIFICATE-----
>MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
>...
>JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
>-----END CERTIFICATE-----
>
>_______________________________________________
>saag mailing list
>saag@ietf.org
>https://www.ietf.org/mailman/listinfo/saag
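
The three display conventions raised in this thread (OpenSSL's colon-separated octet pairs, a GPG-style grouping of four hex digits, and Paul's base27 alphabet with optional dash separators), as an added example that is not part of the thread or of the cryptopy reference code linked above. Assumptions of this example, not statements from the thread: uaid hashes the concatenation csi || public_key, base27 digits are produced by big-endian integer conversion (the reference code's digit order and padding are not on the page), and the 14-byte truncation is only there to get a 24-digit string shaped like the one in the post.

```python
import hashlib

# 27-symbol alphabet from Paul Lambert's post, with the visually ambiguous
# 0/O, 1/I/l, 5/S and U/V left out.
B27_ALPHABET = 'ABCDEFGHJKMNPQRTWXYZ2346789'
_B27_INDEX = {c: i for i, c in enumerate(B27_ALPHABET)}
GROUP = 4  # digits per display group, as in Q4RM-K4FZ-...


def openssl_fingerprint(digest: bytes) -> str:
    """OpenSSL style from Rich Salz's post: upper-case octet pairs joined by ':'."""
    return ':'.join(f'{b:02X}' for b in digest)


def gpg_style(digest: bytes) -> str:
    """GPG-style display: hex digits in space-separated groups of four."""
    hexdigits = digest.hex().upper()
    return ' '.join(hexdigits[i:i + GROUP] for i in range(0, len(hexdigits), GROUP))


def uaid(csi: bytes, public_key: bytes, hash_name: str = 'sha256') -> bytes:
    """uaid = h(csi, public_key).  ASSUMPTION: h is a hash over csi || public_key;
    the post only says which hash is used depends on the cipher suite identifier."""
    h = hashlib.new(hash_name)
    h.update(csi)
    h.update(public_key)
    return h.digest()


def b27_digits_for(nbytes: int) -> int:
    """Smallest digit count n with 27**n >= 256**nbytes, so every value fits."""
    n = 0
    while 27 ** n < 256 ** nbytes:
        n += 1
    return n


def b27_encode(data: bytes, sep: str = '-') -> str:
    """Base27-encode data as a big-endian integer (ASSUMPTION: digit order and
    fixed-width padding are this example's choice, not the reference code's)."""
    value = int.from_bytes(data, 'big')
    digits = []
    for _ in range(b27_digits_for(len(data))):
        value, rem = divmod(value, 27)
        digits.append(B27_ALPHABET[rem])
    text = ''.join(reversed(digits))  # most significant digit first
    return sep.join(text[i:i + GROUP] for i in range(0, len(text), GROUP))


def b27_normalize(text: str) -> str:
    """Drop the optional separators and fold to upper case; input may be either case."""
    return ''.join(ch for ch in text.upper() if ch not in '- ')


def is_valid_b27(text: str) -> bool:
    """True when every digit is in the alphabet; 0, O, 1, I, l, 5, S, U, V are rejected."""
    return all(ch in _B27_INDEX for ch in b27_normalize(text))


def b27_decode(text: str, nbytes: int) -> bytes:
    """Inverse of b27_encode for a value known to be nbytes long."""
    value = 0
    for ch in b27_normalize(text):
        if ch not in _B27_INDEX:
            raise ValueError(f'not a base27 digit: {ch!r}')
        value = value * 27 + _B27_INDEX[ch]
    if value >= 256 ** nbytes:
        raise ValueError('encoded value does not fit in the expected length')
    return value.to_bytes(nbytes, 'big')


if __name__ == '__main__':
    # Constructed sample inputs, not real key material.
    csi = b'\x00\x01'
    public_key = bytes(range(32))
    d = uaid(csi, public_key)
    print(openssl_fingerprint(d[:20]))
    print(gpg_style(d[:20]))
    print(b27_encode(d[:14]))  # 24 digits in 6 groups, like the example in the post
    assert b27_decode(b27_encode(d).lower(), len(d)) == d
```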


From nobody Tue Oct 25 10:46:56 2016
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Paul Lambert <paul@marvell.com>
In-Reply-To: <D433CBB1.A403D%paul@marvell.com>
References: <13018.1477342431@obiwan.sandelman.ca> <f738e80c52a843f4b9facba3f80b183d@usma1ex-dag1mb1.msg.corp.akamai.com> <D433CBB1.A403D%paul@marvell.com>
Date: Tue, 25 Oct 2016 13:46:51 -0400
Message-ID: <3918.1477417611@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/g5E-TlZKlEG5gfkPSqis3LuR6v8>
Cc: saag <saag@ietf.org>
Subject: Re: [saag] presentation format for hash of public key


I'm getting that perhaps we have no specification here.
Would one be useful?

Paul Lambert <paul@marvell.com> wrote:
    > In other forums I've been using a hash of the public key
    > and the associated cipher suite identifier (csi):

    > uaid = h( csi , public_key )

    > The hash used depends on the cipher suite identifier.

Can you give me examples of this case?
Who defines "csi" here?

I'd ideally like something that works across uses (IPsec, S/MIME, TLS, etc.)
not because I think reusing keys is a great thing, but because sometimes
users put the wrong cert into the wrong place...


    > The display representation is optimized for readability
    > and recommends a base27 encoding. For example:

    > Q4RM-K4FZ-T432-RZ4Q-ZA88-YQ94

    > The base27 encode/decode string is:
    > b27string = 'ABCDEFGHJKMNPQRTWXYZ2346789'


    > This string is selected to remove visually the
    > ambiguous characters:
    > 0O 1Iil 5S UV

    > The separator characters ('-') are optional, but recommended.

    > The encoding allows input in lower or upper case, but the
    > displayed representation should always be upper case for readability.

    > Paul

    > PS - example/reference code for base27 in:
    > https://github.com/nymble/cryptopy/blob/master/cipher/encoding.py




    > -----Original Message-----
    > From: saag <saag-bounces@ietf.org> on behalf of "Salz, Rich"
    > <rsalz@akamai.com>
    > Date: Monday, October 24, 2016 at 1:56 PM
    > To: Michael Richardson <mcr+ietf@sandelman.ca>, saag <saag@ietf.org>
    > Subject: Re: [saag] presentation format for hash of public key

    >> For what it's worth, OpenSSL does octet pairs separated by colon.
    >> ; openssl x509  -fingerprint -in apps/server.pem
    >> SHA1
    >> Fingerprint=E8:4A:8E:20:76:4E:EF:0E:ED:BE:54:9F:91:8C:A4:F6:A2:B3:D1:04
    >> -----BEGIN CERTIFICATE-----
    >> MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
    >> ...
    >> JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
    >> -----END CERTIFICATE-----
    >>


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-






From nobody Tue Oct 25 13:56:58 2016
MIME-Version: 1.0
In-Reply-To: <3918.1477417611@obiwan.sandelman.ca>
References: <13018.1477342431@obiwan.sandelman.ca> <f738e80c52a843f4b9facba3f80b183d@usma1ex-dag1mb1.msg.corp.akamai.com> <D433CBB1.A403D%paul@marvell.com> <3918.1477417611@obiwan.sandelman.ca>
From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Tue, 25 Oct 2016 22:56:43 +0200
Message-ID: <CA+eFz_L+_YMDYR9sd9SRVbUW7NvmEn0aBiXDSe4XwQ1KJbPVuw@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary=001a113d3034f466cb053fb6be15
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/CCfR7J_dWP37Z9xNo_PVIvC9A_g>
Cc: saag <saag@ietf.org>
Subject: Re: [saag] presentation format for hash of public key

--001a113d3034f466cb053fb6be15
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

The crypto-conditions specification defines a format for what is
effectively a public key fingerprint. It's what we call the
"condition".

It has 4 parts: a type (which determines how the fingerprint is generated),
a bitmask of features that would be required to validate the "fulfillment"
(signature), and a max fulfillment size (which indicates the max size of the
signature, to allow a system to check, based just on the condition, whether it
will be capable of validating the fulfillment later).

Latest draft is at:
https://datatracker.ietf.org/doc/draft-thomas-crypto-conditions/

I'm presenting the ID in Seoul if anyone is interested and will be pushing
a revised ID in the next few days to hopefully make it much easier to grok
the goals and usage.

This might not be what you're looking for exactly, but I guess that depends
on the NEED for the public key fingerprint.

On 25 October 2016 at 19:46, Michael Richardson <mcr+ietf@sandelman.ca>
wrote:

>
> I'm getting that perhaps we have no specification here.
> Would one be useful?
>
> Paul Lambert <paul@marvell.com> wrote:
>     > In other forums I've been using a hash of the public key
>     > and the associated cipher suite identifier (csi):
>
>     > uaid = h( csi , public_key )
>
>     > The hash used depends on the cipher suite identifier.
>
> Can you give me examples of this case?
> Who defines "csi" here?
>
> I'd ideally like something that works across uses (IPsec, S/MIME, TLS,
> etc.)
> not because I think reusing keys is a great thing, but because sometimes
> users put the wrong cert into the wrong place...
>
>
>     > The display representation is optimized for readability
>     > and recommends a base27 encoding. For example:
>
>     > Q4RM-K4FZ-T432-RZ4Q-ZA88-YQ94
>
>     > The base27 encode/decode string is:
>     > b27string = 'ABCDEFGHJKMNPQRTWXYZ2346789'
>
>
>     > This string is selected to remove visually the
>     > ambiguous characters:
>     > 0O 1Iil 5S UV
>
>     > The separator characters ('-') are optional, but recommended.
>
>     > The encoding allows input in lower or upper case, but the
>     > displayed representation should always be upper case for readability.
>
>     > Paul
>
>     > PS - example/reference code for base27 in:
>     > https://github.com/nymble/cryptopy/blob/master/cipher/encoding.py
>
>
>
>
>     > -----Original Message-----
>     > From: saag <saag-bounces@ietf.org> on behalf of "Salz, Rich"
>     > <rsalz@akamai.com>
>     > Date: Monday, October 24, 2016 at 1:56 PM
>     > To: Michael Richardson <mcr+ietf@sandelman.ca>, saag <saag@ietf.org>
>     > Subject: Re: [saag] presentation format for hash of public key
>
>     >> For what it's worth, OpenSSL does octet pairs separated by colon.
>     >> ; openssl x509  -fingerprint -in apps/server.pem
>     >> SHA1 Fingerprint=E8:4A:8E:20:76:4E:EF:0E:ED:BE:54:9F:91:8C:A4:F6:A2:B3:D1:04
>     >> -----BEGIN CERTIFICATE-----
>     >> MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
>     >> ...
>     >> JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
>     >> -----END CERTIFICATE-----
>     >>
>     >> _______________________________________________
>     >> saag mailing list
>     >> saag@ietf.org
>     >> https://www.ietf.org/mailman/listinfo/saag
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
>
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
>
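The base27 display form quoted above (hash over csi and public key, the 27-character alphabet, hyphenated groups of four, case-insensitive input) next to the OpenSSL colon-hex and GPG grouped-hex forms mentioned in the same thread, as an added Python example that is not from the thread or from the cryptopy reference code. The 2-byte csi prefix, the fixed-width big-integer base conversion and the sample key are assumptions of this example.

```python
"""Presentation formats for a public-key hash, as discussed in this thread."""
import hashlib
import re

# Alphabet quoted in the thread: 0/O, 1/I/l, 5/S and U/V are deliberately absent.
B27_ALPHABET = "ABCDEFGHJKMNPQRTWXYZ2346789"
_B27_INDEX = {c: i for i, c in enumerate(B27_ALPHABET)}


def uaid(csi: int, public_key: bytes, hash_name: str) -> bytes:
    """uaid = h(csi, public_key).

    The thread only says the hash depends on the cipher suite identifier;
    serialising csi as a 2-byte big-endian prefix and letting the caller name
    the hash are assumptions of this example, not Paul Lambert's scheme.
    """
    if not 0 <= csi <= 0xFFFF:
        raise ValueError("csi must fit in 16 bits")
    h = hashlib.new(hash_name)
    h.update(csi.to_bytes(2, "big"))
    h.update(public_key)
    return h.digest()


def _b27_digits_for(nbytes: int) -> int:
    """Smallest digit count L with 27**L >= 256**nbytes (exact integer math)."""
    digits = 0
    while 27 ** digits < 256 ** nbytes:
        digits += 1
    return digits


def _b27_bytes_for(ndigits: int) -> int:
    """Largest byte count B with 256**B <= 27**ndigits."""
    return ((27 ** ndigits).bit_length() - 1) // 8


def b27_encode(data: bytes, group: int = 4) -> str:
    """Fixed-width base27, most significant digit first, in hyphenated groups.

    A 20-byte SHA-1 digest needs 34 digits; 24 digits (the length of the
    example in the thread) carry about 114 bits, i.e. 14 bytes of hash.
    """
    n = int.from_bytes(data, "big")
    out = []
    for _ in range(_b27_digits_for(len(data))):
        n, r = divmod(n, 27)
        out.append(B27_ALPHABET[r])
    s = "".join(reversed(out))
    if group:
        s = "-".join(s[i:i + group] for i in range(0, len(s), group))
    return s


def b27_is_wellformed(text: str) -> bool:
    """True if, after dropping separators and whitespace and upper-casing,
    every character is in the alphabet. A pasted '0', 'O', 'I', 'l', '5',
    'S', 'U' or 'V' is reported rather than silently remapped."""
    cleaned = re.sub(r"[\s-]", "", text).upper()
    return bool(cleaned) and all(c in _B27_INDEX for c in cleaned)


def b27_decode(text: str) -> bytes:
    """Inverse of b27_encode; accepts either case and ignores separators."""
    if not b27_is_wellformed(text):
        raise ValueError("not a base27 fingerprint")
    cleaned = re.sub(r"[\s-]", "", text).upper()
    n = 0
    for c in cleaned:
        n = n * 27 + _B27_INDEX[c]
    nbytes = _b27_bytes_for(len(cleaned))
    if n >= 256 ** nbytes:
        raise ValueError("value too large for its digit count")
    return n.to_bytes(nbytes, "big")


def openssl_fingerprint(digest: bytes) -> str:
    """OpenSSL style: upper-case octet pairs separated by colons."""
    return ":".join(f"{b:02X}" for b in digest)


def gpg_fingerprint(digest: bytes) -> str:
    """GPG style: upper-case hex in groups of four characters."""
    h = digest.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


if __name__ == "__main__":
    # Constructed sample key (32 arbitrary bytes, not a real public key).
    digest = uaid(1, bytes(range(32)), "sha256")
    print("base27 :", b27_encode(digest))
    print("openssl:", openssl_fingerprint(digest))
    print("gpg    :", gpg_fingerprint(digest))
    # The SHA-1 fingerprint from the OpenSSL output quoted in the thread.
    fp = bytes.fromhex("E84A8E20764EEF0EEDBE549F918CA4F6A2B3D104")
    print(b27_encode(fp), "round-trips:", b27_decode(b27_encode(fp)) == fp)
```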


--001a113d3034f466cb053fb6be15--


From nobody Thu Oct 27 02:53:31 2016
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3BC8129D12 for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 02:53:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level: 
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fdto01QideQx for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 02:53:26 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C59FD129D16 for <saag@ietf.org>; Thu, 27 Oct 2016 02:53:23 -0700 (PDT)
X-AuditID: c1b4fb25-953ff70000001e3e-2b-5811ce912232
Received: from ESESSHC010.ericsson.se (Unknown_Domain [153.88.183.48]) by  (Symantec Mail Security) with SMTP id D2.F6.07742.19EC1185; Thu, 27 Oct 2016 11:53:22 +0200 (CEST)
Received: from nomadiclab.lmf.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.50) with Microsoft SMTP Server id 14.3.319.2; Thu, 27 Oct 2016 11:53:20 +0200
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1])	by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id C09E860CEC;	Thu, 27 Oct 2016 12:53:22 +0300 (EEST)
Received: from [127.0.0.1] (localhost [127.0.0.1])	by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 5E0205318F;	Thu, 27 Oct 2016 12:53:22 +0300 (EEST)
To: Michael Richardson <mcr+ietf@sandelman.ca>, saag <saag@ietf.org>
References: <13018.1477342431@obiwan.sandelman.ca>
From: Mohit Sethi <mohit.m.sethi@ericsson.com>
Message-ID: <1b62a3a5-1a4e-f746-733e-1bb686a765c7@ericsson.com>
Date: Thu, 27 Oct 2016 12:53:20 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <13018.1477342431@obiwan.sandelman.ca>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms080803040808060607040706"
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrIIsWRmVeSWpSXmKPExsUyM2K7ge6kc4IRBjPe8Vr0HOpnt5jS38nk wOSxZMlPJo+WOXuYA5iiuGxSUnMyy1KL9O0SuDJerDvEVPDQtaLhzWe2BsYpDl2MnBwSAiYS E06sZ+li5OIQEljPKDHz6j52CGcbo8TTfZ+gnHWMEgeufGGCcOYDlX35wQTSLyxgJ9F6axM7 iC0i4CJx88YPVhBbSMBI4sO312A2m4CeROe548wgNq+AvcTxG6cZQWwWAVWJuQefsIDYogIR ErcedrBA1AhKnJwJEecUMJbY1fmaEWQxs0A3o8T6tb/YIQ5Xk7h6bhMzxDJ1ia0dBxgnMArO QtI/C1kPSIJZIEziw/xXjBC2rcSdubuZIWxtiWULX0PZuhKLtq1gxxS3lpjx6yAbhK0oMaX7 IVSNqcTrox+hZhpLLFv3l20BI/cqRtHi1OKk3HQjY73Uoszk4uL8PL281JJNjMDIO7jlt+oO xstvHA8xCnAwKvHwPtgmECHEmlhWXJl7iFEFaM6jDasvMEqx5OXnpSqJ8BqcFYwQ4k1JrKxK LcqPLyrNSS0+xCjNwaIkzmu28n64kEB6YklqdmpqQWoRTJaJg1OqgTEoOtbk5xKeqKkhGzcF ZqbNvlqxavl2kw2XU+uPJalq+CjkNvzmmmb6sdec6ci06r8+MyN3COgeV3GKz+P8LG46z2nm O570n14/1LfnzPPaebVr+9dfQSseRhrl2q4rsVS7UbNQgL1LydWtKpwj+vvNHUvKp+gG/X+j snZiZsoO8x23RVj2KiuxFGckGmoxFxUnAgDtEkFaxAIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/SsKedIAHWyXLqWzbfQg8XcU8rMU>
Subject: Re: [saag] presentation format for hash of public key
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 09:53:30 -0000

--------------ms080803040808060607040706
Content-Type: multipart/alternative;
 boundary="------------0277C36EB37C3BB6287CEA79"

This is a multi-part message in MIME format.
--------------0277C36EB37C3BB6287CEA79
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: quoted-printable

Hi Michael

Perhaps RFC 6920 "Naming things with hashes":
https://tools.ietf.org/html/rfc6920 is of interest to you.

Thanks
/--Mohit
On 10/24/2016 11:53 PM, Michael Richardson wrote:
> Are there any common ways to present/format a hash of public key?
> Assuming it's 20 bytes of SHA1 or SHA2 of the binary encoding of
> the public key, are there any specifications that say how to show
> this to the user?
>
> We have GPG format, of a set of 5 groups of 4 used in the fingerprint.
> Are there other ways?
>
> This is mostly for diagnostic reasons.
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>   -= IPv6 IoT consulting =-
>
>
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


--------------0277C36EB37C3BB6287CEA79--

--------------ms080803040808060607040706
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms080803040808060607040706--


From nobody Thu Oct 27 14:19:59 2016
Return-Path: <martin.thomson@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE6F712987D for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 14:19:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NiSmr70RjVss for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 14:19:57 -0700 (PDT)
Received: from mail-qt0-x234.google.com (mail-qt0-x234.google.com [IPv6:2607:f8b0:400d:c0d::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 90D3412986B for <saag@ietf.org>; Thu, 27 Oct 2016 14:19:57 -0700 (PDT)
Received: by mail-qt0-x234.google.com with SMTP id 12so33200956qtm.3 for <saag@ietf.org>; Thu, 27 Oct 2016 14:19:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:from:date:message-id:subject:to; bh=iXbGN+QjAhVrF011yshqKU+V7MuxSBqID3uTIEK6n6M=; b=vEvktMYZrhJSmMMz98A32d6U/uL82DKyPQjhmSXza31/U7phshtSpBs1DJF7LDiZAu UAhZyQWyTL2UWoUWqI5/+woE9EnSZ47DWgneOiajM83wLc/aUmGOrG7vfkr4NodRsTXu V7BXUQoZCsC5vq3U9VCLPGTnj6ar1NJ8Y9TCZcHLGQidlLhjt8ODETQsNIBt9khHYQgW wjbOHDKC+u/g0S9SGrsDyNQngT+f05iV+oXuXJPTgERFh9E0K3f5tZayx+fXCee1vbD/ VvAPCmA073++yj7b42bXgjcgsCeZ++LC/NjGOfxU1liDu5pwTEfcRfQEQ1S44ggCtE3x dOrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=iXbGN+QjAhVrF011yshqKU+V7MuxSBqID3uTIEK6n6M=; b=PeiYfRjgqei+7792DlWkwBSvLekngM3uiIHp8B1fsIVRODe0064mpfDHgEGPxsK4fD qiP2u45W8GcKfdpDOjhRUXmh/MYI/mu8sC+IuttPx6vgg8/DLHprCAfOOBPq71GdPVXf KaYRe6TG46B6k2dGlAtSa0WCmqfMuFisgJgjC9D8ltVKa2WmlXf7TsSDmDMkOF6uDtBZ q6I18H/wrG5wLMmb7Rc+/NYK1aJitQrteeorMlvfjwQ/TokanUcL9HRZ4HgLueY/n/Zm aT1XMIOHJCQ8HgqNW445IBOw3DSCS1xcYlgsmTyNKcIhoYsfrHjhFiBWxKRaopXj6cwh k5Mg==
X-Gm-Message-State: ABUngvd23AI6Me+AEl5y7uckQ5svbtb4bU3asNIOYFZqXWJopfd2taIa3rL5gu37sttsbu5E8v6U80PdHcN5uw==
X-Received: by 10.237.33.147 with SMTP id l19mr7211683qtc.58.1477603196691; Thu, 27 Oct 2016 14:19:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.7 with HTTP; Thu, 27 Oct 2016 14:19:56 -0700 (PDT)
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 28 Oct 2016 08:19:56 +1100
Message-ID: <CABkgnnU1Lyyi7jqQteVYTJL-j5V3m0tE=o=XumD2jqroynWBgA@mail.gmail.com>
To: saag <saag@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/OroM6hcGFVIS1Ryc3_KyI6cVLmY>
Subject: [saag] Agenda request: draft-barnes-dane-uks
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 21:19:59 -0000

DANE aren't meeting this time around, and this has a pretty strong
security bent.  The implications for web security in particular are
interesting.  I'm also interested in discussing how we can avoid
creating more cases like this in the future.  Can we have 10-15 for
this?


From nobody Thu Oct 27 15:50:36 2016
Return-Path: <huitema@huitema.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D134D126D74 for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 15:50:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level: 
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nb57N5l2aq2d for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 15:50:30 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 081531295CA for <saag@ietf.org>; Thu, 27 Oct 2016 15:50:30 -0700 (PDT)
Received: from xsmtp06.mail2web.com ([168.144.250.232]) by mx43.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1bztVC-000752-EP for saag@ietf.org; Fri, 28 Oct 2016 00:50:28 +0200
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp06.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1bztV6-0006Ut-IZ for saag@ietf.org; Thu, 27 Oct 2016 18:50:24 -0400
Received: (qmail 26722 invoked from network); 27 Oct 2016 22:50:18 -0000
Received: from unknown (HELO icebox) (Authenticated-user:_huitema@huitema.net@[172.56.39.170]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <daniel.kaiser@uni-konstanz.de>; 27 Oct 2016 22:50:18 -0000
From: "Christian Huitema" <huitema@huitema.net>
To: "'Security Area Advisory Group'" <saag@ietf.org>
References: <147759367305.24571.1901485379557644251.idtracker@ietfa.amsl.com>
In-Reply-To: <147759367305.24571.1901485379557644251.idtracker@ietfa.amsl.com>
Date: Thu, 27 Oct 2016 15:50:15 -0700
Message-ID: <051801d230a4$7cff6d90$76fe48b0$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLu2culDfn2dS5/8lcO2QPyo82E/J6DYpRA
Content-Language: en-us
X-Filter-ID: s0sct1PQhAABKnZB5plbIVbU93hg6Kq00BjAzYBqWlUcW8ntawmIBRrYFzUH2lbvx1wTMkEUUoeb KIhkyzl2dEg6JV/61tZlj5wAuP2cHSs0HbLcIXRK+rCYHS2Pxr4sUvWQm1ERVuodk8O3ETzMD9BF XKWM8bisGZohKSi1T/r8U1Bpg3BtEE2joe6S6iG/dcmtTcWSOKD5RASVzg27isAXVRQgHbLLzV7b 3SwTZqt5kYwBFjHSX1ySASMY7Q8kVWau65pVsnZkx/s3iU5HXZFVgpT1b21uZVckGp0ccOY/32e+ 5fVqy4sN42wuoCbdc1pXJXxpAbEqfV7bN3pyp/i885J4uw2WezmviQauN2SLBDMrD7q/cJogwbqz suok2jmyqSBZG+RxUC8CBX34LAZIe8Pggnek1xH/TgvWD0MaKXvNWrRcSD72jROfhu6vZJ0Q4x+0 GOxZvoENDONKwZkjGlUCvU6ZAmJB8zrNH9DxX8G2bApANEDRnSX/sJx0Uf5/xO8dap3thvg9e/eV ioOoT5f9zNwjlArtXM+EHVJ52x4j7SJ9+yFYhxTTZdKAmJdDwLTy7ggkbtiREBmTEN9TLrF9l3It GfA/WrnALV46n/TYyQX4QewGgUaWBSqGlrtXw1c9IHjJjxHw61Bw8RquN6UIEUbDp4qQeYkcvTCl J+6wa7BDiaF6UX6W4Pbk
X-Report-Abuse-To: spam@mx99.antispamcloud.com
X-Originating-IP: 168.144.250.232
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.18)
X-Recommended-Action: accept
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5qcLM8BRrNxvKOuhA0N1th2etGk>
Cc: 'Tim Chown' <Tim.Chown@jisc.ac.uk>, daniel.kaiser@uni-konstanz.de, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: [saag] FW: [dnssd] I-D Action: draft-ietf-dnssd-pairing-00.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Oct 2016 22:50:35 -0000

This draft attempts to define a secure way to establish pairing between
devices, resulting in a shared secret. The proposed solution combines
discovery using DNS-SD, establishment of a TLS connection using (EC)DH ANON,
extraction of a shared secret per RFC 5705, and visual verification of a
short authentication string established using an application level "bit
flipping" protocol. A similar process is used in ZRTP. The draft is
developed in the internet area, but it can certainly benefit from review by
the security area...

-- Christian Huitema




-----Original Message-----
From: dnssd [mailto:dnssd-bounces@ietf.org] On Behalf Of
internet-drafts@ietf.org
Sent: Thursday, October 27, 2016 11:41 AM
To: i-d-announce@ietf.org
Cc: dnssd@ietf.org
Subject: [dnssd] I-D Action: draft-ietf-dnssd-pairing-00.txt


A New Internet-Draft is available from the on-line Internet-Drafts
directories.
This draft is a work item of the Extensions for Scalable DNS Service
Discovery  of the IETF.

        Title           : Device Pairing Using Short Authentication Strings
        Authors         : Christian Huitema
                          Daniel Kaiser
        Filename        : draft-ietf-dnssd-pairing-00.txt
        Pages           : 20
        Date            : 2016-10-27

Abstract:
   This document proposes a device pairing mechanism that establishes a
   relationship between two devices by agreeing on a secret and manually
   verifying the secret's authenticity using an SAS (short
   authentication string).  Pairing has to be performed only once per
   pair of devices, as for a re-discovery at any later point in time,
   the exchanged secret can be used for mutual authentication.

   The proposed pairing method is suited for each application area where
   human operated devices need to establish a relation that allows
   configurationless and privacy preserving re-discovery at any later
   point in time.  Since privacy preserving applications are the main
   suitors, we especially care about privacy.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnssd-pairing/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-dnssd-pairing-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
dnssd mailing list
dnssd@ietf.org
https://www.ietf.org/mailman/listinfo/dnssd


From nobody Thu Oct 27 17:18:07 2016
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EBFE1295D9 for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 17:18:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9JMeWQtySgQX for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 17:18:05 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E9231295FB for <saag@ietf.org>; Thu, 27 Oct 2016 17:18:04 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id D5FA7284E5B; Fri, 28 Oct 2016 00:18:03 +0000 (UTC)
Date: Fri, 28 Oct 2016 00:18:03 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag <saag@ietf.org>
Message-ID: <20161028001803.GC26244@mournblade.imrryr.org>
References: <CABkgnnU1Lyyi7jqQteVYTJL-j5V3m0tE=o=XumD2jqroynWBgA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CABkgnnU1Lyyi7jqQteVYTJL-j5V3m0tE=o=XumD2jqroynWBgA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fD_59tLVCFu7Ci2WpqxqPgtt1Os>
Subject: Re: [saag] Agenda request: draft-barnes-dane-uks
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: saag <saag@ietf.org>
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 00:18:06 -0000

On Fri, Oct 28, 2016 at 08:19:56AM +1100, Martin Thomson wrote:

> DANE aren't meeting this time around, and this has a pretty strong
> security bent.  The implications for web security in particular are
> interesting.  I'm also interested in discussing how we can avoid
> creating more cases like this in the future.  Can we have 10-15 for
> this?

If the discussion is about how to amend RFC 7671, and what
counter-measures are appropriate in any update, then I think this
discussion is best handled on list.  I won't be at the meeting.

The recommendations of the draft in the subject are IMHO too broad
and, for example, needlessly limit the use of raw public keys even
in protocols where UKS is a non-issue [*].

If the discussion is of a more general nature, on how to avoid
potential pitfalls in future documents, by all means proceed on-site.

-- 
	Viktor.

[*] While indeed RFC 7671 introduces issues for HTTPS, DANE is not
in use with HTTPS, and if and when it is, it will almost certainly
use DNSSEC stapling, in which case the UKS attacks don't apply as
the server then signs its TLSA records.  For applications much
simpler than browsers with their "same-origin" trust-mode, and
especially applications that already employ MX, SRV or similar
indirection, UKS is out of scope.


From nobody Thu Oct 27 22:58:13 2016
Return-Path: <martin.thomson@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E38312947A for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 22:58:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OZDoHS6yi1hT for <saag@ietfa.amsl.com>; Thu, 27 Oct 2016 22:58:11 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4490A129432 for <saag@ietf.org>; Thu, 27 Oct 2016 22:58:11 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id v138so19731276qka.0 for <saag@ietf.org>; Thu, 27 Oct 2016 22:58:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to;  bh=vzlW0+BlUvsBJYjhlZ5iqFb7qLWDcZfDhfYs6UIQc38=; b=bMdAb3kEcMmE7VnjwjN9swNs7Dmlvw5PQu2b7uFGQFZUZqpRE0BU/hE/5oYEwAz3MK 7t/WmhzLg2yHguBPusMTWVtkiS5Wq52lwePXX0vcVvlo4GNAgG29aes/z2WfSDyiJrSf NjxGbILcG4TrbqpfkGYFoNL28k/CapTktsRldHrbqJ/mEKI+3mtaU8O6bUb/EFLqydaf fcEOkcOaasEP9L8uOihjrqjtpEZrsdt34KaPA/vV2C48wJHKdS3OZAHv0ERhy6T5AMtu gGejXzaN1jdE2poQfpnycF1e6ECFYRPoRTfIXERNkaWBPp6pUSZdC0mXJruHiyV8iZOX QT5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=vzlW0+BlUvsBJYjhlZ5iqFb7qLWDcZfDhfYs6UIQc38=; b=PefBpy3xXnXlextgn2Ajn9ElkYEpda7m3s4AI1zezWb+kdrZbAk9fDQEl3G61XL3+2 K4u+mFRySTRwTGgj+IHFML7w4utXW2t1Q01Y+d3FZHVyus+VkqnXnGLDPE9o7w7jroxv 8pEkTkaF806AvFNO/CPmljPYu05GL666BZbgDkHuiQOP/zxJ1wmARVprJyGw+otVGSN0 EZzQ7CsaOfbBqbHcfz9hq1pHlRl2NrChepI6dfIl02VMjf+prGYn/0GrKh6QbPkM4mYu 7WofSiQCdcV7S5/0QPppJ6akbaBhsgt1PrCK0UziovRmy4I4n62GInHu9wxEnG0Ipw67 Ifwg==
X-Gm-Message-State: ABUngvd1BXYwSqRHdfdllfOMK6xnBStN+pdxePo+WOcm/xAnaPeQ0sQpdu8wS0JjkriS9VzEh5HRw+dLNvd90w==
X-Received: by 10.55.155.151 with SMTP id d145mr9119720qke.115.1477634290358;  Thu, 27 Oct 2016 22:58:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.7 with HTTP; Thu, 27 Oct 2016 22:58:09 -0700 (PDT)
In-Reply-To: <20161028001803.GC26244@mournblade.imrryr.org>
References: <CABkgnnU1Lyyi7jqQteVYTJL-j5V3m0tE=o=XumD2jqroynWBgA@mail.gmail.com> <20161028001803.GC26244@mournblade.imrryr.org>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 28 Oct 2016 16:58:09 +1100
Message-ID: <CABkgnnVvsLLn5VygLyH2iCmm0PWKXxZy+ZJRaXvTqeGp=gUEqg@mail.gmail.com>
To: saag <saag@ietf.org>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/t5kCSxKeH7fNJCOoHJQbnm6_JW0>
Subject: Re: [saag] Agenda request: draft-barnes-dane-uks
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2016 05:58:12 -0000

On 28 October 2016 at 11:18, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> If the discussion is of a more general nature, on how to avoid
> potential pitfalls in future documents, by all means proceed on-site.

This was my intent.  I think we can work out the detail on a mailing list.

> For applications much
> simpler than browsers with their "same-origin" trust-mode, and
> especially applications that already employ MX, SRV or similar
> indirection, UKS is out of scope.

For the record, I disagree with this very broad assertion.


From nobody Sun Oct 30 14:43:26 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 479B612940A for <saag@ietfa.amsl.com>; Sun, 30 Oct 2016 14:43:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.798
X-Spam-Level: 
X-Spam-Status: No, score=-5.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egMiHQagwk-e for <saag@ietfa.amsl.com>; Sun, 30 Oct 2016 14:43:24 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 066A01293FE for <saag@ietf.org>; Sun, 30 Oct 2016 14:43:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 3689FBE2E; Sun, 30 Oct 2016 21:43:22 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b6BC_8Fdhqnd; Sun, 30 Oct 2016 21:43:21 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 991CABE2C; Sun, 30 Oct 2016 21:43:20 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1477863801; bh=O/P8SAzgR99NJ1s4yG+oHAQFzs6SojXk4AIE12DRh48=; h=Subject:References:To:Cc:From:Date:In-Reply-To:From; b=EurHl6BQnO/Qu88XGpkHTmNevRCv8K1ynitp8uj6r6SO4AkNUzUfDqFuq1Maq6fPB OKExGq1aTE0nqhtMcVdtpu2I+Yjv7cKAs4fvk5ruVCGV9io+iZ6yElloVRxIEJ+UMX lOJm4fw3gKfH9uc2VsAHaPYYvyxjKhJz10OknaSw=
References: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie> <cef5748a0619453c85ea7a5f93632303@usma1ex-dag1mb1.msg.corp.akamai.com> <8C32B083-A92C-4FB1-B7B0-7B4F1A3E8F52@gmail.com>
To: Security Area Advisory Group <saag@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <92f3868e-cdb8-f95c-efb4-71471f34c887@cs.tcd.ie>
Date: Sun, 30 Oct 2016 21:43:20 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <8C32B083-A92C-4FB1-B7B0-7B4F1A3E8F52@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms090805060600060901010709"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6ME28uCw3qMYS2j0lrd0DcKdn4g>
Subject: Re: [saag] metadata insertion draft question
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2016 21:43:25 -0000

This is a cryptographically signed message in MIME format.

--------------ms090805060600060901010709
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Wrapping up on this thread - I don't see discussion of
3552bis taking off yet (sadly) so as of now I plan to
AD sponsor this draft separately. Once Ted tells me he
thinks this is baked, I'll do my AD review and all going
well, after that's sorted start an IETF LC.

If, at any point in the processing of this draft, there
emerges a consensus to incorporate this into 3552bis, I'll
be fine with that, but for now it looks like 3552bis may
take a while.

Cheers,
S.

PS: Ted - Randy's comment up thread was a substantive
comment on the content, please take a look at that if
you've not already.




--------------ms090805060600060901010709
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
--------------ms090805060600060901010709--


From nobody Sun Oct 30 14:45:02 2016
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 154041294B3 for <saag@ietfa.amsl.com>; Sun, 30 Oct 2016 14:45:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.798
X-Spam-Level: 
X-Spam-Status: No, score=-5.798 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLG3MvXU7yb7 for <saag@ietfa.amsl.com>; Sun, 30 Oct 2016 14:44:59 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BE071293FF for <saag@ietf.org>; Sun, 30 Oct 2016 14:44:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B2E7ABE2E for <saag@ietf.org>; Sun, 30 Oct 2016 21:44:57 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jdx_q4XleiGA for <saag@ietf.org>; Sun, 30 Oct 2016 21:44:56 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id CC5F6BE2C for <saag@ietf.org>; Sun, 30 Oct 2016 21:44:55 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1477863896; bh=HlYsf8WiFN+5+uY8TIfEvC82pPck8KWfnD3+FQa8GS0=; h=Subject:To:References:From:Date:In-Reply-To:From; b=w9z6OQV04ZqH1I3yR34aA0Jzx+J1kSnmUy1CeKsbbWimQgYZOEYkjsaWA3z642c8q /e4ixw2KKJ/oZFBUuVYkFkXJUPARRNcYxVfhMYqZfaR8D7Q9XnXohRKyHQrZ5F0SD1 8a0086ROcKeSxvhuWn2DfrxXcLM6k80TCbuFdu1U=
To: "saag@ietf.org" <saag@ietf.org>
References: <5774E4E3.2030605@cs.tcd.ie>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <6db56d3a-2ef6-44f8-ed81-a2d49cf4cfc5@cs.tcd.ie>
Date: Sun, 30 Oct 2016 21:44:56 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <5774E4E3.2030605@cs.tcd.ie>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms060706060303000201050907"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/_rG9d7suvTSzjEjFNDAlc5DJ4ng>
Subject: Re: [saag] RFC3552bis...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2016 21:45:01 -0000

This is a cryptographically signed message in MIME format.

--------------ms060706060303000201050907
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


Folks,

Another call for comments/suggestions on this. The editors
have produced a -00 [1] for you to beat up on, so I'd be very
happy to see us all doing more of that.

Cheers,
S.

[1] https://github.com/IETF-SAAG/RFC3552bis

On 30/06/16 10:22, Stephen Farrell wrote:
>
> Hiya,
>
> RFC3552/BCP72 [1] is about to become a teenager:-) For those
> of you that don't know it by heart, that's the one that tells
> folks what to put into their security considerations sections
> and it dates back to July 2003.
>
> Following on from discussion at saag in B-A, partly driven by
> the work Fernando and others have done on identifiers, but also
> other chats going back to the STRINT workshop, Kathleen and I
> have discussed what to do about all that and having re-read the
> text we reckon that now would be a good time to start work on
> an RFC3552bis document to replace the current one.
>
> In outline, we think the main tasks there we'd like to see happen
> would be to a) update numerous things that are out of date, b) add
> text about things that weren't so important in 2003, such as privacy,
> perhaps borrowing bits from RFC6973 [2] that make sense as BCP-like
> statements, and c) to make it as understandable and easy to grasp
> as possible and ideally a good bit shorter.
>
> Having figured out what we'd like, and being lazy ADs, we needed
> some other folks to do the actual work so we asked Yoav Nir and
> Magnus Westerlund (both cc'd) and we're delighted to say that
> they've agreed to be editors for this effort. (Thanks again to
> you both.)
>
> The overall plan then is roughly to:-
>
> - Kick off discussion now on the saag list (this mail)
> - Get folks' feedback on changes they'd like (if that gets
>   too voluminous we'll start a new list)
> - Have a short slot at the saag session in Berlin where the
>   editors can review the plan and get more feedback/comments
> - The editors will send some mail about tooling (e.g. if
>   they want to use github, they'll say that etc.)
> - The editors will produce a -00 and we'll iterate on that
>   until done
> - A more substantive discussion of remaining open issues
>   in November at IETF97 if needed, (which we suspect will
>   be needed:-)
> - Hopefully we end up ready for IETF LC around the end of
>   the year or early in 2017.
> - We have what'll quite probably be a fun IETF LC:-)
> - Mid-2017: BCP72 will become the new RFC.
>
> So please do re-read [1,2] and send your comments on what you
> think needs changing to this list and/or the editors and/or to
> Kathleen or I as appropriate.
>
> Cheers,
> S&K.
>
> [1] https://tools.ietf.org/html/bcp72
> [2] https://tools.ietf.org/html/rfc6973
>
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>


--------------ms060706060303000201050907
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--------------ms060706060303000201050907--


From nobody Mon Oct 31 11:18:24 2016
Return-Path: <ted.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8759512946A for <saag@ietfa.amsl.com>; Mon, 31 Oct 2016 11:18:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHYBPmmJ_eBb for <saag@ietfa.amsl.com>; Mon, 31 Oct 2016 11:18:19 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 540E412999F for <saag@ietf.org>; Mon, 31 Oct 2016 11:17:51 -0700 (PDT)
Received: by mail-qk0-x234.google.com with SMTP id v138so81459373qka.0 for <saag@ietf.org>; Mon, 31 Oct 2016 11:17:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ms+X78FFLRBeiLdkOdsJTRnMAt+7OfVh5KOpwVXt1UQ=; b=lwzrTmadtCRiPpCU20Z2nlb7MWg4PTD9SO8nwU3MUeEMaEKgbGlX29wErsDRSTKS5V EfrL3oKSL4IJILlvaI4eJf9q1t+ep5rbtbzFM+1NxA0TIZMGWTXIP0SsbfTNwwWI+6wf OBobX15wlMDDFMMWJoXcBKr0SjUrac1atpniqDCsBdf1azUdnD/POrzCzbIKISiKc4as 8wfcWlqOZXMrAyA4nV9K61VQoVvwYse5kzKLgqsy4FvUF2GZD8YYbf3SLmEmp5D3xCeq N36J4RPoxcjacKp6JQBshLSlGdl93DDoOSZM2JKEwGlIhP0TDKxgkbitmeiDXLnaXX0f KKyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ms+X78FFLRBeiLdkOdsJTRnMAt+7OfVh5KOpwVXt1UQ=; b=clRTkGIRa3OwW4IxYnd0jqYJTYH7jD4emicMsma2D43TGI0ZSfuNeH6kaJkRqL2cLk bWeFni8AwloscTv/S2uv5ilI7M8tyN4hlSKCTY5ji6IbGEZQv423hNo7KuVUcIqm4gNZ 606Zf0PaX3ElWDCftYn7u9uI0rXFPt9VA3UtVhl6RQs1SvolGRhumZ0lIZjTOKlPibUd 1NMcG7bieqhH1qrIadmv6UHY4Cpr4mhZy6ULIbzoj/7iEjD0W6IgveTP4iP29s3f6nzM kVo55IM2fsrJ2hh3A+qshP1c2B8iU5wIiVOWbrXtQj6jWTd7PJHXVAXQgqJPbFQbfpBj v1Zw==
X-Gm-Message-State: ABUngvcyOeybA0+sIsYIuq972w+AS54EAm3IMHhqr0yZB6hyN+enD4xQSzXjMhwrCEps+33xxEFhaaUTc/xzOg==
X-Received: by 10.55.100.204 with SMTP id y195mr28679656qkb.23.1477937870491;  Mon, 31 Oct 2016 11:17:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.140.8 with HTTP; Mon, 31 Oct 2016 11:17:20 -0700 (PDT)
In-Reply-To: <92f3868e-cdb8-f95c-efb4-71471f34c887@cs.tcd.ie>
References: <86bbe523-972b-772c-b002-dbdbbedc00c8@cs.tcd.ie> <cef5748a0619453c85ea7a5f93632303@usma1ex-dag1mb1.msg.corp.akamai.com> <8C32B083-A92C-4FB1-B7B0-7B4F1A3E8F52@gmail.com> <92f3868e-cdb8-f95c-efb4-71471f34c887@cs.tcd.ie>
From: Ted Hardie <ted.ietf@gmail.com>
Date: Mon, 31 Oct 2016 11:17:20 -0700
Message-ID: <CA+9kkMC+KTxWXZ4PrAoccxryP=KQMx+4KovuOuLhmiXy8ToqWg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary=94eb2c05c874c5573105402d3956
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Rn_XP-Ues-NtyLiuefwTGe11JAg>
Cc: Security Area Advisory Group <saag@ietf.org>
Subject: Re: [saag] metadata insertion draft question
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2016 18:18:21 -0000

--94eb2c05c874c5573105402d3956
Content-Type: text/plain; charset=UTF-8

On Sun, Oct 30, 2016 at 2:43 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Wrapping up on this thread - I don't see discussion of
> 3552bis taking off yet (sadly) so as of now I plan to
> AD sponsor this draft separately. Once Ted tells me he
> thinks this is baked, I'll do my AD review and all going
> well, after that's sorted start an IETF LC.
>
> If, at any point in the processing of this draft, there
> emerges a consensus to incorporate this into 3552bis, I'll
> be fine with that, but for now it looks like 3552bis may
> take a while.
>
> Cheers,
> S.
>
> PS: Ted - Randy's comment up thread was a substantive
> comment on the content, please take a look at that if
> you've not already.
>
Okay, I will see about including example ameliorations, but I likely
won't have that in the drafts directory before the deadline today.  I hope
to have it ready for when the window opens.

regards,

Ted

--94eb2c05c874c5573105402d3956--


From nobody Mon Oct 31 12:13:06 2016
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D37CB129A3B; Mon, 31 Oct 2016 12:13:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.398
X-Spam-Level: 
X-Spam-Status: No, score=-3.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c9j7klDQk4OV; Mon, 31 Oct 2016 12:13:00 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B96D129A36; Mon, 31 Oct 2016 12:13:00 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id CEE342009E; Mon, 31 Oct 2016 15:28:19 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 62F77637A6; Mon, 31 Oct 2016 15:12:59 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: homenet@ietf.org, saag@ietf.org
In-Reply-To: <11e43256-eb84-33b1-d572-7eb74134db69@cs.tcd.ie>
References: <24389.1477921009@obiwan.sandelman.ca> <11e43256-eb84-33b1-d572-7eb74134db69@cs.tcd.ie>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Mon, 31 Oct 2016 15:12:59 -0400
Message-ID: <5948.1477941179@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/CmL0lRl88fYuycQ85gGRdylDPAk>
Subject: Re: [saag] [homenet] write up of time without clocks
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: saag@ietf.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Oct 2016 19:13:02 -0000

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable


mcr> Hi, I know that we talked a lot (especially Dave Taht) about how CPE
mcr> devices without RTCs could verify certificates and DNSSEC when they
mcr> don't know the time, and they won't know the time until they securely
mcr> find an NTP server.

mcr> But, we talked about how this wasn't a totally catch-22, that we could
mcr> know how it was "at least" some time based upon file timestamp, or
mcr> self-certificate not-before dates, or do DNSSEC without time validation
mcr> first.

mcr> My question is: did this get captured into document somewhere?

Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote privately to inform me
about https://roughtime.googlesource.com/roughtime.

So, this is a network protocol to essentially crowd-surf the correct time
via signed replies of nonces.  It has a way to generate enough signatures
fast enough to not get DDoS on a 10G link.

I'm not sure how the client trusts the RoughTime servers' certificates, or if
that matters given the distributed nature of things (TOFU would work).

I'm not looking for a network protocol, because the devices I care about do
not (yet) have network!  I'm looking for the write up a heuristic that says
that if you have local information that time was once verified to be at X,
that it must be at least >X.

==== aside:

Interesting in the protocol, it says:
            Since we require that requests be padded to 1KB to avoid becoming
            a DDoS amplifier, a 10Gbps network link could only deliver 1.2
            million requests per second anyway.

I've been thinking that this might be the only way to deal with (UDP) DDoS with
potentially forgeable source addresses: insist that the sender's packet is
always at least as big as the reply they want.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--
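The "at least >X" heuristic Michael is asking for, written out as an added example (this is not code from the thread, from Roughtime, or from any draft). A device with no RTC keeps only a lower bound on the current time, raised by whatever local evidence it has (firmware build date, file mtimes, the notBefore of certificates it already trusts) and never lowered. With only a lower bound, a certificate can be rejected as certainly expired, but it can never be confirmed as unexpired, so acceptance is provisional until a real time source arrives. The certificates, dates and chain below are constructed sample data, and the evidence sources are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def ts(iso):
    """Parse a constructed ISO-8601 timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime
    not_after: datetime


class LowerBoundClock:
    """The earliest instant 'now' can be, given only local evidence.

    A firmware build date, a file mtime, or the notBefore of a certificate
    the device already trusts each prove only that the current time is at
    least that value (issuers backdate notBefore a little, so it is a
    conservative bound).  The bound therefore only ever moves forward.
    """

    def __init__(self, initial):
        self.lower_bound = initial

    def observe(self, evidence):
        """Raise the bound if the evidence is later; never lower it."""
        if evidence > self.lower_bound:
            self.lower_bound = evidence
        return self.lower_bound


def check_validity(cert, clock):
    """Classify a certificate using only a lower bound on the current time.

    Since now >= lower_bound:
      lower_bound > notAfter  -> now > notAfter: certainly expired
      lower_bound < notBefore -> notBefore may or may not have passed yet
      otherwise               -> notBefore has passed; notAfter cannot be
                                 confirmed, so accept only provisionally
    """
    lb = clock.lower_bound
    if lb > cert.not_after:
        return "expired"
    if lb < cert.not_before:
        return "start-unknown"
    return "provisional"


def validate_chain(chain, clock):
    """Accept a chain only if no member is certainly expired.

    On acceptance each member's notBefore becomes new evidence (the
    heuristic from the thread: a certificate that exists and chains to a
    trusted root shows its notBefore has passed), tightening the bound.
    Only do this for chains that verify to a trusted root: the bound is
    monotone, so a forged far-future notBefore would be a permanent DoS.
    """
    if any(check_validity(c, clock) == "expired" for c in chain):
        return False
    for c in chain:
        clock.observe(c.not_before)
    return True


# Constructed sample data (assumed values, not taken from the thread).
FIRMWARE_BUILD = ts("2016-06-01T00:00:00")
ROOT = Cert("Example Root CA", ts("2010-01-01T00:00:00"), ts("2030-01-01T00:00:00"))
INTERMEDIATE = Cert("Example Issuing CA", ts("2016-09-15T00:00:00"), ts("2026-09-15T00:00:00"))
LEAF = Cert("ntp.example.net", ts("2016-10-01T00:00:00"), ts("2017-10-01T00:00:00"))
STALE = Cert("old.example.net", ts("2014-01-01T00:00:00"), ts("2015-01-01T00:00:00"))


def run_demo():
    """Bootstrap from the build date, validate a chain, then re-check."""
    clock = LowerBoundClock(FIRMWARE_BUILD)
    first = check_validity(LEAF, clock)       # bound is June; leaf starts in October
    accepted = validate_chain([ROOT, INTERMEDIATE, LEAF], clock)
    second = check_validity(LEAF, clock)      # bound now raised to the leaf's notBefore
    stale = check_validity(STALE, clock)      # certainly expired even without a clock
    return {"first": first, "accepted": accepted, "second": second,
            "stale": stale, "lower_bound": clock.lower_bound.isoformat()}


if __name__ == "__main__":
    print(run_demo())
```

The asymmetry is the whole point: "expired" is a hard failure, while "provisional" only says the device has not yet seen a reason to reject. A later verified time (NTP, or a signed-nonce scheme such as Roughtime) is fed in through observe() and can turn a provisional acceptance into a rejection, but nothing can ever move the bound backwards.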

