
From nobody Tue Mar  6 08:47:17 2018
From: John Mattsson <john.mattsson@ericsson.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "hrpc@irtf.org" <hrpc@irtf.org>
Date: Tue, 6 Mar 2018 16:47:09 +0000
Message-ID: <2279226F-67C1-4FE7-B8B4-F87AD6AED7C0@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/hCsbLWCeB5UBrK1aGtpwKrQH1qc>
Subject: [saag] Curve25519 chosen for identity encryption in 3GPP 5G
List-Id: Security Area Advisory Group <saag.ietf.org>


From nobody Mon Mar 12 12:09:06 2018
From: Sean Turner <sean@sn3rd.com>
Message-Id: <B35D52EB-A09C-4FE8-B54F-97331FCA045F@sn3rd.com>
Date: Mon, 12 Mar 2018 19:08:34 +0000
Cc: draft-richer-vectors-of-trust@ietf.org
To: saag@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/B9fmNKp_jiX3SsJ6e7-1QTWaU8Q>
Subject: [saag] Shepherd Review: draft-richer-vectors-of-trust-07

Kathleen (and later Ben) asked me to Shepherd draft-richer-vectors-of-trust.  Here's the review I sent to the authors (should have sent it here too).  I threw in a PR to the repo to take care of the changes - except s8, where I wasn't sure where to refer:

   https://github.com/vectorsoftrust/strawman/pull/7

tl;dr: I like the idea after I got over my RBAC flashbacks!

I'll be honest that at first I was like here we go again, but I do like that you managed to keep it to only 4 vectors initially and allow it to be expanded later.  I thought the recommendation for the second marker (alpha vs numeric) was pretty much what I would have done: P needs to have # the others not so much.  Note that for the same reasons you did C0 you could also do A0 - it is a “No”.

I was initially a little confused about it being standards track because it's specifying a framework, but you are specifying a wire format so that seems okay in my book.

Question in s3.4: When you say “such as a session cookie in a web browser” you're talking about HTTP's cookies, right, and not TLS's?
Answer: Yes (see PR).

The IANA considerations section looks fine.  I assume you two would offer to the DEs?
Answer: Yes.

I can see some asking for more information for the Sec/Priv sections, but honestly what you got there is pretty much it: don't send these things in the clear, bind them with cryptography, and don't share too much otherwise you'll give away something you might not have meant to.   So, in my book that's probably good enough.

Nits:

0) Update to match the new terminology paragraph:

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
   NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
   "MAY", and "OPTIONAL" in this document are to be interpreted as
   described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
   appear in all capitals, as shown here.

1) s5.1: vtr vs votr?  I know everybody loves the 3-letter ones but it makes more sense that vot is the request and votr is the response. I'm in no way going anywhere near a mat to argue this point though.

Answer: JSON loves the 3-letter so we'll just leave it alone.

2) s8: sentence ends abruptly:

3) I think both SP-800 references are missing something.

4) I-D nits complains about two outdated references:

   ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126)

   ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)


From nobody Mon Mar 12 12:11:11 2018
From: Sean Turner <sean@sn3rd.com>
Date: Mon, 12 Mar 2018 19:11:01 +0000
References: <202944E0-CBED-465B-A55F-A6F1BE4E3F10@mit.edu>
Cc: draft-richer-vectors-of-trust@ietf.org
To: saag@ietf.org
Message-Id: <EBA69A3C-4984-4BEB-A230-4AA40791895B@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zBnO2zwV02eVnbe7tYU-oCOy4AU>
Subject: [saag] Fwd: New Version Notification for draft-richer-vectors-of-trust-07.txt


Messages related to draft-richer-vectors-of-trust.

> Begin forwarded message:
>
> From: Justin Richer <jricher@mit.edu>
> Subject: Re: New Version Notification for draft-richer-vectors-of-trust-07.txt
> Date: March 12, 2018 at 19:09:35 GMT
> To: Sean Turner <sean@sn3rd.com>
> Cc: Leif Johansson <leifj@sunet.se>
>
>>> On Mar 12, 2018, at 18:07, Justin Richer <jricher@mit.edu> wrote:
>>>
>>> Hi Sean, thanks so much. Responses inline:
>>>
>>>> On Mar 12, 2018, at 1:46 PM, Sean Turner <sean@sn3rd.com> wrote:
>>>>
>>>> Sorry just found the gh repo in an old mail … I can put in PRs if you want on the nits.
>>>
>>> Yes please, that would be great. Feel free to do it as just one PR or several, whatever's your preference.
>>
>> I will try my best to not screw up the xml.
>>
>>>> spt
>>>>
>>>>> On Mar 12, 2018, at 17:33, Sean Turner <sean@sn3rd.com> wrote:
>>>>>
>>>>> Here's my review of draft-richer-vectors-of-trust (should I send this someplace else too - secdir?):
>>>>>
>>>>> tl;dr: I like the idea after I got over my RBAC flashbacks!
>>>
>>> I totally get that, and since this work is meant to stand in contrast to RBAC if there's a way we can make that clearer then that would be good.
>>
>> After we exchanged those emails earlier I was wondering if the RBAC-flashback was a good thing or a bad thing.  I've come to think it was a good thing because it definitely gets you thinking about what worked and what didn't.
>>
>>>>> I'll be honest that at first I was like here we go again, but I do like that you managed to keep it to only 4 vectors initially and allow it to be expanded later.  I thought the recommendation for the second marker (alpha vs numeric) was pretty much what I would have done: P needs to have # the others not so much.  Note that for the same reasons you did C0 you could also do A0 - it is a “No”.
>>>
>>> What would an A0 be, though? An unsigned assertion? C0 is something you might want to communicate (we did nothing in particular but there's a user here maybe) but I'm not seeing the value in A0.
>>>
>>> As another example of how this works, NIST's implementation uses both alpha and numeric for all their categories, requiring numeric for base values and adding alpha values as optional additional info on top of the category the number represents.
>>>
>>> https://github.com/usnistgov/800-63-3/blob/volume-d/sp800-63d/vot_mapping.md
>>
>> I was simply thinking about 0 = None/No.  I don't think you have to change it to make all of the ones with no checks 0.
>>
>>>>>
>>>>> I was initially a little confused about it being standards track because it's specifying a framework, but you are specifying a wire format so that seems okay in my book.
>>>
>>> I'm fine with whatever target is recommended but it feels standards track to me.
>>
>> Like I said initially I was like oh it's a framework, but once you started defining stuff that gets sent on the wire well I can go with standards track.
>>
>>>>> Question in s3.4: When you say “such as a session cookie in a web browser” you're talking about HTTP's cookies, right, and not TLS's?
>>>
>>> Yes, HTTP cookies. We can add text to make that more explicit.
>>
>> I can slap that in my PR.
>>
>>>>> The IANA considerations section looks fine.  I assume you two would offer to the DEs?
>>>
>>> Yes. I volunteer and I'll gladly volunteer Leif.
>>
>> I guess this is more for the ADs to know there's a pool of candidates waiting to take the lead :)
>>
>>>>> I can see some asking for more information for the Sec/Priv sections, but honestly what you got there is pretty much it: don't send these things in the clear, bind them with cryptography, and don't share too much otherwise you'll give away something you might not have meant to.   So, in my book that's probably good enough.
>>>
>>> I found it hard to draw out much more than what we've got in there, especially in privacy because this is by its nature identifying information. Happy to expand if anyone's got a good suggestion.
>>
>> I think this is exactly the right way to play it.  You could write a novel here, but instead hit the high points.  When somebody says what about blah you can point them at the gh repo and PRs welcome ;)
>>
>>>>> Nits:
>>>>>
>>>>> 0) Update to match the new terminology paragraph:
>>>>>
>>>>> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
>>>>> NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
>>>>> "MAY", and "OPTIONAL" in this document are to be interpreted as
>>>>> described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
>>>>> appear in all capitals, as shown here.
>>>
>>> Sounds fine.
>>
>> Can do.
>>
>>>>> 1) s5.1: vtr vs votr?  I know everybody loves the 3-letter ones but it makes more sense that vot is the request and votr is the response.  I'm in no way going anywhere near a mat to argue this point though.
>>>
>>> The JWT community loves the three-letter fields so we went with this. If we were to change it (which I'd kinda rather not) I'd instead go with “vot_req” to expand it out.
>>
>> Ah I get that - no need to change it.
>>
>>>>> 2) s8: sentence ends abruptly:
>>>
>>> I think it's just missing a reference target which rendered funny
>>
>> I'll leave this one to you because I'm not sure where it's supposed to point.
>>
>>>>> 3) I think both SP-800 references are missing something.
>>>
>>> Possibly, I wasn't sure how to best pull those in.
>>
>> I'll see what I can dig up and put it in the PR.
>>
>>>>> 4) I-D nits complains about two outdated references:
>>>>>
>>>>> ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126)
>>>>>
>>>>> ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)
>>>
>>> I had no idea there was a new JSON, again!
>>
>> This bit me in the ass earlier this month.
>>
>>> — Justin
>>>
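Added example (mine, not code from either mail, the draft, or the strawman repo): a Python sketch of the two points the shepherd review and the forwarded thread turn on. parse_vot applies the second-marker convention as Sean and Justin settled it (P carries a number, the other categories a letter, C0 is the one explicit "No", A0 is not defined), and vot_from_signed_jwt shows the Sec/Priv point that a vot claim is only trusted once the assertion carrying it has a verified signature. Assumptions: the four category letters P, C, M and A (the mails name only P, C and A); the HS256 JWS check is a self-contained stdlib routine, not something the draft specifies; key and tokens are constructed here.

```python
import base64
import hashlib
import hmac
import json
import re


class VotError(ValueError):
    """Raised when a vector of trust value or its carrier is not acceptable."""


# Component categories. The mails name P, C and A; M is the fourth
# category of the draft as I recall it (assumption). One letter followed
# by exactly one alphanumeric character, components joined with '.'.
COMPONENT_RE = re.compile(r"^(?P<cat>[PCMA])(?P<val>[0-9a-z])$")


def parse_vot(vot: str) -> dict:
    """Parse e.g. 'P1.Cc.Ab' into {'P': ['1'], 'C': ['c'], 'A': ['b']}.

    Second-marker rule from the thread: P takes a number, every other
    category takes a letter; C0 is the explicit "no credential" value,
    and A0 is deliberately not a value (Justin saw no meaning in it).
    """
    if not vot:
        raise VotError("empty vector")
    parsed = {}
    for part in vot.split("."):
        m = COMPONENT_RE.match(part)
        if m is None:
            raise VotError(f"malformed component {part!r}")
        cat, val = m.group("cat"), m.group("val")
        if cat == "P" and not val.isdigit():
            raise VotError(f"P needs a numeric value, got {part!r}")
        if cat != "P" and val.isdigit() and (cat, val) != ("C", "0"):
            raise VotError(f"{cat} needs an alpha value, got {part!r}")
        parsed.setdefault(cat, []).append(val)
    return parsed


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def vot_from_signed_jwt(token: str, key: bytes) -> dict:
    """Return the parsed 'vot' claim of an HS256 JWT, or raise VotError.

    "Bind them with cryptography": the vector is only read after the
    signature over header.payload verifies under the expected algorithm,
    so an unsigned ('alg': 'none') or edited token never yields a vot.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise VotError("not a compact JWS")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise VotError(f"unacceptable alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise VotError("signature verification failed")
    claims = json.loads(_b64url_decode(p_b64))
    if "vot" not in claims:
        raise VotError("assertion carries no vot claim")
    return parse_vot(claims["vot"])


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed helper: mint an HS256 JWT so the checks above can be exercised."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed for the example, not from the page
    token = make_hs256_jwt({"sub": "alice", "vot": "P1.Cc.Ab"}, key)
    print(vot_from_signed_jwt(token, key))
```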


format so that seems okay in my book.<br =
class=3D""></blockquote></blockquote><br class=3D"">I=E2=80=99m fine =
with whatever target is recommended but it feels standards track to =
me.&nbsp;<br class=3D""></blockquote><br class=3D"">Like I said =
initially I was like oh it=E2=80=99s a framework, but once you started =
defining stuff that gets sent on the wire well I can go with standards =
track.<br class=3D""><br class=3D""><blockquote type=3D"cite" =
class=3D""><blockquote type=3D"cite" class=3D""><blockquote type=3D"cite" =
class=3D"">Question in s3.4: When you say =E2=80=9Csuch as a session =
cookie in a web browser=E2=80=9D you talking about HTTP=E2=80=99s =
cookies right and not TLSs?<br class=3D""></blockquote></blockquote><br =
class=3D"">Yes, HTTP cookies. We can add text to make that more =
explicit.&nbsp;<br class=3D""></blockquote><br class=3D"">I can slap =
that in my PR.<br class=3D""><br class=3D""><blockquote type=3D"cite" =
class=3D""><blockquote type=3D"cite" class=3D""><blockquote type=3D"cite" =
class=3D"">The IANA considerations section looks fine. &nbsp;I assume =
you two would offer to the Des?<br =
class=3D""></blockquote></blockquote><br class=3D"">Yes. I volunteer and =
I=E2=80=99ll gladly volunteer Leif.<br class=3D""></blockquote><br =
class=3D"">I guess this is more for the ADs to know there=E2=80=99s a =
pool of candidates waiting to that the lead :)<br class=3D""><br =
class=3D""><blockquote type=3D"cite" class=3D""><blockquote type=3D"cite" =
class=3D""><blockquote type=3D"cite" class=3D"">I can see some asking =
for more information for the Sec/Priv sections, bit honestly what you =
got there is pretty much it: don=E2=80=99t send these things in the =
clear, bind them with cryptography, and don=E2=80=99t share too much =
otherwise you=E2=80=99ll give away something you might not have meant =
to. &nbsp;&nbsp;So, in my book that=E2=80=99s probably good enough.<br =
class=3D""></blockquote></blockquote><br class=3D"">I found it hard to =
draw out much more than what we=E2=80=99ve got in there, especially in =
privacy because this is by its nature identifying information. Happy to =
expand if anyone=E2=80=99s got a good suggestion.<br =
class=3D""></blockquote><br class=3D"">I think this is exactly the right =
way to play it. &nbsp;You could write a novel here, but instead hit the =
hi points. &nbsp;When somebody says what about blah you can point them =
at the gh repo and PRs welcome ;)<br class=3D""><br class=3D""><blockquote=
 type=3D"cite" class=3D""><blockquote type=3D"cite" class=3D""><blockquote=
 type=3D"cite" class=3D"">Nits:&nbsp;<br class=3D""><br class=3D"">0) =
Update to match the new terminology paragraph:<br class=3D""><br =
class=3D"">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", =
"SHALL<br class=3D"">NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT =
RECOMMENDED",<br class=3D"">"MAY", and "OPTIONAL" in this document are =
to be interpreted as<br class=3D"">described in BCP 14 [RFC2119] =
[RFC8174] when, and only when, they<br class=3D"">appear in all =
capitals, as shown here.<br class=3D""></blockquote></blockquote><br =
class=3D"">Sounds fine.<br class=3D""></blockquote><br class=3D"">Can =
do.<br class=3D""><br class=3D""><blockquote type=3D"cite" =
class=3D""><blockquote type=3D"cite" class=3D""><blockquote type=3D"cite" =
class=3D"">1) s5.1: vtr vs votr? &nbsp;I know everybody loves the =
3-letter once but it make more sense that vot is the request and votr is =
the response. &nbsp;I=E2=80=99m in no way going any where near a mat to =
argue this point though.<br class=3D""></blockquote></blockquote><br =
class=3D"">The JWT community loves the three-letter fields so we went =
with this. If we were to change it (which I=E2=80=99d kinda rather not) =
I=E2=80=99d instead go with =E2=80=9Cvot_req=E2=80=9D to expand it =
out.&nbsp;<br class=3D""></blockquote><br class=3D"">Ah I get that - no =
need to change it.<br class=3D""><br class=3D""><blockquote type=3D"cite" =
class=3D""><blockquote type=3D"cite" class=3D""><blockquote type=3D"cite" =
class=3D"">2) s8: sentence end abruptly:<br =
class=3D""></blockquote></blockquote><br class=3D"">I think it=E2=80=99s =
just missing a reference target which rendered funny<br =
class=3D""></blockquote><br class=3D"">I=E2=80=99ll leave this one to =
you because I=E2=80=99m not sure where it=E2=80=99s supposed to =
point.<br class=3D""><br class=3D""><blockquote type=3D"cite" =
class=3D""><blockquote type=3D"cite" class=3D""><blockquote type=3D"cite" =
class=3D"">3) I think both SP-800 references are missing something.<br =
class=3D""></blockquote></blockquote><br class=3D"">Possibly, I wasn=E2=80=
=99t sure how to best pull those in.<br class=3D""></blockquote><br =
class=3D"">I=E2=80=99ll see what I can dig up and put it in the PR.<br =
class=3D""><br class=3D""><blockquote type=3D"cite" class=3D""><blockquote=
 type=3D"cite" class=3D""><blockquote type=3D"cite" class=3D"">4) I-D =
nits complains about two outdated references:<br class=3D""><br =
class=3D"">** Obsolete normative reference: RFC 5226 (Obsoleted by RFC =
8126)<br class=3D""><br class=3D"">** Obsolete normative reference: RFC =
7159 (Obsoleted by RFC 8259)<br class=3D""></blockquote></blockquote><br =
class=3D"">I had no idea there was a new JSON, again!<br =
class=3D""></blockquote><br class=3D"">This bit me in the ass earlier =
this month.<br class=3D""><br class=3D""><blockquote type=3D"cite" =
class=3D"">=E2=80=94 Justin<br class=3D""><br class=3D""><blockquote =
type=3D"cite" =
class=3D""></blockquote></blockquote></blockquote></div></div></div></bloc=
kquote></div><br class=3D""></body></html>=

--Apple-Mail=_7971FCCE-14B0-4658-8EE7-A8C5082DCCF7--


From nobody Thu Mar 15 05:08:39 2018
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E4D5127867; Thu, 15 Mar 2018 05:08:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level: 
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P6mhjyUURSE1; Thu, 15 Mar 2018 05:08:32 -0700 (PDT)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 2A7051241F3; Thu, 15 Mar 2018 05:08:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1521115711; d=isode.com; s=june2016; i=@isode.com; bh=CQnQgfbALHszuAG1x0jQiUlVVktT7hbda7XvAfqRfjw=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=AKh8biomsRmPQNWK8jRPPWpAWx3hRcf+OByGQpUcBolU5JMFtEt7dJ/xidtQTE6CN61Eqy TQOUR44Z3fKEgz8MitCPYh0fJc5BQsTefLgr1W4ux4y56kODdftk7JqtZVPSVAp6rDIqyJ sPv3+Z5YwXSUvP994lDdvTjpCh7Cu+I=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <WqpiPgBV-LbI@waldorf.isode.com>; Thu, 15 Mar 2018 12:08:31 +0000
To: draft-gutmann-scep.notify@ietf.org
From: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: "saag@ietf.org" <saag@ietf.org>
Message-ID: <8251a239-4efe-9603-4b62-e792681a4310@isode.com>
Date: Thu, 15 Mar 2018 12:08:08 +0000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/k9540IwNhp_9BW5etFAn9Jc9kj4>
Subject: [saag] Another AD review of draft-gutmann-scep-10
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 12:08:37 -0000

Hi,

Kathleen passed AD-sponsorship of this document to me. So here is
another review of the document:

In general the document is quite readable and contains enough details to
implement a SCEP client/server. However it is rather light on
references. I don't think readers need to fall back to Google in order to
find them. (I identified some of the most important ones below). The
document also violates several HTTP-related conventions. I am glad that
this document is Informational, as the bar for Standards Track is higher.

Major issues:

1) In general, the document is using several unregistered MIME types
with "x-" prefix:

application/x-x509-ca-cert
application/x-x509-ca-ra-cert
application/x-pki-message
application/x-x509-next-ca-cert

  These should be registered in the IANA Considerations as per Appendix
A of RFC 6838.

application/x-x509-ca-cert

  How is this different from application/pkix-cert registered in RFC 2585?

2) Use of CGI-PATH/CGI-PROG and hardcoded paths in general are
problematic. More on this below:

3.5.1.  GetCACaps HTTP Message Format

    This message requests capabilities from a CA, with the format:

    "GET" CGI-PATH CGI-PROG "?operation=GetCACaps"

This is not a correct ABNF (in case you intended to define a formal
syntax here) and this is not a correct HTTP request line. Please make it
one or the other, or clarify somewhere the syntax that you use.

Also, I don't think CGI-PATH and CGI-PROG are significant for the request.


4.1.  HTTP POST and GET Message Formats

    SCEP uses the HTTP "POST" and "GET" messages to exchange information
    with the CA.  The following defines the syntax of HTTP POST and GET
    messages sent from a client to a CA:

    "POST" CGI-PATH CGI-PROG "?operation=" OPERATION

    "GET" CGI-PATH CGI-PROG "?operation=" OPERATION "&message=" MESSAGE

Again, this is neither correct formal syntax nor correct HTTP requests.


    where:

    o  CGI-PATH defines the path to invoke the CGI program that parses
       the request.
    o  CGI-PROG is set to be the string "pkiclient.exe".  This is
       intended to be the program that the CA will use to handle the SCEP
       transactions.
    o  OPERATION depends on the SCEP transaction and is defined in the
       following sections.

    The CA will typically ignore CGI-PATH and/or CGI-PROG since it's
    unlikely to be issuing certificates via a web server.  Clients SHOULD
    set CGI-PATH/CGI-PROG to the fixed string "/cgi-bin/pkiclient.exe"
    unless directed to do otherwise by the CA.  The CA SHOULD ignore the
    CGI-PATH and CGI-PROG unless its precise format is critical to the
    CA's operation.


Firstly, clients don't care about the HTTP server using CGI, they just care
about knowing where to send SCEP requests.

Secondly, hardcoded URI paths are in violation of RFC 7320. You can read
more on this in Section 4.4 of

  <https://datatracker.ietf.org/doc/draft-ietf-httpbis-bcp56bis/?include_text=1>


I understand that this is a deployed protocol and the default path used
is unlikely to change. However, I don't think the document should pay so
much attention to use of CGI-PATH/CGI-PROG. My suggestion is:
a) Remove any reference to CGI-PROG/CGI-PATH from the document
b) Replace the above section with something like this:

    SCEP uses the HTTP "POST" and "GET" messages to exchange information
    with the CA.  The following defines the syntax of HTTP POST and GET
    messages sent from a client to a CA:

    "POST " SCEP-PATH "?operation=" OPERATION " HTTP/1.1"

    "GET " SCEP-PATH "?operation=" OPERATION "&message=" MESSAGE " HTTP/1.1"

    where:

    o  SCEP-PATH is the HTTP URL path for accessing the CA

    o  OPERATION depends on the SCEP transaction and is defined in the
       following sections.

    Clients SHOULD set SCEP-PATH to the fixed string "/cgi-bin/pkiclient.exe"
    unless directed to do otherwise by the CA.


Minor:

1) Missing references:

The first mention of X.509 certificate needs a Normative Reference to
RFC 5280.

The first mentions of SHA-256, AES and AES128-CBC need Normative
References, as these are mandatory to implement.

The first mention of LDAP needs an Informative Reference to RFC 4510.

In Section 3.3.3: ASN.1 syntax needs to be a Normative Reference, as you
define a new structure using ASN.1 syntax.

2) Should ACME work be mentioned in the Introduction?

3)

2.1.1.  Client

    A client MUST have the following information locally configured:

    1.  The CA fully qualified domain name or IP address.
    2.  The CA HTTP CGI script path (this usually has a default value,
        see Section 4.1).

Clients shouldn't care whether or not SCEP is provided by a CGI program.
Please change this to "CA HTTP URL path" or "CA HTTP URI path".

4)

2.5.  Certificate Enrolment/Renewal


    If the CA returns a CertRep message (Section 3.3.2) with status set
    to PENDING, the client enters into polling mode by periodically
    sending a CertPoll message (Section 3.3.3) to the CA until the CA
    operator completes the manual authentication (approving or denying
    the request).

How often and for how long should a client poll? Recommending some
defaults would be useful to set expectations.

5)

3.2.1.4.  failInfo and failInfoText

    The failInfoText is a free-form UTF-8 text string that provides
    further information in the case of pkiStatus = FAILURE.  In
    particular it may be used to provide details on why a certificate
    request was not granted that go beyond what's provided by the near-
    universal failInfo = badRequest status.  Since this is a free-form
    text string intended for interpretation by humans, implementations
    SHOULD NOT assume that it has any type of machine-processable
    content.

Why not "MUST NOT" and what are possible implications of violating the
SHOULD NOT?

6)

3.3.2.1.  CertRep SUCCESS

In the table for "PKCSReq" (and similar text for GetCert):

   The reply MUST contain at least the issued
   certificate in the certificates field of the
   Signed-Data.  The reply MAY contain additional
   certificates, but the issued certificate MUST be
   the leaf certificate.

What does the last requirement actually mean? Is this describing order
of certificates or just saying that it is not an intermediate certificate?

7)
3.3.4.  GetCert and GetCRL

    A self-signed certificate MAY be used in the signed envelope. This
    enables the client to request their own certificate if they were
    unable to store it previously.

So just to double-check that I understood this correctly: the client is
generating a self-signed certificate B in order to retrieve its
certificate A signed by the CA?

8)

3.5.2.  CA Capabilities Response Format

Near the bottom of page 24:

    The Content-type of the reply SHOULD be "text/plain".  Clients SHOULD
    ignore the Content-type, as older implementations of SCEP may send
    various Content-types.

The last requirement is quite problematic for extensibility. I
understand why this sentence is there though. Are future extensions to
SCEP likely?


Nits:

1)

2.1.2.  Certificate Authority

    A SCEP CA is the entity that signs client certificates.  A CA MAY
    enforce any arbitrary policies and apply them to certificate
    requests, and MAY reject a request for any reason.

I think this is pretty much granted and doesn't need to be said,
especially the latter part.

2) In Section 3.3.3: s/od/of

3) In Section 4.1, last paragraph:

    When using GET messages to communicate binary data, base64 encoding
    as specified in [2] MUST be used.

When referencing RFC 4648 you should specify the section number to avoid
all confusion. I assume you meant Section 4?

    The base64 encoded data is
    distinct from "base64url" and may contain URI reserved characters,
    thus it MUST be escaped as specified in [8] in addition to being
    base64 encoded.  Finally, the encoded data is inserted into the
    MESSAGE portion of the HTTP GET request.

Best Regards,
Alexey
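The request-line form suggested in major issue 2 above, combined with the base64-then-escape rule quoted in nit 3, as an added example (not code from the draft or from the reviewer). It assumes the SCEP operation names beyond GetCACaps (GetCACert, PKIOperation, GetNextCACert) from the SCEP draft rather than from this message, and the sample message bytes are constructed.

```python
"""Build and parse the SCEP HTTP GET request line discussed in the review.

Client side follows the reviewer's suggested syntax
    "GET " SCEP-PATH "?operation=" OPERATION "&message=" MESSAGE " HTTP/1.1"
and the draft's rule that MESSAGE is standard base64 (RFC 4648 Section 4,
not base64url) which is then percent-escaped per RFC 3986, because '+',
'/' and '=' are URI reserved characters.
"""
import base64
import binascii
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, unquote

# Default path from the draft, named SCEP-PATH as the reviewer proposes.
DEFAULT_SCEP_PATH = "/cgi-bin/pkiclient.exe"
# Operation names as defined in the SCEP draft (assumed here; only
# GetCACaps is quoted in the review itself).
KNOWN_OPERATIONS = frozenset({"GetCACaps", "GetCACert", "PKIOperation",
                              "GetNextCACert"})

# Constructed sample: 4 bytes chosen so the base64 output contains '+',
# '/' and '=' padding, the three characters that collide with URI syntax.
SAMPLE_MESSAGE = bytes([0xFB, 0xFF, 0xBF, 0xFE])       # base64 "+/+//g=="


def encode_message(raw: bytes) -> str:
    """Standard base64 (RFC 4648 Section 4), then percent-escape per
    RFC 3986.  safe="" makes quote() escape '/' as well, which it would
    otherwise leave untouched."""
    b64 = base64.b64encode(raw).decode("ascii")
    return quote(b64, safe="")


def decode_message(escaped: str) -> bytes:
    """Server side: unescape, then strict base64 decode.  validate=True
    rejects characters outside the Section 4 alphabet, so a client that
    sent base64url ('-', '_') is refused instead of silently mis-decoded."""
    try:
        return base64.b64decode(unquote(escaped), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"MESSAGE is not standard base64: {exc}") from exc


def build_get_request_line(operation: str, message: Optional[bytes] = None,
                           scep_path: str = DEFAULT_SCEP_PATH) -> str:
    """Client side: produce the full HTTP/1.1 request line."""
    if operation not in KNOWN_OPERATIONS:
        raise ValueError(f"unknown SCEP operation {operation!r}")
    target = f"{scep_path}?operation={operation}"
    if message is not None:
        target += "&message=" + encode_message(message)
    return f"GET {target} HTTP/1.1"


_REQUEST_LINE = re.compile(r"^GET (?P<target>\S+) HTTP/1\.[01]$")


def parse_get_request_line(line: str) -> Tuple[str, str, Optional[bytes]]:
    """Server side: return (path, operation, message bytes or None).

    The query is split by hand rather than with parse_qs(): form-style
    parsing turns '+' into a space, which is exactly the damage the
    escaping step exists to prevent."""
    m = _REQUEST_LINE.match(line)
    if m is None:
        raise ValueError("not an HTTP/1.x GET request line")
    path, _, query = m.group("target").partition("?")
    params = {}
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        params[key] = value                     # still percent-escaped
    operation = params.get("operation")
    if operation not in KNOWN_OPERATIONS:
        raise ValueError(f"missing or unknown operation {operation!r}")
    message = decode_message(params["message"]) if "message" in params else None
    return path, operation, message


def unescaped_message_is_corrupted(raw: bytes) -> bool:
    """Why the escaping is a MUST: push the *unescaped* base64 through
    form-style query parsing and check whether it survives.  Any message
    whose base64 contains '+' comes back with a space instead."""
    b64 = base64.b64encode(raw).decode("ascii")
    seen = parse_qs("message=" + b64)["message"][0]
    return seen != b64


if __name__ == "__main__":
    line = build_get_request_line("PKIOperation", SAMPLE_MESSAGE)
    print(line)
    print(parse_get_request_line(line))
    print("unescaped would be corrupted:",
          unescaped_message_is_corrupted(SAMPLE_MESSAGE))
```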


From nobody Thu Mar 15 12:37:33 2018
Return-Path: <yakov@nightwatchcybersecurity.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C23C61270B4 for <saag@ietfa.amsl.com>; Thu, 15 Mar 2018 12:37:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nightwatchcybersecurity-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dg2-1U0q68-1 for <saag@ietfa.amsl.com>; Thu, 15 Mar 2018 12:37:30 -0700 (PDT)
Received: from mail-ot0-x22d.google.com (mail-ot0-x22d.google.com [IPv6:2607:f8b0:4003:c0f::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 240F9126C22 for <saag@ietf.org>; Thu, 15 Mar 2018 12:37:30 -0700 (PDT)
Received: by mail-ot0-x22d.google.com with SMTP id h8-v6so8072277oti.6 for <saag@ietf.org>; Thu, 15 Mar 2018 12:37:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nightwatchcybersecurity-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=G0C5GJ3lSCoBZ6m78QcIn3NH4/5Cp/4xd5LELM1KuzQ=; b=cogZMm/y/j1a/y5cO3hyfLta1QcEVvxypjxxMia6DZbxpPQqDKFhz4Lqgzw+z0uO4J j0dBK7MVMfhMJAKI0R3EaU06woSrZxTYZA0TjgkVqdYtUPEPB8lOzTsIJrqN5PCYbFo3 n3QiDaGegpw9eT1mwlMKPaloZEKv0T5xj+Xo8gLEb7na75v2wzkgUNWpQdDJYHj6RSKk 20nD/5/ZeKdQHdJByjPIUElA8ZzVs7uMusNVHGuJLtWv24cG7x/TIuG1eo/hsWLR9kd8 n6eBxK0sAoaiF36iEStYgylAkKXoGOFhfiIKA/HYRCyOP13TQA+uJ5bAmxC6mOexd+ma oKFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=G0C5GJ3lSCoBZ6m78QcIn3NH4/5Cp/4xd5LELM1KuzQ=; b=hPQyUYWcBWRo/Oz1lPPgnSkJhhaxAZ5x5HIYSAt71hMj/61WEF3r0umgpHa+aI6E8k Dol9UZeBxJ5ZQIQTkltHsG0KCoy3DJlG5oy8tq8Xh1lv+V1BJsi8uc+cZRe5dzl0tFGL xXuQCWRivjfaNLflP5R2Kw1yifOetxQrOZ60mdyY+1+bGQvXyDHV1Zz5nXNz1r16MVRb 62S7Top8JGD4GU3FpNkgASb8NAtwBoOFyXse0XP1APsnAL8DL8+vULk/yRiuyPU1DGFV TCDtHh/30F09Ua7EuTdjvlsuI2eWXz55kebZpCpVTr4iyWtz3+qVec/OHwMbfyWgXnXA 4xoA==
X-Gm-Message-State: AElRT7HjctrUq6mgF42huHS4A8UkBwmsEHIC4uzYuMPIP3fK36KPc3ty gspbWVR3xt1gEYv4sVxPcWztQg6WAJTSo0UOTsDePJ7VymE=
X-Google-Smtp-Source: AG47ELurC/iv95WhGhsB5mgLmomC2hsxxm4whRed1BDRAzZpx4/8jvVynpRTjyEpM3/kHv1/kr1C4jGs1xc1NBXKa1o=
X-Received: by 10.157.97.194 with SMTP id h2mr6066620otk.236.1521142649279; Thu, 15 Mar 2018 12:37:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:1711:0:0:0:0:0 with HTTP; Thu, 15 Mar 2018 12:36:48 -0700 (PDT)
From: Nightwatch Cybersecurity <yakov@nightwatchcybersecurity.com>
Date: Thu, 15 Mar 2018 15:36:48 -0400
Message-ID: <CAAyEnSN_ByKEpRxZYuJmAYv_2Tf6DvOVv39Y-s8jRX4zbWr9_Q@mail.gmail.com>
To: Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/rktX1nvQbXJ-heBL-iznpE9xx3A>
Subject: [saag] Security of Type-4 UUIDs (RFC 4122)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 19:37:32 -0000

Hi,

RFC 4122, section 6 states as follows:

>> Do not assume that UUIDs are hard to guess; they should not be used
>> as security capabilities (identifiers whose mere possession grants
>> access), for example.  A predictable random number source will
>> exacerbate the situation.

Is this really true for type-4 UUIDs when used with a
cryptographically-secure RNG? Would that essentially be the same as
using a large random number (122 bits)?

Thanks
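The bit accounting behind the "122 bits" in the question, as an added example (not part of the original message): a version-4 UUID is assembled from CSPRNG bytes the way RFC 4122 Section 4.4 lays it out, and the fixed version and variant bits are counted and stripped. The RFC 4122 Appendix C DNS namespace UUID is used only as a version-1 contrast.

```python
"""Build a version-4 UUID from CSPRNG bytes per RFC 4122 Section 4.4 and
count the bits that are actually random.  Two fields are fixed: the 4-bit
version (0100) in the high nibble of octet 6 and the 2-bit variant (10)
at the top of octet 8, which leaves 128 - 6 = 122 random bits."""
import os
import uuid

# Masks over the 128-bit integer form of a UUID (octet 0 is the most
# significant byte): version nibble of octet 6, variant bits of octet 8.
VERSION_MASK = 0xF << 76
VARIANT_MASK = 0x3 << 62
FIXED_BITS = bin(VERSION_MASK | VARIANT_MASK).count("1")   # 6

# A version-1 UUID from RFC 4122 Appendix C, used below for contrast.
V1_EXAMPLE = uuid.NAMESPACE_DNS


def uuid4_from_random(random16: bytes) -> uuid.UUID:
    """RFC 4122 Section 4.4: take 16 random octets, then overwrite the
    version and variant fields.  Everything else is left as supplied."""
    if len(random16) != 16:
        raise ValueError("need exactly 16 bytes of random input")
    b = bytearray(random16)
    b[6] = (b[6] & 0x0F) | 0x40      # time_hi_and_version: version 4
    b[8] = (b[8] & 0x3F) | 0x80      # clock_seq_hi_and_reserved: variant 10xx
    return uuid.UUID(bytes=bytes(b))


def random_uuid4() -> uuid.UUID:
    """Same construction fed from the OS CSPRNG (what uuid.uuid4() does)."""
    return uuid4_from_random(os.urandom(16))


def is_rfc4122_v4(u: uuid.UUID) -> bool:
    return u.variant == uuid.RFC_4122 and u.version == 4


def random_bit_count(u: uuid.UUID) -> int:
    """Bits a guesser has to get right for a v4 UUID: 128 minus the fixed
    version and variant bits.  Other versions are refused, since their
    fields (timestamp, node address) are not random at all."""
    if not is_rfc4122_v4(u):
        raise ValueError("not an RFC 4122 version-4 UUID")
    return 128 - FIXED_BITS


def random_payload(u: uuid.UUID) -> int:
    """Extract the 122 random bits as one integer, skipping the fixed
    fields, to make the 'large random number' view concrete."""
    if not is_rfc4122_v4(u):
        raise ValueError("not an RFC 4122 version-4 UUID")
    n = u.int
    high = n >> 80                    # octets 0-5: 48 bits
    mid = (n >> 64) & 0x0FFF          # low nibble of octet 6 + octet 7: 12 bits
    low = n & ((1 << 62) - 1)         # octets 8-15 minus the variant bits: 62 bits
    return (high << 74) | (mid << 62) | low


if __name__ == "__main__":
    u = random_uuid4()
    print(u, "random bits:", random_bit_count(u))
    print("payload:", hex(random_payload(u)))
```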


From nobody Thu Mar 15 12:41:49 2018
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6BD31270B4 for <saag@ietfa.amsl.com>; Thu, 15 Mar 2018 12:41:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r05OVFLjAXmN for <saag@ietfa.amsl.com>; Thu, 15 Mar 2018 12:41:45 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B582124C27 for <saag@ietf.org>; Thu, 15 Mar 2018 12:41:45 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w2FJcH1Q012501; Thu, 15 Mar 2018 19:41:44 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=Z4g+bvyVrTdOgknzUco0KDpwVfcCxl5eAK45BYvztpw=; b=OOxfg3VL3bTJkN1UmIP9jOaHyLPw6RMTGgCtM5VTivnvry4vGHZlxVP3ZTviFwUiQZ9Y 2pEthQLYT4Lt85v6gxG3uckiLnW/ZVmiAua8uqa76NaXpD/vijoMkYZMkv3IMBhAJYQ5 TLRowzCYQYvY/ibKGLCjtbVi9GByDEBO+0EGkvfIL3KCRzu+Mf8TYEnGhAvE+Fvj7IaH rr0rzxWleJNpSbUF0ZQfiSRiBpwoCB3MRW5yM3i+07TMKXuyrxgZsfq3LnnkbS90Pfyv QSR59BLIHxlT/2Sh+uZXb3e7nL7ItYEOOR02zoTayvJK68Fg7KLXv02U6pU4sMmE5HGx Sg== 
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by m0050102.ppops.net-00190b01. with ESMTP id 2gqt5yrx71-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 15 Mar 2018 19:41:44 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w2FJbl1o013589; Thu, 15 Mar 2018 15:41:43 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.31]) by prod-mail-ppoint2.akamai.com with ESMTP id 2gmbk02xus-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 15 Mar 2018 15:41:43 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag3mb3.msg.corp.akamai.com (172.27.123.58) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 15 Mar 2018 15:41:42 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 15 Mar 2018 15:41:42 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1263.000; Thu, 15 Mar 2018 15:41:42 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Nightwatch Cybersecurity <yakov@nightwatchcybersecurity.com>, "Security Area Advisory Group" <saag@ietf.org>
Thread-Topic: [saag] Security of Type-4 UUIDs (RFC 4122)
Thread-Index: AQHTvJUWPu/1GuXHRUWp0MibgD4xKaPRsh2A
Date: Thu, 15 Mar 2018 19:41:41 +0000
Message-ID: <239BDE92-37DC-4C85-ADCF-F7721C45957B@akamai.com>
References: <CAAyEnSN_ByKEpRxZYuJmAYv_2Tf6DvOVv39Y-s8jRX4zbWr9_Q@mail.gmail.com>
In-Reply-To: <CAAyEnSN_ByKEpRxZYuJmAYv_2Tf6DvOVv39Y-s8jRX4zbWr9_Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.38.113]
Content-Type: text/plain; charset="utf-8"
Content-ID: <6A415B8DD3D5524BB359AEDC9CB12F4D@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-15_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=496 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803150214
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-15_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=440 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803150214
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/wbWAH25cXxTUqBQ42hvr6L0a8Ng>
Subject: Re: [saag] Security of Type-4 UUIDs (RFC 4122)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 19:41:47 -0000

That RFC is twelve years old; 122 bits is not considered a large random number any more.


From nobody Thu Mar 15 14:22:09 2018
Return-Path: <msj@nthpermutation.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F314127241 for <saag@ietfa.amsl.com>; Thu, 15 Mar 2018 14:22:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XRZk44vFt39b for <saag@ietfa.amsl.com>; Thu, 15 Mar 2018 14:22:06 -0700 (PDT)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD73A126DED for <saag@ietf.org>; Thu, 15 Mar 2018 14:22:05 -0700 (PDT)
Received: by mail-wr0-x233.google.com with SMTP id h2so9682291wre.12 for <saag@ietf.org>; Thu, 15 Mar 2018 14:22:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5suBgeGlNiJ7SEcwmZqNI+xT3RqXq8dywH+sTKhIXIM=; b=cmFIb72Ssbbb3WCkWn2o0USjgrC5slQQ4M89oI88IaOezDsR06ivgY//qHLakqQvYx qTm05L2cxnYvmNfCTSLDuTX5R+SRkSTRIkCHpA1BZw728dEPRDGvZLsYBLmTAoOIBfB6 ma3Lry+IguUuNSh1F5xf0V1tgtKrGSYvkz7Xi6LrLabfvwecLHY6NzgHW2i5HWD1Iwb3 DNsG14jqYKkjeN33Z4eh2vuSA7ymhYIxkHUeRPHcQ3i6y8CO1RiAZvGCedBXqV8IDOvh Hw15lBBN3pSYTyLwBHB8rlPwJFx6XwxXleVq992zMetlYwCE4j6qaPKIdc+P77IObNtu zEIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5suBgeGlNiJ7SEcwmZqNI+xT3RqXq8dywH+sTKhIXIM=; b=OHRrY+9tt2C5ByxDObKw7T4pUSMzWDCBx3ECghBDSaG+PEDnSL/gUzs5l1yvKxGVXC BGLY8lKzdYPSrjrNCE9xhhPtfUEf2jzOiSerVNKgDtx5xmRawEsyEVn+nSl5vo+SK5+P pMIt6Cz4K/BEyja+FrIhNpEzzazYVAWsQb7bM7trLnnamtQxIMdpnYNHYW5tzU+EtYJm l5SFhawaq35/NmElGxAZV3D0kBNoSCK5YR9qXJaqE09TV5Ph51sWOW05flsY3u/OIf8b g+O/kXgqMSYzXDy7ITCnEYRdXESpOKWHQ/rYlkNnxLJRyE9dlCsr9tRV2gJE08nXCYBt KaYw==
X-Gm-Message-State: AElRT7HVVGNYd496XXflqcEsx88WtSORJAJdtL8Ho1oDhMjijaEL4Yvz YR42OX0dn3UrXzhxm48TKmsKTU2RzNHv2sz7JVlQ2Q==
X-Google-Smtp-Source: AG47ELtxC/lUpD+jtNwREUbl6lCgqXGLf0vMJi4sPPSQ+d5/1nCbWNNTSZds4lVUTlG+zItrJCc812E7fKoAz/ghGks=
X-Received: by 10.223.163.136 with SMTP id l8mr8925555wrb.270.1521148924201; Thu, 15 Mar 2018 14:22:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAAyEnSN_ByKEpRxZYuJmAYv_2Tf6DvOVv39Y-s8jRX4zbWr9_Q@mail.gmail.com> <239BDE92-37DC-4C85-ADCF-F7721C45957B@akamai.com>
In-Reply-To: <239BDE92-37DC-4C85-ADCF-F7721C45957B@akamai.com>
From: Michael StJohns <msj@nthpermutation.com>
Date: Thu, 15 Mar 2018 21:21:53 +0000
Message-ID: <CANeU+ZCoMFcf9WEkp2UBZAzp9=RKSnyiKN=Ja3wf0sbj=-unRA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Nightwatch Cybersecurity <yakov@nightwatchcybersecurity.com>,  Security Area Advisory Group <saag@ietf.org>
Content-Type: multipart/alternative; boundary="f403045f126e47271b05677a151f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/YbuZOPO3o6eRU8WNRtTfjO3VuAY>
Subject: Re: [saag] Security of Type-4 UUIDs (RFC 4122)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 21:22:08 -0000

--f403045f126e47271b05677a151f
Content-Type: text/plain; charset="UTF-8"

Besides, while you may know how you generated the UUID, never assume the
other guy did too.  Mike

On Thu, Mar 15, 2018 at 15:41 Salz, Rich <rsalz@akamai.com> wrote:

> That RFC is twelve years old; 122 bits is not considered a large random
> number any more.
>
>
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>


--f403045f126e47271b05677a151f--


From nobody Thu Mar 15 21:30:38 2018
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76C6C120721 for <saag@ietfa.amsl.com>; Thu, 15 Mar 2018 21:30:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xt5qH4hyOTPu for <saag@ietfa.amsl.com>; Thu, 15 Mar 2018 21:30:34 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0D901200F1 for <saag@ietf.org>; Thu, 15 Mar 2018 21:30:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1521174634; x=1552710634; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=YwWstmjK3ia0kPRjsWfvSWJdzniJsEjkaPiUbALDv68=; b=E8CjwkpMzESqy3LPRT7icGl0m1kj+o7hM5qJ5rDg+uGreuRuVA7qgPLI UCVh9Kiv+EArbJ/AQ6XfwTVJdbyOk+DBZBIXV9/yqIKIjZr1Pw2Sw6emj kc1ur1Y00k9SOHRUhop6B43SZzL1q7nXukRiZxZ+r7cdilUGcFW88pdYz NTqLW9ZM5oHN0Qcm1e6mEjDg7IGqCEwl7ZNqsRjPC8rVoVg/SyoLZLRv0 v9tB8rbuPstgkmqtKhMSs5DAp4MCwm7PGzuW5MrDrC1+tNF1TGKVZdoaa YDL4pZyN47x0l7XzncArylcWuLyY/kqhQ4JSlkXGh7qgFOFjdfvelUcT1 g==;
X-IronPort-AV: E=Sophos;i="5.48,313,1517828400";  d="scan'208";a="4318492"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.5 - Outgoing - Outgoing
Received: from uxcn13-tdc-d.uoa.auckland.ac.nz ([10.6.3.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 16 Mar 2018 17:30:30 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 16 Mar 2018 17:30:29 +1300
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Fri, 16 Mar 2018 17:30:30 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Salz, Rich" <rsalz@akamai.com>, Nightwatch Cybersecurity <yakov@nightwatchcybersecurity.com>, Security Area Advisory Group <saag@ietf.org>
Thread-Topic: [saag] Security of Type-4 UUIDs (RFC 4122)
Thread-Index: AQHTvJUaGUl8tiS57UybQwZ9PDiOT6PQ2C+AgAFtdLM=
Date: Fri, 16 Mar 2018 04:30:29 +0000
Message-ID: <1521174621492.81016@cs.auckland.ac.nz>
References: <CAAyEnSN_ByKEpRxZYuJmAYv_2Tf6DvOVv39Y-s8jRX4zbWr9_Q@mail.gmail.com>,  <239BDE92-37DC-4C85-ADCF-F7721C45957B@akamai.com>
In-Reply-To: <239BDE92-37DC-4C85-ADCF-F7721C45957B@akamai.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/mdJRECix1E73Jg2_AQ4cMqG779Q>
Subject: Re: [saag] Security of Type-4 UUIDs (RFC 4122)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2018 04:30:36 -0000

Salz, Rich <rsalz@akamai.com> writes:

>That RFC is twelve years old; 122 bits is not considered a large random
>number any more.

Below is a 128-bit data block consisting of 128 bits of zeroes encrypted using
AES keyed with a not-large 122-bit random number.  Let me know when you've
recovered said not large random number, and what its value is:

  34 A9 38 5F E9 BE CE 72 4A 9D F0 A7 36 EB 93 A4

Peter.


From nobody Fri Mar 16 04:44:18 2018
Return-Path: <yakov@nightwatchcybersecurity.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E38EA12778E for <saag@ietfa.amsl.com>; Fri, 16 Mar 2018 04:44:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nightwatchcybersecurity-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKLVT81QF3z0 for <saag@ietfa.amsl.com>; Fri, 16 Mar 2018 04:44:15 -0700 (PDT)
Received: from mail-ot0-x232.google.com (mail-ot0-x232.google.com [IPv6:2607:f8b0:4003:c0f::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FEB912762F for <saag@ietf.org>; Fri, 16 Mar 2018 04:44:15 -0700 (PDT)
Received: by mail-ot0-x232.google.com with SMTP id r30-v6so10076967otr.2 for <saag@ietf.org>; Fri, 16 Mar 2018 04:44:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nightwatchcybersecurity-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=foj5WfWul0HHnUPnVJinoSPbTK551q1xB4P79a2bkmk=; b=GruZ2RIvy1c0rbwSysFnuTWgNel6IDZV+2M5Q/U8/xwnApJHxBQKFEB7hujBwzMF2v YvlTQzQb8hBnsdY+NlPm4yn2EXVvNKhyEyt6B98elFX9rvHAzjd2b2mW5SmoJZJwCb1x 5ttHSCY0ShFs0AxQ8OnBoVM7on/eJYEvd4jfLa51/dZhTwSVhie1jTS28KhM7MkcURoY /J7A/HumkflLsqabqacpTc/k279VuOviT+XmNEy08I+YustSfDqdfLnNOdSgkurbG2ef mJzCnsdvQUTtkx+/kCj4NYbzDi8s4n3Ckl1vUQHOv6tQrjuiEtCZUxWYbbooUwcKYMiu IS+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=foj5WfWul0HHnUPnVJinoSPbTK551q1xB4P79a2bkmk=; b=ltb2jeCvYugEKyXwap1R3PjL3ALQr4N9QNeSY7ob1FGNh7Djtl9vg54ZQo1V+YSKWA cGU0zFxWw/qbwGthen1zIs+mTfPd7lcX8m673GV1aocmlczUnTGr3f8bDBQzof13EhAz FPRhKU1lXZwKgwN/aAHddLXpFizAOdI9QNotbbc/LjBKvZSXcPRixZoO90XNFiLqQa+L AySArX4aaCxCXSB4eYG5sAvRNDiQptS6nIKszpGwsgQ+zgMBwRb7zxHEJw5/3/gCKhJ6 FKwgTSIV5OJCrLHchOlEd/eJ7ms+PkcKIWiMKFsCNcTHRRFgWnH0/XmozGC4ykMtOwUa kqmQ==
X-Gm-Message-State: AElRT7GhaGt1fIjg5VEl0V5fOgeBw8YUox4MGcW8n/Fq9zdI6cEaMdty etKCwxmSgEmoFUlSqPQO+vUW39Oz4TCBSmhaqRUWZibzrWI=
X-Google-Smtp-Source: AG47ELu4j4izRv4UmN5dQ9QT7mLpudfrvq2NOruSZH0BaloCW3CX3388xTmnnVB17lRR8NHYxAPE63WYgkIWH82EFag=
X-Received: by 2002:a9d:61c2:: with SMTP id h2-v6mr857629otk.236.1521200654614;  Fri, 16 Mar 2018 04:44:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:1711:0:0:0:0:0 with HTTP; Fri, 16 Mar 2018 04:43:34 -0700 (PDT)
In-Reply-To: <239BDE92-37DC-4C85-ADCF-F7721C45957B@akamai.com>
References: <CAAyEnSN_ByKEpRxZYuJmAYv_2Tf6DvOVv39Y-s8jRX4zbWr9_Q@mail.gmail.com> <239BDE92-37DC-4C85-ADCF-F7721C45957B@akamai.com>
From: Nightwatch Cybersecurity <yakov@nightwatchcybersecurity.com>
Date: Fri, 16 Mar 2018 07:43:34 -0400
Message-ID: <CAAyEnSNqZ0i3cieb2XCvgcO7ffbR_O138dUxvX=qri8te9TTTA@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0Pq2kj7pzRF3z5ySR029Zqm-x-I>
Subject: Re: [saag] Security of Type-4 UUIDs (RFC 4122)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2018 11:44:17 -0000

On Thu, Mar 15, 2018 at 3:41 PM, Salz, Rich <rsalz@akamai.com> wrote:
> That RFC is twelve years old; 122 bits is not considered a large random number any more.
>

There are 122 bits of entropy in a UUID used with a good RNG. The use
case would be not to use this for cryptography but for things like
session IDs and record IDs, especially in a distributed system where
record IDs may need to be generated by different systems and not run
into a collision. Current guidance from OWASP for session IDs is to
have a 128-bit identifier with 64 bits of entropy:
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Session_ID_Properties

My question regarding RFC 4122 is as follows:
- Is the original security guidance based on the fact that UUIDs are
likely to be non-random (non-type-4 or type-4 without a good RNG)?
- Or is the original security guidance based on the fact that the 122
bit space is too small?
- What is the current guidance for such use cases like record IDs and
session IDs, especially when used for things like access tokens or API
tokens?

I do see that type-4 UUIDs are used in existing standards; some
examples are RFC 8182, RFC 6355, RFC 7047, RFC 7989, RFC 7519, etc.

Thank you


From nobody Fri Mar 16 17:39:37 2018
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFAA91243F3 for <saag@ietfa.amsl.com>; Fri, 16 Mar 2018 17:39:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kV7Mk_vtPfqd for <saag@ietfa.amsl.com>; Fri, 16 Mar 2018 17:39:34 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF07B120454 for <saag@ietf.org>; Fri, 16 Mar 2018 17:39:34 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2H0dXEE015759; Sat, 17 Mar 2018 00:39:33 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=Y6mc3dFBeffLCWfZAfXEyVRm03CD86M/y/5PxE6h3XI=; b=M4hhwXLbgFmYN4mlLCQiRYHd8wXCFZSLFTI9WsYJF7JqE2rDSlpjvw1HD14iodYcW2i7 Zh6VJa/xbiQVcJcvUbRuf1Orz3mkrSyyPFjOKHHNLLZY2ydwIAyBEkiONNbVBor3tA5H jV5r99uNMqrJ9HLaSPc19LDOSFN8BDkeFzeSCeCkybT0ihkFIev69kZRN55QUAU9R5sp jaMu58qostqjIpUSDGM6GehrIjGKIKb4udJaVE8lTSQEtvEGnED/FeTP1N6zp69YIAyx NuEvaKJJN8ItxUPvRuwsbc8KkyKWUbdCWPHWkP2L2O7DbsjgQAk2qmGoXFcsN86A/6z8 Fg== 
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by mx0b-00190b01.pphosted.com with ESMTP id 2gqvdbbr56-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 17 Mar 2018 00:39:33 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w2H0a5Tr000758; Fri, 16 Mar 2018 20:39:32 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.57]) by prod-mail-ppoint2.akamai.com with ESMTP id 2gmbk07gu8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 16 Mar 2018 20:39:32 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com (172.27.123.103) by usma1ex-dag1mb2.msg.corp.akamai.com (172.27.123.102) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 16 Mar 2018 20:39:32 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com ([172.27.123.103]) by usma1ex-dag1mb3.msg.corp.akamai.com ([172.27.123.103]) with mapi id 15.00.1263.000; Fri, 16 Mar 2018 20:39:32 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Nightwatch Cybersecurity <yakov@nightwatchcybersecurity.com>
CC: Security Area Advisory Group <saag@ietf.org>
Thread-Topic: [saag] Security of Type-4 UUIDs (RFC 4122)
Thread-Index: AQHTvJUWPu/1GuXHRUWp0MibgD4xKaPRsh2AgAFPzgCAAJW+gA==
Date: Sat, 17 Mar 2018 00:39:31 +0000
Message-ID: <8D7EC5B9-4231-4783-AB71-B803B650232C@akamai.com>
References: <CAAyEnSN_ByKEpRxZYuJmAYv_2Tf6DvOVv39Y-s8jRX4zbWr9_Q@mail.gmail.com> <239BDE92-37DC-4C85-ADCF-F7721C45957B@akamai.com> <CAAyEnSNqZ0i3cieb2XCvgcO7ffbR_O138dUxvX=qri8te9TTTA@mail.gmail.com>
In-Reply-To: <CAAyEnSNqZ0i3cieb2XCvgcO7ffbR_O138dUxvX=qri8te9TTTA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.32.93]
Content-Type: text/plain; charset="utf-8"
Content-ID: <AC99527F418B37498E57658C73F9B86F@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-16_16:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=696 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803170005
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-16_16:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=629 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803170005
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/pfHa6RPXN84G2Iiz8O5zNcm_7g0>
Subject: Re: [saag] Security of Type-4 UUIDs (RFC 4122)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Mar 2018 00:39:36 -0000

Back then, real crypto-strong RNG's weren't widely available nor on everyone's minds.

Is it okay if the identifier is guessable?  Just use a counter. If not, use something like a DRBG seeded with good randomness. I recommend RAND_bytes in the current master branch of OpenSSL.

Don't waste bits making it look like a UUID.
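Added example, written for this archive and not by any poster in the thread: standard-library Python that makes two of the points above concrete, namely where Yakov's 122 bits come from (the six version/variant bits RFC 4122 overwrites) together with the birthday-bound collision estimate for record IDs minted by several systems, and, following Rich's advice, an identifier that keeps all 128 bits of CSPRNG output instead of spending six on UUID shape. Python's `secrets` module stands in for OpenSSL's RAND_bytes; every function name here is mine.

```python
"""Entropy accounting for RFC 4122 version-4 UUIDs versus a plain random token.

Standard-library only.  Three things the thread talks about, made concrete:
  * which 6 of the 128 bits a v4 UUID overwrites (version and variant), leaving 122;
  * the birthday-bound collision estimate for record IDs minted by many systems;
  * an identifier that keeps all 128 bits of CSPRNG output instead of spending 6 on UUID shape.
"""
import math
import secrets
import uuid

UUID_BYTES = 16

# RFC 4122 section 4.4: in a v4 UUID the high nibble of byte 6 is forced to
# 0100 (version 4) and the top two bits of byte 8 to 10 (RFC 4122 variant).
VERSION_MASK, VERSION_VALUE = 0xF0, 0x40
VARIANT_MASK, VARIANT_VALUE = 0xC0, 0x80


def uuid4_from_random(rand: bytes) -> uuid.UUID:
    """Turn 16 random bytes into a version-4 UUID by applying the two masks above."""
    if len(rand) != UUID_BYTES:
        raise ValueError("need exactly 16 random bytes")
    b = bytearray(rand)
    b[6] = (b[6] & ~VERSION_MASK & 0xFF) | VERSION_VALUE
    b[8] = (b[8] & ~VARIANT_MASK & 0xFF) | VARIANT_VALUE
    return uuid.UUID(bytes=bytes(b))


def uuid4_entropy_bits() -> int:
    """Random bits that survive the overwrite: 128 minus the bits the masks fix (6) = 122."""
    fixed = bin(VERSION_MASK).count("1") + bin(VARIANT_MASK).count("1")
    return UUID_BYTES * 8 - fixed


def new_uuid4() -> uuid.UUID:
    """A v4 UUID from the OS CSPRNG; what uuid.uuid4() does, spelled out."""
    return uuid4_from_random(secrets.token_bytes(UUID_BYTES))


def collision_probability(n_ids: int, entropy_bits: int) -> float:
    """Birthday bound: P(at least one duplicate among n_ids uniform values from a 2**bits space).

    -expm1(-x) is 1 - exp(-x) without cancellation, so tiny probabilities stay meaningful.
    """
    space = 2.0 ** entropy_bits
    return -math.expm1(-(n_ids * (n_ids - 1)) / (2.0 * space))


def ids_before_collision_risk(max_probability: float, entropy_bits: int) -> int:
    """Largest number of IDs you can mint before collision risk reaches max_probability.

    Inverts the bound above (n*(n-1) approximated by n**2); the floor keeps it conservative.
    """
    space = 2.0 ** entropy_bits
    return int(math.sqrt(-2.0 * space * math.log1p(-max_probability)))


def random_token(entropy_bits: int = 128) -> str:
    """Opaque identifier that keeps every CSPRNG bit; hex output, 2 chars per byte."""
    if entropy_bits % 8:
        raise ValueError("entropy_bits must be a multiple of 8")
    return secrets.token_hex(entropy_bits // 8)


def expected_brute_force_years(entropy_bits: int, guesses_per_second: float) -> float:
    """Expected time to hit one specific secret by exhaustive search (half the space on average)."""
    expected_guesses = 2.0 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print("v4 UUID entropy:", uuid4_entropy_bits(), "bits")  # 122
    print("sample v4 UUID:", new_uuid4())
    print("full-entropy token:", random_token(128))
    for bits in (64, 122):  # 64 = OWASP session-ID floor cited in the thread, 122 = v4 UUID
        n = ids_before_collision_risk(1e-9, bits)
        print(f"{bits} bits: ~{n:.2e} IDs before 1e-9 collision risk;"
              f" ~{expected_brute_force_years(bits, 1e12):.1e} years to brute-force at 1e12/s")
```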


From nobody Sun Mar 18 02:36:27 2018
Return-Path: <randy@psg.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4035127337 for <saag@ietfa.amsl.com>; Sun, 18 Mar 2018 02:36:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level: 
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UCuUWpRl8vVY for <saag@ietfa.amsl.com>; Sun, 18 Mar 2018 02:36:25 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08B311200FC for <saag@ietf.org>; Sun, 18 Mar 2018 02:36:25 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.86_2) (envelope-from <randy@psg.com>) id 1exUjn-0007qa-Q8 for saag@ietf.org; Sun, 18 Mar 2018 09:36:23 +0000
Date: Sun, 18 Mar 2018 09:36:23 +0000
Message-ID: <m2y3ipiv3c.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: saag@ietf.org
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/25.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/XC4zeYSwowdAKMlrbVHCcZcc1I0>
Subject: [saag] ffox and chrome offer sha1 and then puke
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 09:36:26 -0000

i am using both ffox 59.01 and chrome 65.0.3325.162 on latest macos high
sierra.

i am trying to connect to mycheckfree.com

ffox and chrome are offering sha1 and then puking when the site selects
it.

what the heck?

randy


From nobody Sun Mar 18 06:56:16 2018
Return-Path: <jricher@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42BCA12711A; Sun, 18 Mar 2018 06:56:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level: 
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 43SnpxPC76e5; Sun, 18 Mar 2018 06:56:12 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6897126C0F; Sun, 18 Mar 2018 06:56:11 -0700 (PDT)
X-AuditID: 12074425-1a5ff7000000167b-8f-5aae6ff7f166
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 27.A0.05755.8FF6EAA5; Sun, 18 Mar 2018 09:56:09 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w2IDu3XL032426; Sun, 18 Mar 2018 09:56:05 -0400
Received: from dhcp-90dd.meeting.ietf.org (dhcp-90dd.meeting.ietf.org [31.133.144.221]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2IDtx1v021360 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 18 Mar 2018 09:56:02 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <4E90B3B8-6B2A-4604-92D4-A4BBB2B05E02@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_31506C08-41D4-48D4-A8A8-803734C5627A"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Sun, 18 Mar 2018 13:56:15 +0000
In-Reply-To: <EBA69A3C-4984-4BEB-A230-4AA40791895B@sn3rd.com>
Cc: saag@ietf.org, draft-richer-vectors-of-trust@ietf.org
To: Sean Turner <sean@sn3rd.com>
References: <202944E0-CBED-465B-A55F-A6F1BE4E3F10@mit.edu> <EBA69A3C-4984-4BEB-A230-4AA40791895B@sn3rd.com>
X-Mailer: Apple Mail (2.3445.5.20)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrBKsWRmVeSWpSXmKPExsUixG6nrvszf12UwcW32hbH/3WwWEzp72Sy uLKqkdmB2WPJkp9MHgcPMgYwRXHZpKTmZJalFunbJXBltH0+w1xwahdjxampbewNjJcXMHYx cnJICJhINKw4ztzFyMUhJLCYSeJJ13smCGcjo0TPpf2MEM4VJokFKyaCtbAJqEpMX9PCBGLz ClhJzD21ByzOLJAk8eDZXTaIuInE+7cPwWqEBfwkzr2BWMcC1NuzcytYnFPAVuLG2/XsXYwc QL2WEg+WiYCERQQUJJqOPmAFsYUEciV+ND5mgrhUSWL699tsExj5ZyHZNgvJNoi4tsSyha+Z IWxNif3dy1kwxTUkOr9NZF3AyLaKUTYlt0o3NzEzpzg1Wbc4OTEvL7VI10IvN7NELzWldBMj OMhdVHcwzvnrdYhRgINRiYdXomxtlBBrYllxZe4hRkkOJiVR3rub10QJ8SXlp1RmJBZnxBeV 5qQWH2KU4GBWEuE1iFoXJcSbklhZlVqUD5OS5mBREuf1MNGOEhJITyxJzU5NLUgtgsnKcHAo SfDuzQNqFCxKTU+tSMvMKUFIM3FwggznARoumw8yvLggMbc4Mx0if4rRnmPLo5dtzBwHwOSN F6+BZMOmVd3MQix5+XmpUuK8DCBtAiBtGaV5cJNBCUy+dcLdV4ziQI8K8yqAVPEAkx/c7FdA a5mA1vosXQOytiQRISXVwLj4z/vyw75PfG8XfhG0dDku1HnyB8sy+RNv7dJe1m15USzK2nBq gcb118KtHbziOj7XxVgL1rIGrQ/fKfatMIBj6/Wm3odLzZM70leubv5rPfGwUVFnXP1xm8a5 h9PLkksWHbe0OVOiG3h6v+IG5upvJlOv9F88qPLCZylTzA/5tun3p7l1TVBiKc5INNRiLipO BABzyc64OwMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FbUfyaHY7WV10kH1KRj5RJxAtzQ>
Subject: Re: [saag] New Version Notification for draft-richer-vectors-of-trust-07.txt
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 13:56:15 -0000

--Apple-Mail=_31506C08-41D4-48D4-A8A8-803734C5627A
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi everyone,

I’ve uploaded a new version of Vectors of Trust that addresses all of Sean’s comments.

Name:		draft-richer-vectors-of-trust
Revision:	08
Title:		Vectors of Trust
Document date:	2018-03-18
Group:		Individual Submission
Pages:		23
URL:            =
https://www.ietf.org/internet-drafts/draft-richer-vectors-of-trust-08.txt =
<https://www.ietf.org/internet-drafts/draft-richer-vectors-of-trust-08.txt=
>
Status:         =
https://datatracker.ietf.org/doc/draft-richer-vectors-of-trust/ =
<https://datatracker.ietf.org/doc/draft-richer-vectors-of-trust/>
Htmlized:       =
https://tools.ietf.org/html/draft-richer-vectors-of-trust-08 =
<https://tools.ietf.org/html/draft-richer-vectors-of-trust-08>
Htmlized:       =
https://datatracker.ietf.org/doc/html/draft-richer-vectors-of-trust =
<https://datatracker.ietf.org/doc/html/draft-richer-vectors-of-trust>
Diff:           =
https://www.ietf.org/rfcdiff?url2=3Ddraft-richer-vectors-of-trust-08 =
<https://www.ietf.org/rfcdiff?url2=3Ddraft-richer-vectors-of-trust-08>


 =E2=80=94 Justin

> On Mar 12, 2018, at 7:11 PM, Sean Turner <sean@sn3rd.com> wrote:
>=20
> Messages related to draft-richer-vectors-of-trust.
>=20
>> Begin forwarded message:
>>=20
>> From: Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>>
>> Subject: Re: New Version Notification for =
draft-richer-vectors-of-trust-07.txt
>> Date: March 12, 2018 at 19:09:35 GMT
>> To: Sean Turner <sean@sn3rd.com <mailto:sean@sn3rd.com>>
>> Cc: Leif Johansson <leifj@sunet.se <mailto:leifj@sunet.se>>
>>=20
>>>> On Mar 12, 2018, at 18:07, Justin Richer <jricher@mit.edu =
<mailto:jricher@mit.edu>> wrote:
>>>>=20
>>>> Hi Sean, thanks so much. Responses inline:
>>>>=20
>>>>> On Mar 12, 2018, at 1:46 PM, Sean Turner <sean@sn3rd.com =
<mailto:sean@sn3rd.com>> wrote:
>>>>>=20
>>>>> Sorry just found the gh repo in an old mail =E2=80=A6 I can put in =
PRs if you want on the nits.
>>>>=20
>>>> Yes please, that would be great. Feel free to do it as just one PR =
or several, whatever=E2=80=99s your preference.
>>>=20
>>> I will try my best to not screw up the xml.
>>>=20
>>>>> spt
>>>>>=20
>>>>>> On Mar 12, 2018, at 17:33, Sean Turner <sean@sn3rd.com =
<mailto:sean@sn3rd.com>> wrote:
>>>>>>=20
>>>>>> Here=E2=80=99s my review of draft-richer-vectors-of-trust (should =
I send this someplace else too -secdir?):
>>>>>>=20
>>>>>> tl;dr: I like the idea after I got over my RBAC flashbacks!
>>>>=20
>>>> I totally get that, and since this work is meant to stand in =
contrast to RBAC if there=E2=80=99s a way we can make that clearer then =
that would be good.
>>>=20
>>> After we exchanged those emails earlier I was wondering if the =
RBAC-flashback was a good thing or a bad thing.  I come to think it was =
a good thing because it definitely gets you thinking about what worked =
and what didn=E2=80=99t.
>>>=20
>>>>>> I=E2=80=99ll be honest that at first I was like here we go again, =
but I do like that you managed to keep it to only 4 vectors initially =
and allow it to be expanded later.  I thought the recommendation for the =
second marker (alpha vs numeric) was pretty much what I would have done: =
P needs to have # the others not so much.  Not that for the same reasons =
you did C0 you could also do A0 - it is a =E2=80=9CNo=E2=80=9D.
>>>>=20
>>>> What would an A0 be, though? An unsigned assertion? C0 is something =
you might want to communicate (we did nothing in particular but there’s a user here maybe) but I’m not seeing the value in A0.
>>>>
>>>> As another example of how this works, NIST’s implementation uses both alpha and numeric for all their categories, requiring numeric for base values and adding alpha values as optional additional info on top of the category the number represents.
>>>>
>>>> https://github.com/usnistgov/800-63-3/blob/volume-d/sp800-63d/vot_mapping.md
>>>
>>> I was simply thinking about 0 = None/No.  I don’t think you have to change it to make all of the ones with no checks 0.
>>>
>>>>>>
>>>>>> I was initially a little confused about it being standards track because it’s specifying a framework, but you are specifying a wire format so that seems okay in my book.
>>>>
>>>> I’m fine with whatever target is recommended but it feels standards track to me.
>>>
>>> Like I said initially I was like oh it’s a framework, but once you started defining stuff that gets sent on the wire, well, I can go with standards track.
>>>
>>>>>> Question in s3.4: When you say “such as a session cookie in a web browser” you’re talking about HTTP’s cookies, right, and not TLS’s?
>>>>
>>>> Yes, HTTP cookies. We can add text to make that more explicit.
>>>
>>> I can slap that in my PR.
>>>
>>>>>> The IANA considerations section looks fine.  I assume you two would offer to the DEs?
>>>>
>>>> Yes. I volunteer and I’ll gladly volunteer Leif.
>>>
>>> I guess this is more for the ADs to know there’s a pool of candidates waiting to take the lead :)
>>>
>>>>>> I can see some asking for more information for the Sec/Priv sections, but honestly what you got there is pretty much it: don’t send these things in the clear, bind them with cryptography, and don’t share too much otherwise you’ll give away something you might not have meant to.  So, in my book that’s probably good enough.
>>>>
>>>> I found it hard to draw out much more than what we’ve got in there, especially in privacy because this is by its nature identifying information. Happy to expand if anyone’s got a good suggestion.
>>>
>>> I think this is exactly the right way to play it.  You could write a novel here, but instead hit the high points.  When somebody says what about blah you can point them at the gh repo and PRs welcome ;)
>>>
>>>>>> Nits:
>>>>>>
>>>>>> 0) Update to match the new terminology paragraph:
>>>>>>
>>>>>> The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
>>>>>> NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
>>>>>> "MAY", and "OPTIONAL" in this document are to be interpreted as
>>>>>> described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
>>>>>> appear in all capitals, as shown here.
>>>>
>>>> Sounds fine.
>>>
>>> Can do.
>>>
>>>>>> 1) s5.1: vtr vs votr?  I know everybody loves the 3-letter ones but it makes more sense that vot is the request and votr is the response.  I’m in no way going anywhere near a mat to argue this point though.
>>>>
>>>> The JWT community loves the three-letter fields so we went with this. If we were to change it (which I’d kinda rather not) I’d instead go with “vot_req” to expand it out.
>>>
>>> Ah I get that - no need to change it.
>>>
>>>>>> 2) s8: sentence ends abruptly:
>>>>
>>>> I think it’s just missing a reference target which rendered funny
>>>
>>> I’ll leave this one to you because I’m not sure where it’s supposed to point.
>>>
>>>>>> 3) I think both SP-800 references are missing something.
>>>>
>>>> Possibly, I wasn’t sure how to best pull those in.
>>>
>>> I’ll see what I can dig up and put it in the PR.
>>>
>>>>>> 4) I-D nits complains about two outdated references:
>>>>>>
>>>>>> ** Obsolete normative reference: RFC 5226 (Obsoleted by RFC 8126)
>>>>>>
>>>>>> ** Obsolete normative reference: RFC 7159 (Obsoleted by RFC 8259)
>>>>
>>>> I had no idea there was a new JSON, again!
>>>
>>> This bit me in the ass earlier this month.
>>>
>>>> — Justin
>>>>
>


--Apple-Mail=_31506C08-41D4-48D4-A8A8-803734C5627A--


From nobody Sun Mar 18 08:16:21 2018
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCDBF126E01 for <saag@ietfa.amsl.com>; Sun, 18 Mar 2018 08:16:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.026
X-Spam-Level: 
X-Spam-Status: No, score=-2.026 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_IMAGE_ONLY_24=1.618, HTML_IMAGE_RATIO_04=0.556, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rerGRiUaMb3d for <saag@ietfa.amsl.com>; Sun, 18 Mar 2018 08:16:17 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84374126BF7 for <saag@ietf.org>; Sun, 18 Mar 2018 08:16:16 -0700 (PDT)
Received: from [192.168.1.161] (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 90FEB7A3309 for <saag@ietf.org>; Sun, 18 Mar 2018 15:16:15 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Content-Type: multipart/alternative; boundary="Apple-Mail=_61905D7A-8BB9-4693-A718-6DB14959273C"
Reply-To: saag@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Sun, 18 Mar 2018 11:16:14 -0400
References: <m2y3ipiv3c.wl-randy@psg.com>
To: saag@ietf.org
In-Reply-To: <m2y3ipiv3c.wl-randy@psg.com>
Message-Id: <CBAF354D-45EB-4143-9D43-1F65888BBA7C@dukhovni.org>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/HaeUmamcUuYtnTDYmWl3VbWfo-k>
Subject: Re: [saag] ffox and chrome offer sha1 and then puke
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 15:16:19 -0000

--Apple-Mail=_61905D7A-8BB9-4693-A718-6DB14959273C
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii



> On Mar 18, 2018, at 5:36 AM, Randy Bush <randy@psg.com> wrote:
>
> I am using both ffox 59.01 and chrome 65.0.3325.162 on latest macos high sierra.

Ditto.

> I am trying to connect to mycheckfree.com
>
> ffox and chrome are offering sha1 and then puking when the site selects it.

I observe no involuntary discharge from either Chrome:

   Connection - obsolete connection settings
   The connection to this site uses TLS 1.2 (a strong protocol),
   RSA (an obsolete key exchange), and AES_256_CBC
   with HMAC-SHA1 (an obsolete cipher).

or firefox:

Perhaps some middle-box or other obstacle on your end?
You'll want a PCAP file and tshark to shed more light on this:

  # tcpdump -s0 -w /tmp/pkts.pcap tcp port 443 and host mycheckfree.com
  ... <CTRL-C> after browser connection to the site ...

  $ tshark -r /tmp/pkts.pcap -d tcp.port==443,ssl -V |
      sed -ne '/^Secure Sockets Layer/,/^$/p'

-- 
	Viktor.

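Viktor's tshark step decodes the handshake on the wire; what follows is an added example, not code from this thread, that does the same decoding offline for TLS 1.2 ClientHello/ServerHello records and labels the server's selection in the spirit of the Chrome panel he quoted (static RSA key exchange and CBC-with-HMAC-SHA1 suites flagged as obsolete). It assumes hand-constructed records and a small subset of the IANA cipher suite registry; nothing here is captured from mycheckfree.com.

```python
"""Offline ClientHello/ServerHello decoder (added example, not from the thread).
Sample records are constructed by hand below, not captured from any site."""
import struct

# Subset of the IANA TLS cipher suite registry (code point -> registry name).
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO, TLS12 = 0x16, 1, 2, 0x0303


def _record(msg_type, body):
    """Wrap a handshake body in a Handshake header and a TLS record header."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, TLS12, len(hs)) + hs


def build_client_hello(suites):
    """Minimal ClientHello: zero random, empty session id, null compression, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite):
    """Minimal ServerHello: zero random, empty session id, chosen suite, null compression."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


def parse_record(data):
    """Return the cipher suite(s) carried by a ClientHello or ServerHello record."""
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a Handshake record")
    hs = data[5:5 + length]
    msg_type, hlen = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("truncated handshake message")
    off = 2 + 32                 # skip legacy_version and random
    off += 1 + body[off]         # skip the length-prefixed session id
    if msg_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
        return {"type": "ClientHello", "suites": suites}
    if msg_type == SERVER_HELLO:
        (suite,) = struct.unpack("!H", body[off:off + 2])
        return {"type": "ServerHello", "suite": suite}
    raise ValueError(f"unsupported handshake type {msg_type}")


def classify(code):
    """Label a suite as the Chrome panel in the thread does: static RSA key exchange
    and non-AEAD (CBC + HMAC-SHA1) ciphers count as obsolete."""
    name = CIPHER_SUITES.get(code, f"UNKNOWN_0x{code:04X}")
    kx = "RSA" if name.startswith("TLS_RSA_WITH_") else "ECDHE" if "_ECDHE_" in name else "?"
    aead = "_GCM_" in name or "_CHACHA20_POLY1305_" in name
    return {"name": name, "key_exchange": kx,
            "key_exchange_obsolete": kx == "RSA", "cipher_obsolete": not aead}


def diagnose(client_hello, server_hello):
    """Summarise one handshake: offered suites, selected suite, and whether the
    selection was actually offered (a server picking an unoffered suite is a
    legitimate reason for the client to abort the connection)."""
    ch, sh = parse_record(client_hello), parse_record(server_hello)
    sel = classify(sh["suite"])
    return {
        "offered": [classify(c)["name"] for c in ch["suites"]],
        "selected": sel["name"],
        "selected_was_offered": sh["suite"] in ch["suites"],
        "key_exchange": sel["key_exchange"],
        "obsolete": sel["key_exchange_obsolete"] or sel["cipher_obsolete"],
    }


# Constructed sample: a client that lists the legacy RSA/CBC/SHA1 suites last, and a
# server that picks TLS_RSA_WITH_AES_256_CBC_SHA (the "RSA ... AES_256_CBC with
# HMAC-SHA1" case Chrome reported in the thread).
OFFERED = [0xC02F, 0xC030, 0xCCA8, 0xC013, 0xC014, 0x009C, 0x002F, 0x0035]
SAMPLE_CLIENT_HELLO = build_client_hello(OFFERED)
SAMPLE_SERVER_HELLO = build_server_hello(0x0035)

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CLIENT_HELLO, SAMPLE_SERVER_HELLO).items():
        print(f"{key}: {value}")
```

Feeding real records (for example the handshake bytes tshark shows for the capture above) to parse_record needs only the Handshake record itself; TLS 1.3 ServerHellos parse the same way but carry the real version in an extension this decoder does not read.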

--Apple-Mail=_61905D7A-8BB9-4693-A718-6DB14959273C--


From nobody Sun Mar 18 13:05:40 2018
Return-Path: <randy@psg.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FE5D1270A0 for <saag@ietfa.amsl.com>; Sun, 18 Mar 2018 13:05:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level: 
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D8IdbQW_ZzH3 for <saag@ietfa.amsl.com>; Sun, 18 Mar 2018 13:05:38 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 053B3126D73 for <saag@ietf.org>; Sun, 18 Mar 2018 13:05:37 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.rg.net) by ran.psg.com with esmtp (Exim 4.86_2) (envelope-from <randy@psg.com>) id 1exeYh-0000xv-OI; Sun, 18 Mar 2018 20:05:35 +0000
Date: Sun, 18 Mar 2018 20:05:35 +0000
Message-ID: <m2d101i1yo.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: saag@ietf.org
In-Reply-To: <CBAF354D-45EB-4143-9D43-1F65888BBA7C@dukhovni.org>
References: <m2y3ipiv3c.wl-randy@psg.com> <CBAF354D-45EB-4143-9D43-1F65888BBA7C@dukhovni.org>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/25.3 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Xw08Y3DcCDWIvS_TIbrMSmLvqo8>
Subject: Re: [saag] ffox and chrome offer sha1 and then puke
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Mar 2018 20:05:39 -0000

[ off list ]

>> I am using both ffox 59.01 and chrome 65.0.3325.162 on latest macos
>> high sierra.
> 
> Ditto.
> 
>> I am trying to connect to mycheckfree.com
>> 
>> ffox and chrome are offering sha1 and then puking when the site selects it.
> 
> I observe no involuntary discharge from either Chrome:
> 
>    Connection - obsolete connection settings
>    The connection to this site uses TLS 1.2 (a strong protocol),
>    RSA (an obsolete key exchange), and AES_256_CBC
>    with HMAC-SHA1 (an obsolete cipher).
> 
> or firefox:
> 
> Perhaps some middle-box or other obstacle on your end?
> You'll want a PCAP file and tshark to shed more light on this:
> 
>   # tcpdump -s0 -w /tmp/pkts.pcap tcp port 443 and host mycheckfree.com
>   ... <CTRL-C> after browser connection to the site ...
> 
>   $ tshark -r /tmp/pkts.pcap -d tcp.port==443,ssl -V |
>       sed -ne '/^Secure Sockets Layer/,/^$/p'

the mac is on the naked global internet, the ietf network.  safari
worked.  can try to debug more in next day or so.

randy


From nobody Mon Mar 19 03:07:42 2018
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BCEC126DED for <saag@ietfa.amsl.com>; Mon, 19 Mar 2018 03:07:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level: 
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fz0hNDp2bHri for <saag@ietfa.amsl.com>; Mon, 19 Mar 2018 03:07:37 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0058.outbound.protection.outlook.com [104.47.1.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC962126CBF for <saag@ietf.org>; Mon, 19 Mar 2018 03:07:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;  s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=HimTECiUldzyW/dioUh0RoGDld3k+A5MKk6JoVdn2/o=; b=fhzB0wfgLkcT4WhZdcJZZt7mNVY5VNIidsmUKYe//RIwGiu66CRTaD9De+EkpV8RWdSrnmt4rBNcOCd4Yl0L1zZc5P8lfQqJRrRF4lLsUhyTTpQpXpyWkZVnZ4/Eyk0g+EROh9d6+KscJUqDqje5w3q0/Pl401uBEEJppW4o2es=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1437.eurprd08.prod.outlook.com (10.167.210.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.588.14; Mon, 19 Mar 2018 10:07:33 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::783f:d09c:fea6:f83d]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::783f:d09c:fea6:f83d%17]) with mapi id 15.20.0588.016; Mon, 19 Mar 2018 10:07:33 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: ATLS side meeting to discussion application layer TLS (today @ lunch time)
Thread-Index: AdO/ZXUmtBPjJsJPQbCgRHIKaumuUg==
Date: Mon, 19 Mar 2018 10:07:33 +0000
Message-ID: <VI1PR0801MB21124A98093B4EC9DBD40DC2FAD40@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com; 
x-originating-ip: [31.133.155.188]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: f128dc59-eef1-41ad-b5b2-08d58d813bf7
x-ms-traffictypediagnostic: VI1PR0801MB1437:
x-microsoft-antispam-prvs: <VI1PR0801MB143749612FE90C2D0E3EEF7AFAD40@VI1PR0801MB1437.eurprd08.prod.outlook.com>
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: IDMrlotiUX0cQWuiQyEHO3q0mvl62ZfxOmlNiOnsHKKqap9MB5ldE4DGj5Z2+lhtLT4YEFpESvWz0xjtyhD6tQeiudbp5HdgZVqo+vtPRZoSxuawgL8Q2Waqg/epuHIEYeRO/yTCv/1zaqa90ofnVSKmNfXT4dt86v1GyqY3lX0D0wD8lsHW5IbaOQZIk0UrOurNrZ+dYPC9dj+vTCgTBocDjE3EMK7k6rakz4qGey1mFe7ibpQHgqd1CbMQDHMqp3X6RzWiyvmupHjF6CkaACXd1yXT4AlQNfpQU3wSA3PxAkUd1ABpAlTZrz/YsCOAlYIOQ+/z1Hkiz1xNwu9u1Q==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_VI1PR0801MB21124A98093B4EC9DBD40DC2FAD40VI1PR0801MB2112_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f128dc59-eef1-41ad-b5b2-08d58d813bf7
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Mar 2018 10:07:33.7930 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1437
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/PZNuxFSt-F6UlRuZJoA-0sXPjNI>
Subject: [saag] ATLS side meeting to discussion application layer TLS (today @ lunch time)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 10:07:40 -0000

--_000_VI1PR0801MB21124A98093B4EC9DBD40DC2FAD40VI1PR0801MB2112_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_VI1PR0801MB21124A98093B4EC9DBD40DC2FAD40VI1PR0801MB2112_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_VI1PR0801MB21124A98093B4EC9DBD40DC2FAD40VI1PR0801MB2112_--


From nobody Tue Mar 20 04:25:30 2018
Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35A13126CBF for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ir8yxMk1Brp for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:25:27 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6200A1200F1 for <saag@ietf.org>; Tue, 20 Mar 2018 04:25:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 4B324300494 for <saag@ietf.org>; Tue, 20 Mar 2018 07:25:25 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 45xkjzJi7Fdp for <saag@ietf.org>; Tue, 20 Mar 2018 07:25:24 -0400 (EDT)
Received: from dhcp-8e33.meeting.ietf.org (dhcp-8e33.meeting.ietf.org [31.133.142.51]) by mail.smeinc.net (Postfix) with ESMTPSA id 4A520300418 for <saag@ietf.org>; Tue, 20 Mar 2018 07:25:24 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-Id: <6CB16E6F-7EA7-4762-8A23-3DF2D9D1363F@vigilsec.com>
Date: Tue, 20 Mar 2018 07:25:28 -0400
To: IETF SAAG <saag@ietf.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/YFjHuyeeAXz8gWLpMZ4aaqDZ7wA>
Subject: [saag] SUIT WG Summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 11:25:28 -0000

SUIT Working Group

On Monday, the SUIT WG held their first face-to-face meeting.

The WG adopted draft-moran-suit-architecture as the starting point for
the architecture document.  The WG discussed the addition of three modes
to the document:

  1) the manifest and the firmware are pushed to the client;

  2) client pulls the manifest and the firmware; and

  3) the manifest is pushed to the client, and then the client
     pulls the firmware.

An information model will be removed from the architecture document and
placed in a document of its own.

The WG discussed draft-suit-moran-manifest, which was recently updated
to use CBOR and COSE.

The Hackathon included a project related to SUIT, and the participants
reported that they could only find a single cryptographic library that
implemented COSE digital signatures.  More work is needed if the COSE
format is going to be widely implemented.


From nobody Tue Mar 20 04:30:47 2018
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F4701200F1 for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:30:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level: 
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.723, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LyvQtrrYDDue for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:30:44 -0700 (PDT)
Received: from mail-wm0-x232.google.com (mail-wm0-x232.google.com [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08049126DED for <saag@ietf.org>; Tue, 20 Mar 2018 04:30:44 -0700 (PDT)
Received: by mail-wm0-x232.google.com with SMTP id h21so2701813wmd.1 for <saag@ietf.org>; Tue, 20 Mar 2018 04:30:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=to:from:subject:message-id:date:user-agent:mime-version :content-language:content-transfer-encoding; bh=4hXCqjd9oqYBKtkBfe1IUDoZ5//kT6VA2GJ3OW5dkJ0=; b=CvZaaFCQ7JFcIgPDtbpGyJZ5MeJ7gZ3iQqAyy60uSzhRd+D3Kh1hna0npaRoUkUBAs RCQhLYj10CtX5+cUprSyq4Gv1GdjQwkOBP4imD+LUFrUYSAzZO3hKPpNhuSQA5rUHzrD 9jlLtCnqpdz3Fqzf72qBK1Txgda4sobhqMkpD05teaJuYMQiluWnHiVij+mI3X75gYPo EM9TrkI08sgk2Npc0bztUx6CLmQkPwhpR5aWupE2nhpLP+N8gSnQYyGOjnoyu+HJaM8t JpY/gFa9Z09GDqGChbNSd4eZfZ0VR41Q6zOhKXxLKEr+bV+wNHi+3eCeoGOh3LbZ0sSP SDIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-language:content-transfer-encoding; bh=4hXCqjd9oqYBKtkBfe1IUDoZ5//kT6VA2GJ3OW5dkJ0=; b=I5uPb6pEp/qEYE0jp/aPDh8DwKJ2PeYkIfvWAHTwe1En20tpiRSWp+mURJoo+uwibj jX6Ur8B6Np/XEyidIkeuyN9gH0sBECWLyPxo3dPlwbWZrUnpxNDLjzFBDdPnvpYg23tK 1J44A7FKj/A4mJs/k0W7sp7vsWrmvzj/qCsjJpeGKM15puKN9jXvvwrZXQbgexLgxhPb xLNtUzf+Hb9Y67MDattdiNdQVULIfZQr1TxeBdl+9jCR8ZiOxsawCu1OkLGT5DnAl6aJ bXDRlq0V5W2XFPkoJIip0YU48tJXXw4d4iLE/yOrI6/A2ORJb8x2iEuG35AGoKdAFZF9 gTiA==
X-Gm-Message-State: AElRT7HhsI6ZQhPQy+ZwJ40usJulL0Z69krvKsMUO+ERv2djddsitNet TfOBm7uMouPpoCwGp8Zm/FK7xOHy
X-Google-Smtp-Source: AG47ELs3xdAA4xTY6rbw3+271b5v2o/+Ui2du8AJt+X35bbpgKKSm3fZtMR2fcXxTjNhh16eHkoGCg==
X-Received: by 10.28.220.2 with SMTP id t2mr1959231wmg.21.1521545442186; Tue, 20 Mar 2018 04:30:42 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:128:11fb:f307:5bab:e324? ([2001:67c:370:128:11fb:f307:5bab:e324]) by smtp.gmail.com with ESMTPSA id b9sm1233376wrc.85.2018.03.20.04.30.41 for <saag@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Mar 2018 04:30:41 -0700 (PDT)
To: saag@ietf.org
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <c33835a2-c418-b72c-7029-e4bfc034711f@gmail.com>
Date: Tue, 20 Mar 2018 11:30:40 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/q6g8Rt-Z3qayDybYgOy8JGWdZMw>
Subject: [saag] SecEvent WG summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 11:30:46 -0000

<html style="direction: ltr;">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    <style type="text/css">body p { margin-bottom: 0cm; margin-top: 0pt; } </style>
  </head>
  <body bidimailui-charset-is-forced="true" style="direction: ltr;"
    text="#000000" bgcolor="#FFFFFF">
    Our meeting this week will take place Friday, first session, so
    after SAAG.<br>
    <br>
    We recently sent the SET format I-D to our incoming AD, and the
    meeting on Friday will focus on the next layer up the stack, SET
    delivery through a REST API.<br>
    <br>
    Thanks,<br>
            Yaron<br>
    <br>
  </body>
</html>


From nobody Tue Mar 20 04:40:45 2018
Return-Path: <krose@krose.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6975126DFB for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:40:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ok45uunhnCHz for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:40:42 -0700 (PDT)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17F92126DC2 for <saag@ietf.org>; Tue, 20 Mar 2018 04:40:42 -0700 (PDT)
Received: by mail-qt0-x232.google.com with SMTP id n12so1161938qtl.5 for <saag@ietf.org>; Tue, 20 Mar 2018 04:40:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=k+yIt1bmalE+MaVErHJN0hJLe+vW4cWrP9rmtlD4qcA=; b=FaMtSkzpW8x7w4OnfMormhrsOq5M2azxwxy0R9p2VKSUM1MCzhizfmZz3exQ0ViBeE jLjH/mnxNX3sAagsKh+Lrl/N/1xjHLZCiDAnrMY4n7Gv1IkeAo8eWFqky6m/hexz0PgP Z3f1XjoZIWgqpHbtMZcQrEOd8jYSKkAFOOvRU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=k+yIt1bmalE+MaVErHJN0hJLe+vW4cWrP9rmtlD4qcA=; b=jEXgo7kZx4z8QAqPS4ir+pf3cUW7G77gW07nP0lwZ9HrsGTZq6JerVuS7ZRiCnfhfz fk+nPuWw/E/1gzk6ycdwqWKUTx3OLIHoey+PFpTIk3TkyiWgW3Gm/wCz7xOW5YhvZ/+L PxrLk3lhnqV2QFHlTOP7Rm/X9LLpdjD07T29kzrFmT+WcWN52O7W55C2drCgDiYabGj4 e6gzHGOoSA5tFt9bBsdTAx3pp17No2PXCnZCozXrC5orZKS7mF+kYR/ywIdbL1mjWlrJ zyL2P/mK2Dp33GVHoL4dsm6vt+A1qv5EqjRebJ9Vb5tiCsRLyZUJBHAutUrqHGCxXJ8c dFSw==
X-Gm-Message-State: AElRT7GuvndyXFsNfGVGRwcRuwTF1lmzUbPTD9yb6uIt6HmYEZZH45yw TMfETtRDai9FpxS2Ae22VXpoV5vYqU826GxDEDUM2Rf4doE=
X-Google-Smtp-Source: AG47ELvx9nzQHSC6rsSLXNxaOEUJiQfH3mkNss0E/2Zx3DGZYXpRhAyx3vHXcKC3/JwHRo7ubwxVQLx2ZfZc1IFgRvE=
X-Received: by 10.237.55.33 with SMTP id i30mr23978650qtb.340.1521546038181; Tue, 20 Mar 2018 04:40:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.215.204 with HTTP; Tue, 20 Mar 2018 04:40:37 -0700 (PDT)
X-Originating-IP: [2001:67c:1232:144:6593:e906:4824:a547]
From: Kyle Rose <krose@krose.org>
Date: Tue, 20 Mar 2018 11:40:37 +0000
Message-ID: <CAJU8_nVqfG1XEp2Co-CQ=jyeUnqOxz4fh7faHCxsFpG=Z4bW4A@mail.gmail.com>
To: saag@ietf.org, tcpinc-chairs@ietf.org
Content-Type: multipart/alternative; boundary="001a113758481d9a190567d68b8b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ZGFyRvh-dh50qpQlBs5w3dXNI6Q>
Subject: [saag] TCPINC report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 11:40:44 -0000

--001a113758481d9a190567d68b8b
Content-Type: text/plain; charset="UTF-8"

TCPINC did not meet at IETF 101.

Of the two main drafts, TCP-ENO has been approved for publication and is
pending a writeup. Tcpcrypt has an open discuss point pending a resolution
by the authors. The remaining milestone is to complete and request
publication of an informational abstract API draft.

--001a113758481d9a190567d68b8b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>TCPINC did not meet at IETF 101.<br><br>Of the two ma=
in drafts, TCP-ENO has been approved for publication and is pending a write=
up. Tcpcrypt has an open discuss point pending a resolution by the authors.=
 The remaining milestone is to complete and request publication of an infor=
mational abstract API draft.<br><br></div></div>

--001a113758481d9a190567d68b8b--


From nobody Tue Mar 20 04:51:34 2018
Return-Path: <daniel.migault@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D69A12D892 for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:51:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.29
X-Spam-Level: 
X-Spam-Status: No, score=-4.29 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OdkH0Wbo7YoK for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:51:24 -0700 (PDT)
Received: from usplmg21.ericsson.net (usplmg21.ericsson.net [198.24.6.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02E5F127419 for <saag@ietf.org>; Tue, 20 Mar 2018 04:51:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1521546675; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=8iBZrb3N2I9pxtSFRp0oVN944xy8AeLW4DC2dY+Wg38=; b=BpSUSrPhLwEKzCZAZn62O2P72Y6a6+bamvAOvVqDWnjQS/iBXmLbfYr1PEU5qgtY 1rk1drQqF9aD4HV2u+V+fffu0nHlskXJX1FJbtF7wIM36Yu3mUuGNzPv+/tz8Mzi oqBvGNl7otMG82GHP5V5MRH9r4mWH4xlA/VSpx0d1E4=;
X-AuditID: c6180641-81dff70000007a40-e3-5ab0f5b3ecd4
Received: from EUSAAHC003.ericsson.se (Unknown_Domain [147.117.188.81]) by usplmg21.ericsson.net (Symantec Mail Security) with SMTP id E6.86.31296.3B5F0BA5; Tue, 20 Mar 2018 12:51:15 +0100 (CET)
Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC003.ericsson.se ([147.117.188.81]) with mapi id 14.03.0382.000; Tue, 20 Mar 2018 07:51:14 -0400
From: Daniel Migault <daniel.migault@ericsson.com>
To: "saag@ietf.org" <saag@ietf.org>
CC: curdle-chairs <curdle-chairs@ietf.org>
Thread-Topic: [saag] SecEvent WG summary
Thread-Index: AQHTwD7r0wGhuDudd0CaUrvRvzgmf6PY/5Eg
Date: Tue, 20 Mar 2018 11:51:14 +0000
Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C118DF4118@eusaamb107.ericsson.se>
References: <c33835a2-c418-b72c-7029-e4bfc034711f@gmail.com>
In-Reply-To: <c33835a2-c418-b72c-7029-e4bfc034711f@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [147.117.188.217]
Content-Type: multipart/alternative; boundary="_000_2DD56D786E600F45AC6BDE7DA4E8A8C118DF4118eusaamb107erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrPLMWRmVeSWpSXmKPExsUyuXRPoO7mrxuiDFpb5S1m9mxgtpjS38nk wOSxZMlPpgDGKC6blNSczLLUIn27BK6MtZ9PsBZs0a7Yv3ASWwPjBK0uRk4OCQETiTUfVrN3 MXJxCAkcYZTY0L2TCcJZzijxbPFcJpAqNgEjibZD/ewgtoiAssTyP8/BbGYBLYnXm46wgNjC AuoS13p3MHYxcgDVaEh8flMNUW4ksXVCE9gYFgFViS87l7OBlPAK+ErMOwwWFhKwkfh/8xEr SJhTwFbi4lEJkDCjgJjE91NrmCAWiUvcejKfCeJkAYkle84zQ9iiEi8f/2OFsJUl+q6dhTos X2LBtL1g9bwCghInZz5hmcAoMgvJqFlIymYhKZsFdAWzgKbE+l36ECWKElO6H7JD2BoSrXPm siOLL2BkX8XIUVpckJObbmS4iREYLcck2Bx3MO7t9TzEKMDBqMTDO/3Lhigh1sSy4srcQ4wS HMxKIrzq0UAh3pTEyqrUovz4otKc1OJDjNIcLErivOc8eaOEBNITS1KzU1MLUotgskwcnFIN jFtbC4N7tM9I2tjPTXPbfTU1zuG17I1vams2PfCOOd7a80NxT/U1kzrZ9gzmKxnuh2REFtw8 +nVJULE8k5Vtom2txpK4ixcZrTd6b/6vo3wgtcJLeavTnBPXgrenGzYw6PC2tFvPld4ocjqs 9di3Xv1X39L3cDDNMaqtejM1dvkFTsaP53afVGIpzkg01GIuKk4EAEPtH6iSAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5-R_pcjliNvbO8nZzdZm_d7DvKQ>
Subject: Re: [saag] SecEvent WG summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 11:51:32 -0000

--_000_2DD56D786E600F45AC6BDE7DA4E8A8C118DF4118eusaamb107erics_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_2DD56D786E600F45AC6BDE7DA4E8A8C118DF4118eusaamb107erics_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_2DD56D786E600F45AC6BDE7DA4E8A8C118DF4118eusaamb107erics_--


From nobody Tue Mar 20 04:52:36 2018
Return-Path: <daniel.migault@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAF70126D85 for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.29
X-Spam-Level: 
X-Spam-Status: No, score=-4.29 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rt6r1rsekfGN for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 04:52:26 -0700 (PDT)
Received: from usplmg21.ericsson.net (usplmg21.ericsson.net [198.24.6.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 67F0B12D878 for <saag@ietf.org>; Tue, 20 Mar 2018 04:52:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1521546737; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=A1W54elCnGOKiZQBXk0sbJM7Z04kRpiyV/W+uDrdmBc=; b=IOsf3bKEXODk5fWzaP+Cods0+LfONOKS6Fz2VjIxRKEyX6Jtc2LTN+9OgmiAaxRb X5+IxELxiYU2eO+W6gGvzbS3LHL3aYDXUi0yAYuIpwPZrCeUBYJNmLsjxNaY7/Zw ixmi1RrSf5SnUQ53PODX87o93gIcIcdzEFSslgj26bo=;
X-AuditID: c6180641-81dff70000007a40-4f-5ab0f5f19b19
Received: from EUSAAHC004.ericsson.se (Unknown_Domain [147.117.188.84]) by usplmg21.ericsson.net (Symantec Mail Security) with SMTP id 32.A6.31296.1F5F0BA5; Tue, 20 Mar 2018 12:52:17 +0100 (CET)
Received: from EUSAAMB107.ericsson.se ([147.117.188.124]) by EUSAAHC004.ericsson.se ([147.117.188.84]) with mapi id 14.03.0382.000; Tue, 20 Mar 2018 07:52:16 -0400
From: Daniel Migault <daniel.migault@ericsson.com>
To: "'saag@ietf.org'" <saag@ietf.org>
CC: 'curdle-chairs' <curdle-chairs@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>
Thread-Topic: Curdle WG summary
Thread-Index: AdPAQdIfv1MpU0vaQSSntF6R9gYc6A==
Date: Tue, 20 Mar 2018 11:52:16 +0000
Message-ID: <2DD56D786E600F45AC6BDE7DA4E8A8C118DF4129@eusaamb107.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [147.117.188.217]
Content-Type: multipart/alternative; boundary="_000_2DD56D786E600F45AC6BDE7DA4E8A8C118DF4129eusaamb107erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrHLMWRmVeSWpSXmKPExsUyuXRPiO7HrxuiDD59kLaY2bOB2WLrwlnM FlP6O5kcmD2WLPnJFMAYxWWTkpqTWZZapG+XwJXRvfQXc8EFuYqWH5UNjDdkuxg5OSQETCS2 /Gpn7GLk4hASOMIosXT9VxYIZzmjxMOXq5lBqtgEjCTaDvWzg9giAqoSPXfbWEBsZoFgicOL 54HFhQWkJOZ+2ckGUSMv8bZnCyOErSdx9O9qMJsFqHfT9vdgNq+Ar8SqtavAehkFxCS+n1rD BDFTXOLWk/lMENcJSCzZc54ZwhaVePn4HyuErSzRd+0sO0R9vsS+3h4miJmCEidnPmGZwCg0 C8moWUjKZiEpm8XIARTXlFi/Sx+iRFFiSvdDdghbQ6J1zlx2ZPEFjOyrGDlKiwtyctONDDcx AmPhmASb4w7Gvb2ehxgFOBiVeHinf9kQJcSaWFZcmXuIUYKDWUmEVz0aKMSbklhZlVqUH19U mpNafIhRmoNFSZz3nCdvlJBAemJJanZqakFqEUyWiYNTqoGRM8+1/LxwzPRW33V7LzhcXlqb +be80zF9qv7BKX1aee3cEpxHf5hKq+178U9wgUL7QrYtn+XCzSel2st61X8+ktWa2XPxvpfA Y9nsG7XcTzpPxR6vCZi3yeSpS3jr7fzsmNv3oxWmHOd8rN/ouq5jrbdQbWdWfrYcg3w2e+vS qEPxcdoF/5VYijMSDbWYi4oTAeUlnA6BAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/58dq7H4F88bC6V5FvHC7H5PvT7A>
Subject: [saag] Curdle WG summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 11:52:35 -0000

--_000_2DD56D786E600F45AC6BDE7DA4E8A8C118DF4129eusaamb107erics_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64

Q3VyZGxlIGRvZXMgbm90IG1lZXQgdGhpcyBtZWV0aW5nLiBUaGVyZSBhcmUgdHdvIHJlbWFpbmlu
ZyBkb2N1bWVudHMgdG8gYmUgc2VudCB0byB0aGUgSUVTRyBhbmQgd2UgZXhwZWN0IHRoZSB3b3Jr
IHRvIGJlIGRvbmUgYnkgbmV4dCBJRVRGIG1lZXRpbmcuDQpZb3VycywNCkRhbmllbA0KDQo=

--_000_2DD56D786E600F45AC6BDE7DA4E8A8C118DF4129eusaamb107erics_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_2DD56D786E600F45AC6BDE7DA4E8A8C118DF4129eusaamb107erics_--


From nobody Tue Mar 20 06:11:58 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2974C124B17 for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 06:11:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id whQinz-Ku8pe for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 06:11:49 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F93C12DA73 for <saag@ietf.org>; Tue, 20 Mar 2018 06:11:49 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w2KDBhcZ007870 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <saag@ietf.org>; Tue, 20 Mar 2018 15:11:43 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w2KDBhKj004075; Tue, 20 Mar 2018 15:11:43 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23217.2191.213847.199470@fireball.acr.fi>
Date: Tue, 20 Mar 2018 15:11:43 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: saag@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 6 min
X-Total-Time: 9 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/TOc0mF9ZkzxGIOJaZ_NJDEHBxf4>
Subject: [saag] IPsecME WG Summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 13:11:52 -0000

IPsecME will be meeting in the last slot on Friday, so after SAAG.

We have quite a full agenda. We have two documents ready (ipsec-eddsa in
the RFC Editor queue and split-dns in the publication requested state).

We have two other drafts almost ready for publication (implicit-iv and
qr-ikev2).

Those are the last items in our charter, so we are now rechartering to add
new items, and we have finished the discussions about the new charter.
The charter is now ready to be put forward.

During the meeting we will start talking about the new items added to the
charter (postquantum key exchange, labeled IPsec, Group Key
Management) and some items not yet in the charter (Privacy concerns and
PMTU PLPMTUD). 
-- 
kivinen@iki.fi


From nobody Tue Mar 20 06:57:34 2018
Return-Path: <derek@ihtfp.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
From: Derek Atkins <derek@ihtfp.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF SAAG <saag@ietf.org>
References: <6CB16E6F-7EA7-4762-8A23-3DF2D9D1363F@vigilsec.com>
Date: Tue, 20 Mar 2018 09:57:12 -0400
In-Reply-To: <6CB16E6F-7EA7-4762-8A23-3DF2D9D1363F@vigilsec.com> (Russ Housley's message of "Tue, 20 Mar 2018 07:25:28 -0400")
Message-ID: <sjmbmfiyhmv.fsf@securerf.ihtfp.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gvjwPwmhiR-IFSlohuw34_SCYpc>
Subject: Re: [saag] SUIT WG Summary

Russ Housley <housley@vigilsec.com> writes:

[snip]
> The Hackathon included a project related to SUIT, and the participants
> reported that they could only find a single cryptographic library that
> implemented COSE digital signatures.  More work is needed if the COSE
> format is going to be widely implemented.

In case it matters, my company has a COSE signature implementation, but
it's not open-source.

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant


From nobody Tue Mar 20 07:18:07 2018
Sender: Matthew Miller <linuxwolf@outer-planes.net>
To: saag@ietf.org
From: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Message-ID: <41f4cc83-d09c-ca1a-174a-b5942c6f2af7@outer-planes.net>
Date: Tue, 20 Mar 2018 14:18:00 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Vwe10214-zxA7x_t1asEfMRXlK0>
Subject: [saag] Kitten WG Summary

The kitten working group is not meeting in London.

Ben ascends to Security AD and leaves the chair duties of this working
group behind.  Thank you and congratulations, Ben!

The working group is discussing its continued existence.  The outcome of
that discussion determines how its active documents progress forward.
Regardless of the outcome of the existence discussion, the mailing list
is expected to stay open.


-- 
- m&m

Matthew A. Miller


From nobody Tue Mar 20 08:17:57 2018
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 20 Mar 2018 11:17:14 -0400
Message-ID: <CAHbuEH6UMvY7dDD3Fzff0gDgc3LHVC6shCeHNUANUeriXq_xsw@mail.gmail.com>
To: saag@ietf.org
Cc: "<sec-ads@ietf.org>" <sec-ads@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/yvrFD5gGDyquEwbLzvxPtB4FfJI>
Subject: [saag] Minutes and jabber volunteers

Hello,

Please let the SecADs know if you are willing to take minutes or be
the jabber scribe on Thursday.  Thanks in advance.

-- 

Best regards,
Kathleen


From nobody Tue Mar 20 09:17:59 2018
Date: Tue, 20 Mar 2018 12:17:51 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: saag@ietf.org
Message-ID: <alpine.LRH.2.21.1803201209480.536@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/pYMwSGXJCbGZOmC9C0q3JqfCcGM>
Subject: [saag] trans report

The trans group is not meeting this week.

The 6962bis document was updated, and we are waiting to see if there are
any issues left. We are hopeful this can go to Last Call, especially
since most major players in this ecosystem have given their input now.

To aid DNSSEC transparency, a new draft was submitted a few days ago to
make this more feasible and we will see how this is received in the next
little while. This work is happening in the dnsops working group. Once
we have some idea of how well it is received, work can be done on dnssec
transparency, but we probably don't need to keep the WG open for that.

The gossip draft just missed being submitted before the cut-off and
should appear soon.

We're slowly moving towards closing down the group.

Paul & Melinda


From nobody Tue Mar 20 11:30:44 2018
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "saag@ietf.org" <saag@ietf.org>
Date: Tue, 20 Mar 2018 18:30:38 +0000
Message-ID: <95577E32-2A2F-49DA-B613-8A6AC3F70336@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/DYAEODzCIgtLITurNkXH7GoXIrw>
Subject: [saag] TEEP report



From nobody Tue Mar 20 15:17:00 2018
From: Roman Danyliw <rdd@cert.org>
To: "saag@ietf.org" <saag@ietf.org>
Date: Tue, 20 Mar 2018 22:16:49 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C36B492@marathon>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Bgey0Z4yFnp-YlKolM_fG6H9Mds>
Subject: [saag] SECDISPATCH WG Summary from IETF 101

The SECDISPATCH WG met on Tuesday morning.  The items were dispatched as follows:

** draft: draft-foudil-securitytxt-03 -- AD-sponsorship

** draft: draft-nir-saag-star-01 -- bring to the LAMPS WG

** draft-housley-cms-mts-hash-sig-08 -- bring to the LAMPS WG

** draft: draft-birk-pep-trustwords-00 -- describe scope/problem statement to SAAG/SECDISPATCH mailing lists

** draft-friel-tls-atls-00 -- requires ART-SEC AD discussion for next steps


From nobody Tue Mar 20 15:55:49 2018
To: Roman Danyliw <rdd@cert.org>, "saag@ietf.org" <saag@ietf.org>
References: <359EC4B99E040048A7131E0F4E113AFC014C36B492@marathon>
From: Fernando Gont <fgont@si6networks.com>
Message-ID: <19748a07-9922-6fcf-d389-b7792eff473b@si6networks.com>
Date: Tue, 20 Mar 2018 22:55:34 +0000
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC014C36B492@marathon>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sekN4faLIgI6b60EG-B_c_-tO5Y>
Subject: Re: [saag] SECDISPATCH WG Summary from IETF 101

Hello, Roman,

I had requested agenda time for the secdispatch session, but didn't get
a slot or a response about it.

Any clues?

Thanks,
Fernando




On 03/20/2018 10:16 PM, Roman Danyliw wrote:
> The SECDISPATCH WG met on Tuesday morning.  The items were dispatched as follows:
> 
> ** draft: draft-foudil-securitytxt-03 -- AD-sponsorship
> 
> ** draft: draft-nir-saag-star-01 -- bring to the LAMPS WG
> 
> ** draft-housley-cms-mts-hash-sig-08 -- bring to the LAMPS WG
> 
> ** draft: draft-birk-pep-trustwords-00 -- describe scope/problem statement to SAAG/SECDISPATCH mailing lists
> 
> ** draft-friel-tls-atls-00 -- requires ART-SEC AD discussion for next steps
> 
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
> 


-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492





From nobody Tue Mar 20 17:12:40 2018
Date: Tue, 20 Mar 2018 19:12:28 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Fernando Gont <fgont@si6networks.com>
Cc: Roman Danyliw <rdd@cert.org>, "saag@ietf.org" <saag@ietf.org>
Message-ID: <20180321001228.GX55745@kduck.kaduk.org>
References: <359EC4B99E040048A7131E0F4E113AFC014C36B492@marathon> <19748a07-9922-6fcf-d389-b7792eff473b@si6networks.com>
In-Reply-To: <19748a07-9922-6fcf-d389-b7792eff473b@si6networks.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ZaAjOhJcU0dh9AXzAnt2umjMtx8>
Subject: Re: [saag] SECDISPATCH WG Summary from IETF 101

On Tue, Mar 20, 2018 at 10:55:34PM +0000, Fernando Gont wrote:
> Hello, Roman,
> 
> I had requested agenda time for the secdispatch session, but didn't get
> a slot or a response about it.
> 
> Any clues?

There was the exchange about WG adoption not being a possible route,
which could perhaps have been confused as indicating that a timeslot
was not needed at all during a quick re-read of the mail archive.

But that's a pretty tiny clue...

-Ben


From nobody Tue Mar 20 17:15:06 2018
Return-Path: <rdd@cert.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 618E512D77D for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 17:15:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6G8EHdwbXhx5 for <saag@ietfa.amsl.com>; Tue, 20 Mar 2018 17:15:03 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B1F812D0C3 for <saag@ietf.org>; Tue, 20 Mar 2018 17:15:03 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w2L0F2nb029604; Tue, 20 Mar 2018 20:15:02 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu w2L0F2nb029604
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1521591302; bh=KWToMSyaniFRMOMP2aQRyQ28AUNXLWHFDCDNHVvtn7Q=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=kNiEzrmqho9IG6E6TflCD63a8Op4isd6Zl4pMTSptzhtYcgkfLeg5O6PwMHb1ik2k daW9ZjdT5iPs7Vt3HAlMxu+kl223HMFdjPpQlN/UX80IU3vegBHSfWC/F8ZL8+kfYs Ox63XXXd5IP4OgKNlpNOo3PbfDWT4OMgZer7h8Z8=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w2L0F1Nw033391; Tue, 20 Mar 2018 20:15:01 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0361.001; Tue, 20 Mar 2018 20:15:01 -0400
From: Roman Danyliw <rdd@cert.org>
To: Fernando Gont <fgont@si6networks.com>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] SECDISPATCH WG Summary from IETF 101
Thread-Index: AdPAmP+UPxv6/OKzTQCQBeavpLrUTwAJxVEAAAefhAA=
Date: Wed, 21 Mar 2018 00:15:00 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C36B5CA@marathon>
References: <359EC4B99E040048A7131E0F4E113AFC014C36B492@marathon> <19748a07-9922-6fcf-d389-b7792eff473b@si6networks.com>
In-Reply-To: <19748a07-9922-6fcf-d389-b7792eff473b@si6networks.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/eqDkpGAY2CCLTPyim0xBekBlnNQ>
Subject: Re: [saag] SECDISPATCH WG Summary from IETF 101
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2018 00:15:05 -0000

Hello Fernando!

> -----Original Message-----
> From: Fernando Gont [mailto:fgont@si6networks.com]
> Sent: Tuesday, March 20, 2018 6:56 PM
> To: Roman Danyliw <rdd@cert.org>; saag@ietf.org
> Subject: Re: [saag] SECDISPATCH WG Summary from IETF 101
> 
> Hello, Roman,
> 
> I had requested agenda time for the secdispatch session, but didn't get a slot
> or a response about it.
> 
> Any clues?

Apologies are in order.  Your request was on the secdispatch list [1].  You should have gotten a time slot.  When collating the requests on the list to produce the draft agenda, I missed yours.  Compounding the matter, this omission was not caught during the draft agenda review [2] or during the meeting's agenda bashing.

Bottom line, I mistakenly omitted your request when making the agenda.  Sorry for this error and that you missed the opportunity to present your work at this meeting as a result.

Regretfully, as we have concluded the meeting for IETF 101, all the WG can offer is a slot at IETF 102.

Regards,
Roman

[1] https://www.ietf.org/mail-archive/web/secdispatch/current/msg00006.html
[2] https://www.ietf.org/mail-archive/web/secdispatch/current/msg00011.html

> Thanks,
> Fernando
> 
> 
> 
> 
> On 03/20/2018 10:16 PM, Roman Danyliw wrote:
> > The SECDISPATCH WG met on Tuesday morning.  The items were dispatched
> as follows:
> >
> > ** draft: draft-foudil-securitytxt-03 -- AD-sponsorship
> >
> > ** draft: draft-nir-saag-star-01 -- bring to the LAMPS WG
> >
> > ** draft-housley-cms-mts-hash-sig-08 -- bring to the LAMPS WG
> >
> > ** draft: draft-birk-pep-trustwords-00 -- describe scope/problem
> > statement to SAAG/SECDISPATCH mailing lists
> >
> > ** draft-friel-tls-atls-00 -- requires ART-SEC AD discussion for next
> > steps
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag
> >
> 
> 
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont@si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
> 
> 
> 
> 


From nobody Wed Mar 21 04:10:01 2018
Return-Path: <rdd@cert.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2109212D960 for <saag@ietfa.amsl.com>; Wed, 21 Mar 2018 04:10:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ETwT24N9edU for <saag@ietfa.amsl.com>; Wed, 21 Mar 2018 04:09:58 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A98D8127023 for <saag@ietf.org>; Wed, 21 Mar 2018 04:09:58 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w2LB9vme009837 for <saag@ietf.org>; Wed, 21 Mar 2018 07:09:57 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu w2LB9vme009837
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1521630597; bh=tOS2yr/oSwh6SqK+bG7ufCs8Lk0mxRmH9rjkFTng45w=; h=From:To:Subject:Date:From; b=JdlJtnzjiO2+qLcrIrgTgZQMV07tVsy2JctbIcWLZA3vEhaI2OMF+J2d6RYZJADe3 lQXTtZY6CnNUk7kWneTCNL24KW1mYZzO82pRULDALIIArShRPHVLEjjc7ouQ0r9Ny0 /32TDQQ5mqdYyL8AOFpQL1pkeiLZLpV06m2a51rg=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w2LB9rY1020633 for <saag@ietf.org>; Wed, 21 Mar 2018 07:09:53 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0361.001; Wed, 21 Mar 2018 07:09:53 -0400
From: Roman Danyliw <rdd@cert.org>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: DOTS WG Summary from IETF 101
Thread-Index: AdPBAA4wo46/OGBOSE2lcEnwYfwVqw==
Date: Wed, 21 Mar 2018 11:09:52 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C36BA18@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/9gN06TUhu6OnL3yWI9LC6Knqbtg>
Subject: [saag] DOTS WG Summary from IETF 101
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2018 11:10:00 -0000

The DOTS WG met on Tuesday afternoon.

The WG heard the results of interoperability testing conducted at the Hackathon.  This event and implementer reports identified issues in the specifications and highlighted challenges with the underlying protocol libraries.

Based on WG consensus, the requirements [1] and signal channel specification [2] drafts entered WGLC after the meeting.

Progress and remaining issues in the architecture [3] and data channel specification [4] drafts were discussed.

A simplified editorial approach was adopted for a nearly complete use case draft [5].

[1] https://datatracker.ietf.org/doc/draft-ietf-dots-requirements/
[2] https://datatracker.ietf.org/doc/draft-ietf-dots-signal-channel/
[3] https://datatracker.ietf.org/doc/draft-ietf-dots-architecture/
[4] https://datatracker.ietf.org/doc/draft-ietf-dots-data-channel/
[5] https://datatracker.ietf.org/doc/draft-ietf-dots-use-cases/


From nobody Wed Mar 21 06:08:27 2018
Return-Path: <director@openca.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3115127522; Wed, 21 Mar 2018 06:08:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level: 
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_DR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s0L-3k7su82F; Wed, 21 Mar 2018 06:08:12 -0700 (PDT)
Received: from mail.katezarealty.com (mail.katezarealty.com [104.168.158.213]) by ietfa.amsl.com (Postfix) with ESMTP id D921F12DA13; Wed, 21 Mar 2018 06:08:11 -0700 (PDT)
Received: from localhost (unknown [127.0.0.1]) by mail.katezarealty.com (Postfix) with ESMTP id B63423741012; Wed, 21 Mar 2018 13:08:11 +0000 (UTC)
X-Virus-Scanned: amavisd-new at katezarealty.com
Received: from mail.katezarealty.com ([127.0.0.1]) by localhost (mail.katezarealty.com [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 7Z5D7AxZjq-Q; Wed, 21 Mar 2018 09:08:09 -0400 (EDT)
Received: from dhcp-98fb.meeting.ietf.org (dhcp-98fb.meeting.ietf.org [31.133.152.251]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.katezarealty.com (Postfix) with ESMTPSA id BECD53741011; Wed, 21 Mar 2018 09:08:08 -0400 (EDT)
To: LAMPS <spasm@ietf.org>, "saag@ietf.org" <saag@ietf.org>, PKIX <pkix@ietf.org>
From: "Dr. Pala" <director@openca.org>
Organization: OpenCA Labs
Message-ID: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org>
Date: Wed, 21 Mar 2018 13:08:07 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000404000703020301010105"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/CUeBD-pEr2THcC40mYacTePalG4>
Subject: [saag] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2018 13:08:15 -0000

This is a cryptographically signed message in MIME format.

--------------ms000404000703020301010105
Content-Type: multipart/alternative;
 boundary="------------1419891C6CABA6A3536CA3B5"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------1419891C6CABA6A3536CA3B5
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Hi all,

unfortunately I missed the sec-dispatch session, but I have some
important considerations about the document. In general, short-lived
certificates have been around for many years and for many different
applications (nothing new here); however, nobody who has been working
with PKI long enough would actually make the case that the security
levels of short-lived-no-revo and any-lived-plus-revo are the same
(which seems to be the leitmotif of the presentation and the document itself).

Other aspects that I think shall be revisited are the lack of
considerations about the usability of deployed infrastructures (when no
revocation is assumed) and some wrong considerations in the document
about validity periods of OCSP Responses and CRLs (that clearly
undermine the equivalence claim).

_*Equivalence of Short-Lived w/out Rev Support and Any-Lived w/ Rev
Support*_

The statement that made me jump in my seat is the claim that
short-lived certificates without revocation support (BTW, short-lived
does not necessarily exclude revocation support) and certificates
(short-lived or not) vs. any-lived certificates with revocation support
have the same level of security as long as the validity period of the
short-lived ones is equal to or shorter than the CRL or OCSP validity. I
find this quite a puzzling statement. For one, there should be
considerations about the fact that if a key is compromised and it is
used by a malicious entity to attack/disrupt/etc. another entity, the
rightful owner of the certificate does not have any possibility to prove
that someone else did it - there is no authenticated trail (OCSP
response or CRL) that can be used in this case and this can lead, in
some environments, to legal implications. I am curious about how the
authors address this point; maybe some considerations shall be made here.

Also the claim that:

    " it is hard to justify why the CA or a delegate needs to both sign
    blob-1 (the certificate) and also sign blob-2 (the CRL or OCSP
    response) to tell relying parties that blob-1 is still valid."

is quite curious and, I might say, misleading. Although the revocation
status (either in the form of an OCSP response or a CRL) does not provide
additional information besides the validity when the certificate is not
revoked, it does provide quite a lot of useful information when the
certificate is revoked (e.g., when a compromise happened, the reason
for revocation - e.g., key compromise, a person has left the
organization, a HW token is broken, etc.). I would prefer the authors to
explain what they mean in a more extensive and engineering-appropriate
form. This is further evidence that the two systems are definitely NOT
equivalent from a security perspective.

Another example of the fact that some form of revocation is still
needed comes from the document itself (thus contradicting, IMO, the main
claim of the document - 5.1):

    "No matter how short-term these short term certificates are, there
    is a certain window of time when the attacker can use the
    certificate. This can often be mitigated with application-level
    measures."

This is "application-level measures == application-level revocation".
This means that now, instead of having standardized ways to check for
the status of certificates, each application needs to implement a way to
deal with it on an ad-hoc basis and be able to distribute this
information securely to all relying parties. Undoubtedly, for anybody who
has ever had to deal with such problems, this becomes a quite costly and
intractable problem very quickly. Maybe some considerations about this
should be added in the document as well.

_*Usability of Deployed Infrastructures*_

One important section that is missing is: what do these no-revocation
PKIs look like? There are basically two main choices here:

 1. Deploy a 2-level-only PKI. That means having a Trust Anchor that
    directly issues the EE certificates. Besides all security
    considerations about TAs being online (as required in short-lived
    environments), this makes it very difficult to deploy. *Important
    considerations should be made in this case.*

 2. Deploy a 3+ level PKI (current best practice). This approach
    involves having (usually one) intermediate CA (there can be more).
    In this case, the TAs issue the intermediate CAs' certificates and
    the last intermediate CAs issue the EE ones. Obviously, intermediate
    CAs cannot have the same short validity period as the EE certs,
    therefore the need for revocation (at least at the intermediate CA
    level) is evident. *Important considerations shall be made also in
    this case.*

*Wrong Considerations about CRLs and OCSP Responses validity periods*

In the document, statements like the following shall be fixed and
expanded for clarity:

    "If a CRL has a nextUpdate field that is 4 days in the future, a
    typical system will not attempt to fetch a new one before those 4
    days have elapsed."

And then it continues by stating the following:

    "For this reason, moving to STAR certificates provides a similar
    level of security to what is generally practiced on the web."

Since the first statement is incomplete and, thus, misleading, the
second statement does not hold. Let me explain further for the people
who are not familiar with how CRLs and OCSP are processed. Although
there is a validity period for revocation information, it is well-known
that the expiration field indicates the time "within which new revocation
status information will be made available" and NOT "this is the
revocation status of the target certificate until the expiration" -
common practice is that when a revocation event occurs, new CRLs and
OCSP responses for the revoked certificates are made available
immediately or within a few hours at most.

It is an important distinction that also highlights why the lack of
revocation information makes the system less secure. Although it is
quite evident why, since this is not addressed in the document, it
might be useful to spell it out.

In a multi-party environment, different applications might have (a)
different strategies when it comes to caching of the revocation
information and/or (b) check the revocation information at different
times. Let's take the case of 2 parties checking the rev info for the
same certificate. If party A accesses OCSP/CRLs at {time1} and caches it
until {time1 + delta}, party B retrieves it at {time2} and caches it
until {time2 + delta}. Let's assume that time2 > time1 and that new
revocation status information is already available at {time2}. This
means that, although party A is still vulnerable until {time1 + delta},
party B is not. In a short-lived cert environment w/out revocation ALL
parties are VULNERABLE until the compromised {key+certificate} expires.

It seems quite clear that the two environments (short-lived w/ no revo
and any-lived w/ revo) do not have the same security properties.

Therefore I think that the authors ought to demonstrate the equivalence
of security levels (not just assume it as a hypothesis - given I just
disproved it) or to remove all claims that the two environments are
actually equivalent from a security perspective and to add specific
considerations for short-lived-no-revo about the fact that not
supporting revocation is inherently weaker because it potentially
exposes all parties to attacks (e.g., MITM, unauthorized access to
resources, etc.) that cannot be stopped (unless you implement
application-level revocation... and, therefore, re-introduce revocation
through the back door in a non-standardized, ad-hoc,
hard-to-manage-across-applications fashion).

*Final Considerations*

I am not opposed to the concept of this document being considered for
BCP; however, all the above issues MUST, IMO, be addressed before the
document can be considered further. I think I already raised these
considerations at the last IETF, but I do not think the authors missed
or have not considered the provided feedback. I hope that a more
explicit and written feedback might be taken into consideration.

Just my 2 cents from an old barnacle... :D

Cheers,
Max

-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director
OpenCA Logo
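The two-party caching argument in the post above (party A caches a "good" status fetched before the revocation event until time1 + delta, party B fetches after fresh status exists, and under short-lived certificates with no revocation every party is exposed until the certificate expires) as a small simulation. This is an added example, not code from the post, from draft-nir-saag-star or from OpenCA; all numbers (one-year and four-day certificate lifetimes, a four-day CRL nextUpdate as in the draft text quoted above, a one-hour cache delta, revocation at minute 100, first checks at minutes 90 and 120) and all class and function names are constructed assumptions, with times expressed in minutes from an arbitrary epoch.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Validity window of a certificate, in minutes from an arbitrary epoch (constructed units)."""
    not_before: int
    not_after: int


@dataclass(frozen=True)
class RevocationInfo:
    """What a CRL or OCSP response carries for one certificate."""
    this_update: int   # when the issuer produced this status
    next_update: int   # latest time by which the issuer promises fresher status
    revoked: bool


def issuer_status(cert: Cert, revoked_at: Optional[int], refresh_period: int, now: int) -> RevocationInfo:
    """Revocation info an issuer publishes at time `now`.

    Models the practice the post describes: a CRL/OCSP response listing the certificate
    is published immediately at the revocation event, not at the next scheduled
    publication.  Scheduled publications happen every `refresh_period` minutes from
    the certificate's notBefore (an assumption of this model).
    """
    scheduled = cert.not_before + ((now - cert.not_before) // refresh_period) * refresh_period
    if revoked_at is not None and revoked_at <= now:
        this_update = max(scheduled, revoked_at)
        return RevocationInfo(this_update, this_update + refresh_period, True)
    return RevocationInfo(scheduled, scheduled + refresh_period, False)


@dataclass
class RelyingParty:
    """A client that reuses fetched status for at most `cache_ttl` minutes (the post's delta)."""
    name: str
    cache_ttl: int
    cached: Optional[RevocationInfo] = None
    fetched_at: Optional[int] = None

    def accepts(self, cert: Cert, revoked_at: Optional[int], refresh_period: int,
                now: int, use_revocation: bool) -> bool:
        """True if this party would accept the certificate at time `now`."""
        if not (cert.not_before <= now < cert.not_after):
            return False                       # outside the validity window
        if not use_revocation:
            return True                        # no-revocation model: validity is the only check
        stale = (self.cached is None
                 or now >= min(self.fetched_at + self.cache_ttl, self.cached.next_update))
        if stale:                              # refresh at the cache delta or at nextUpdate, whichever is first
            self.cached = issuer_status(cert, revoked_at, refresh_period, now)
            self.fetched_at = now
        return not self.cached.revoked


def acceptance_end(party: RelyingParty, cert: Cert, revoked_at: int, refresh_period: int,
                   use_revocation: bool, first_check: int) -> int:
    """Check once a minute from `first_check` and return the first time the party rejects
    the compromised certificate, i.e. the end of that party's exposure."""
    for t in range(first_check, cert.not_after + 1):
        if not party.accepts(cert, revoked_at, refresh_period, t, use_revocation):
            return t
    return cert.not_after


def compare(first_check_a: int = 90, first_check_b: int = 120,
            revoked_at: int = 100) -> Dict[Tuple[str, str], int]:
    """Exposure end times for parties A and B under both deployment styles.

    Constructed scenario: the key is compromised and revoked at minute 100; A first
    checks at 90 (before the event) and B at 120 (after fresh status exists).
    """
    long_lived = Cert(0, 525_600)   # one year
    short_lived = Cert(0, 5_760)    # four days: equal to the CRL validity below
    crl_period = 5_760              # nextUpdate four days out, as in the quoted draft text
    delta = 60                      # client-side cache lifetime (the post's delta)
    results: Dict[Tuple[str, str], int] = {}
    for label, cert, use_rev in (("any-lived+revocation", long_lived, True),
                                 ("short-lived-no-revocation", short_lived, False)):
        for name, first in (("A", first_check_a), ("B", first_check_b)):
            party = RelyingParty(name, delta)
            results[(label, name)] = acceptance_end(party, cert, revoked_at, crl_period, use_rev, first)
    return results


if __name__ == "__main__":
    for (label, name), end in compare().items():
        print(f"{label:27} party {name}: accepts the compromised cert until minute {end}")
```

With revocation, A keeps accepting until its cache expires at minute 150 and B rejects at its first check at minute 120, so exposure is bounded by the smaller of the client's cache delta and the issuer's nextUpdate; in the no-revocation model both parties accept until the certificate expires at minute 5760, whatever their checking schedule, which is the asymmetry the post argues the draft's equivalence claim glosses over.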

--------------1419891C6CABA6A3536CA3B5
Content-Type: multipart/related;
 boundary="------------B13C537DA97196213E3CF5A2"


--------------B13C537DA97196213E3CF5A2
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html>
  <head>

    <meta http-equiv=3D"content-type" content=3D"text/html; charset=3Dutf=
-8">
  </head>
  <body text=3D"#000000" bgcolor=3D"#FFFFFF">
    <p>Hi all,</p>
    <p>unfortunately I missed the sec-dispatch session, but I have some
      important considerations about the document. In general,
      short-lived certificates have been around for many years and for
      many different applications (nothing new here), however nobody who
      have been working with PKI long enough would actually made the
      case that the security levels of short-lived-no-revo and
      any-lived-plus-revo are the same (which seems the life-motif of
      the presentation and the document itself).</p>
    <p>Other aspects that I think shall be revisited are the lack of
      considerations about the usability of deployed infrastructures
      (when no revocation is assumed) and some wrong considerations in
      the document about validity periods of OCSP Responses and CRLs
      (that clearly undermine the equivalence claim).<br>
    </p>
    <p><u><b>Equivalence of Short-Lived w/out Rev Support and Any-Lived
          w/ Rev Support</b></u><br>
    </p>
    <p>The statements that made me jump on my seat is the claim that
      short-lived certificates without revocation support (BTW,
      short-lived does not necessarily exclude revocation support) and
      certificates (short-lived or not) vs. any-lived certificates with
      revocation support have the same level of security as long as the
      validity period of the short-lived ones is equal or shorter than
      CRLs or OCSP validity. I find this quite a puzzling statement. For
      once, there should be considerations about the fact that if a key
      is compromised and it is used by a malicious entity to
      attack/disrupt/etc. another entity, the rightful owner of the
      certificate does not have any possibility to prove that someone
      else did it - there is no authenticated trail (OCSP response or
      CRL) that can be used in this case and this can lead, in some
      environments, to legal implications. I am curious about how do the
      authors address this point, maybe some considerations shall be
      made here.</p>
    <p>Also the claim that:</p>
    <blockquote>
      <p>" it is hard to justify why the CA or a delegate needs to both
        sign blob-1 (the certificate) and also sign blob-2 (the CRL or
        OCSP response) to tell relying parties that blob-1 is still
        valid."</p>
    </blockquote>
    <p>is quite curious and, I might say, misleading. Although the
      revocation status (either in the form of an OCSP or CRL) does not
      provide additional information besides the validity when the
      certificate is not revoked, it does provide quite a lot of useful
      information when the certificate is revoked (e.g., when a
      compromised happened, the reason for revocation - e.g., key
      compromise, a person has left the organization, a HW token is
      broken, etc.). I would prefer the authors to explain what they
      mean in more extensive and engineering-appropriate form. This is
      another evidence that the two systems are definitely NOT
      equivalent from a security perspective.</p>
    <p>Another example about the fact that some form of revocation is
      still needed comes from the document itself (thus contradicting,
      IMO, the main claim of the document - 5.1):</p>
    <blockquote>
      <p>"No matter how short-term these short term certificates are,
        there is a certain window of time when the attacker can use the
        certificate.=C2=A0 This can often be mitigated with application-l=
evel
        measures."</p>
    </blockquote>
    <p>this is "application-level measures =3D=3D application-level
      revocation". This means that now, instead of having standardized
      ways to check for the status of certificates, each application
      need to implement a way to deal with it on an ad-hoc basis and
      being able to distribute securely this information to all relying
      parties. Undoubtedly, for anybody who has ever had to deal with
      such problems this becomes a quite costly and intractable problems
      very quickly. Maybe some considerations about this should be added
      in the document as well.</p>
    <p><u><b>Usability of Deployed Infrastructures</b></u></p>
    <p>One important section that is missing is: how do these
      no-revocation PKIs look like? There are basically two main choices
      here:</p>
    <ol>
      <li>Deploy a 2 level-only PKI. That means having a Trust Anchor
        that issues directly the EE certificates. Besides all security
        considerations about TAs being online (as required in
        short-lived environments), this makes it very difficult to
        deploy. <b>Important considerations should be made in this
          case.<br>
          <br>
        </b></li>
      <li>Deploy a 3+ level PKIs (current best practices). This approach
        involves having (usually one) intermediate CAs (there can be
        more). In this case, the TAs issue the intermediate CAs'
        certificates and the last intermediate CAs issue the EE ones.
        Obviously, intermediate CAs can not have the same short validity
        period as the EE certs, therefore the need for revocation (at
        least at the intermediate CAs level) is evident. <b>Important
          considerations shall be made also in this case.</b></li>
    </ol>
    <p><b>Wrong Considerations about CRLs and OCSP Responses validity
        periods</b></p>
    <p>In the document, statements like the following shall be fixed and
      expanded for clarity:</p>
    <blockquote>
      <p>"If a CRL has a nextUpdate field that is 4 days in the future,
        a typical system will not attempt to fetch a new one before
        those 4 days have elapsed."</p>
    </blockquote>
    <p>And then it continue by stating the following:<br>
    </p>
    <blockquote>
      <p>"For this reason, moving to STAR certificates provides a
        similar level of security to what is generally practiced on the
        web."</p>
    </blockquote>
    <p>Since the first statement is incomplete and, thus, misleading -
      the second statement does not hold. Let me explain further for the
      people that are not familiar with how CRLs and OCSP are processed.
      Although there is a validity period for revocation information, it
      is well-known that the expiration field indicates the time "within
      a new revocation status information will be made available" and it
      is NOT "this is the revocation status of the target certificate
      until the expiration" - common practice is that when a revocation
      event occurs, new CRLs and OCSP responses for the revoked
      certificates are made available immediately or within few hours at
      most.<br>
    </p>
    <p>It is an important distinction that highlights also why the lack
      of revocation information makes the system less secure. Although
      it is quite evident why and since this is not addressed in the
      document, it might be useful to spell it out.</p>
    <p>In a multi-party environment, different applications might have
      (a) different strategies when it comes to caching of the
      revocation information and/or (b) check the revocation information
      at different times. Let's make the case of 2 parties checking the
      rev info for the same certificate. If party A accesses OCSP/CRLs
      at {time1} and caches it until {time1 + delta}, party B retrieves
      it at {time2} and caches it until {time2+delta}. Let's assume that
      time2 &gt; time1 and that new revocation status information is
      already available at {time2}. This means that, although party A is
      still vulnerable until {time1+delta}, party B is not. In a
      short-lived cert environment w/out revocation ALL parties are
      VULNERABLE until the compromised {key+certificate} expires.</p>
    <p>It seems quite clear that the two environments (short-lived w/ no
      revo and any-lived w/ revo) do not have the same security
      properties.</p>
    <p>Therefore I think that the authors ought to demonstrate the
      equivalence of security levels (not just assume it as hypothesis -
      given I just disproved it) or to remove all claims that the two
      environments are actually equivalent from as security perspective
      and to add specific considerations for short-lived-no-revo about
      the the fact that not supporting revocation is inherently weaker
      because it potentially exposes all parties to attacks (e.g., MITM,
      un-authorized access to resources, etc.) that can not be stopped
      (unless you implement application-level revocation.. and,
      therefore, re-introduce revocation from the backdoor in a
      non-standardized, ad-hoc, hard-to-manage across application
      fashion).</p>
    <p><b>Final Considerations</b></p>
    <p>I am not opposed to the concept of this document being considered
      for BCP, however all the above issues MUST, IMO, be addressed
      before the document can be considered further. I think I already
      raised these considerations at the last IETF, but I do not think
      the authors missed or have not considered the provided feedback. I
      hope that more explicit, written feedback might be taken into
      consideration.</p>
    <p>Just my 2 cents from an old barnacle... :D</p>
    <p>Cheers,<br>
      Max<br>
    </p>
    <div class=3D"moz-signature">-- <br>
      <div style=3D"color: black; margin-top: 10px;">
        Best Regards,
        <div style=3D"margin-top: 5px; margin-left: 0px; ">
          Massimiliano Pala, Ph.D.<br>
          OpenCA Labs Director<br>
        </div>
        <img src=3D"cid:part1.ADE46842.55AEAEC9@openca.org"
          style=3D"vertical-align: 0px; margin-top: 10px; margin-left:
          0px;" alt=3D"OpenCA Logo"><br>
      </div>
    </div>
  </body>
</html>


--------------1419891C6CABA6A3536CA3B5--


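As an added example (not part of Max's mail or of the draft under review), the following Python model works through the two-party scenario above: party A and party B each cache OCSP/CRL data for delta, the CA publishes a revocation, and the model computes until when each party keeps accepting the compromised certificate under cached revocation versus a short-lived certificate with no revocation. It assumes each party refreshes its cache on a fixed schedule (first fetch plus multiples of delta); all time values are constructed.

```python
"""Added example: a model of the revocation-caching argument from the mail above.

It compares when each relying party stops accepting a compromised certificate
under (a) revocation checking with a per-party cache of OCSP/CRL data and
(b) short-lived certificates with no revocation checking at all.
Time is in arbitrary integer units; all values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class RelyingParty:
    """One application that checks revocation status for the same certificate."""
    name: str
    first_fetch: int  # when it first retrieved OCSP/CRL data ({time1}, {time2})
    cache_ttl: int    # how long it reuses that data before refreshing ({delta})

    def next_refresh_at_or_after(self, t: int) -> int:
        """First cache refresh at or after time t.

        Assumption (not stated in the mail): the party refreshes on a fixed
        schedule, at first_fetch + k * cache_ttl for k = 0, 1, 2, ...
        """
        if t <= self.first_fetch:
            return self.first_fetch
        k = -(-(t - self.first_fetch) // self.cache_ttl)  # ceiling division
        return self.first_fetch + k * self.cache_ttl


def exposure_end_with_revocation(party: RelyingParty, revocation_published: int,
                                 cert_not_after: int) -> int:
    """Model (a): revocation is checked, but the status is cached per party.

    The party keeps trusting the compromised certificate until its first cache
    refresh at which the new revocation status is already available.  Expiry
    still caps the window (a refresh after notAfter no longer matters).
    """
    return min(party.next_refresh_at_or_after(revocation_published), cert_not_after)


def exposure_end_short_lived(cert_not_after: int) -> int:
    """Model (b): short-lived certificate, no revocation checking.

    Nothing but expiry stops the certificate from being accepted, so every
    party is exposed for the full remaining lifetime of the certificate.
    """
    return cert_not_after


def compare_exposure(parties: Iterable[RelyingParty], revocation_published: int,
                     cert_not_after: int) -> Dict[str, Tuple[int, int]]:
    """Per party: (end of exposure under model (a), end of exposure under model (b))."""
    return {
        p.name: (exposure_end_with_revocation(p, revocation_published, cert_not_after),
                 exposure_end_short_lived(cert_not_after))
        for p in parties
    }


# Constructed scenario: party A first fetched status at t=100, party B at
# t=120, both caching for delta=50; the CA publishes the revocation at t=110
# (so it is already visible to B's first fetch but not to A's); the
# certificate expires at t=1000 in both models.
SAMPLE_PARTIES = (RelyingParty("A", first_fetch=100, cache_ttl=50),
                  RelyingParty("B", first_fetch=120, cache_ttl=50))
SAMPLE_REVOCATION_PUBLISHED = 110
SAMPLE_CERT_NOT_AFTER = 1000

if __name__ == "__main__":
    result = compare_exposure(SAMPLE_PARTIES, SAMPLE_REVOCATION_PUBLISHED,
                              SAMPLE_CERT_NOT_AFTER)
    for name, (with_revo, no_revo) in result.items():
        print(f"party {name}: trusts the revoked cert until t={with_revo} with "
              f"cached revocation, until t={no_revo} without revocation")
```

In the constructed scenario A stays exposed until its refresh at t=150 and B only until t=120, while without revocation both stay exposed until t=1000.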

From nobody Wed Mar 21 07:24:40 2018
MIME-Version: 1.0
From: Joseph Salowey <joe@salowey.net>
Date: Wed, 21 Mar 2018 14:24:15 +0000
Message-ID: <CAOgPGoAV9cuqu3fZQ=kQWF5ZuEH0aeK2xJXwZ2CeeBx27tkyRA@mail.gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary="089e0821b99454407c0567ecf313"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gqFZ2lQ5fs_XFSoK88Kq-LBfSC4>
Subject: [saag] IETF 101 EMU SAAG Report

--089e0821b99454407c0567ecf313
Content-Type: text/plain; charset="UTF-8"

EMU met on Monday afternoon.  The main topics of discussion:

   - There was support in the room to have a call for adoption of
   draft-mattsson-eap-tls13-02 as a working group item as the EAP-TLS TLS 1.3
   charter work item.  The work on handling large certificate chains may be
   continued in a separate document.
   - There was support in the room to have a call for adoption of
   draft-arkko-eap-rfc5448bis-01 as a working group item as part of the
   EAP-AKA revisions charter work item.
   - We will have some discussion on the list to determine if
   draft-arkko-eap-aka-pfs-01 should be adopted to meet the PFS for
   EAP-AKA' work item.
   - We had discussion on fixing session IDs for some existing EAP
   methods.  We expect a draft to be posted for this work.
   - We had some discussion on using TEAP for things like cert enrollment,
   BRSKI validations and other things.

--089e0821b99454407c0567ecf313--


From nobody Wed Mar 21 07:29:14 2018
MIME-Version: 1.0
From: Joseph Salowey <joe@salowey.net>
Date: Wed, 21 Mar 2018 14:28:45 +0000
Message-ID: <CAOgPGoBup-tEPO44SXB4BCGUpxqqFSUoiBB03qL70Mx-v=5z4A@mail.gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary="001a114aefac6cf0340567ed03e2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/_gJaHsX2nJqcTBFR0UAy84Vyvuk>
Subject: [saag] IETF 101 TLS SAAG Summary

--001a114aefac6cf0340567ed03e2
Content-Type: text/plain; charset="UTF-8"

The TLS working group met on Monday and Wednesday this week.  Main points
of discussion:

   - TLS 1.3 <https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/> is
   approved by the IESG and heading to the RFC editor queue.
   - The main topic on Monday was a proposal for TLS visibility
   <https://datatracker.ietf.org/doc/draft-rhrd-tls-tls13-visibility/> in
   the data center.  The TLS working group was unable to reach consensus to
   adopt this work.  The security ADs will handle the discussion of
   alternative paths for this work.
   - Discussion on Connection ID
   <https://datatracker.ietf.org/doc/draft-ietf-tls-dtls-connection-id/> for
   TLS 1.2 and 1.3 resulted in consensus to use an explicit mechanism to
   indicate the presence of the connection ID.  There was desire to keep
   changes to DTLS 1.2 as minimal as possible.
   - After some discussion of the DNSSEC chain extension
   <https://datatracker.ietf.org/doc/draft-ietf-tls-dnssec-chain-extension/>
   the working group reached consensus that the draft in its current state
   will move forward and authenticated denial of existence and pinning work
   would need to be considered in a separate document.
   - There was a presentation on security analysis for the exported
   authenticators draft
   <https://datatracker.ietf.org/doc/draft-ietf-tls-exported-authenticator/>.
   - We will seek an advance code point assignment for Certificate compression
   <https://datatracker.ietf.org/doc/draft-ietf-tls-certificate-compression/>
   from IANA.
   - The SNI encryption
   <https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/> work
   will be split out into 1 draft that discusses the problem, requirements and
   current state and several other documents that detail possible solutions.
   - There was some discussion of Semi-static DH keys for TLS
   <https://datatracker.ietf.org/doc/draft-rescorla-tls13-semistatic-dh/>
   (similar to OPTLS).
   - We ran out of time to discuss a proposal to supplement certificate
   based authentication with a PSK
   <https://datatracker.ietf.org/doc/draft-housley-tls-tls13-cert-with-extern-psk/>
   to provide resistance to advances in quantum computing.
   - We had a presentation on a header extension format
   <https://datatracker.ietf.org/doc/draft-fossati-tls-ext-header/> for DTLS.
   - A query was issued to the working group on whether there is interest in
   using PAKEs such as SRP with TLS 1.3.

--001a114aefac6cf0340567ed03e2--


From nobody Wed Mar 21 10:53:46 2018
To: saag@ietf.org
From: Leif Johansson <leifj@sunet.se>
Message-ID: <2fcb372f-c62f-c9f8-6053-6e57cb22e34f@sunet.se>
Date: Wed, 21 Mar 2018 18:53:38 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GdMyFd50fXrNH3COGXdIeb0IbcE>
Subject: [saag] tokenbinding report

Tokenbinding WG met in London. Quick summary is as follows:

- core documents on next IESG telechat, no known controversial issues
- transparent proxies and TLS1.3 drafts close to WGLC

We're going to ask for an early secdir review of the TLS1.3 draft.

	Cheers Leif & John


From nobody Wed Mar 21 12:09:00 2018
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D1015966-C67A-4571-968E-AC81864ECFBA"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Message-Id: <70670470-DE73-4777-9091-76F741538074@gmail.com>
Date: Wed, 21 Mar 2018 19:08:53 +0000
To: Security Area Advisory Group <saag@ietf.org>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/SrElvjiFZtMP2nsOPqdQ3r99OkI>
Subject: [saag] ACME Summary

--Apple-Mail=_D1015966-C67A-4571-968E-AC81864ECFBA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

The ACME Working Group met on Wednesday afternoon.

- Our main document is finally ready, and Kathleen started the IETF LC
  during the meeting.
- ACME-CAA is past WGLC, and will be submitted to the IESG as soon as
  possible.
- The telephony and service provider drafts will be merged.
- The IP-based drafts still have unresolved issues.
- ACME-STAR is probably ready for WGLC.



--Apple-Mail=_D1015966-C67A-4571-968E-AC81864ECFBA--


From nobody Wed Mar 21 16:16:35 2018
Date: Wed, 21 Mar 2018 18:16:25 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Dr. Pala" <director@openca.org>
Cc: "saag@ietf.org" <saag@ietf.org>
Message-ID: <20180321231624.GK55745@kduck.kaduk.org>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
In-Reply-To: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/EYmP9RNmEOtJsUSAASKgAUqrus4>
Subject: Re: [saag] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Mar 2018 23:16:33 -0000

[spasm and pkix to bcc; please continue discussion on one list only]

Hi Max,

On Wed, Mar 21, 2018 at 01:08:07PM +0000, Dr. Pala wrote:
> Hi all,
>
> unfortunately I missed the sec-dispatch session, but I have some
> important considerations about the document. In general, short-lived
> certificates have been around for many years and for many different
> applications (nothing new here); however, nobody who has been working
> with PKI long enough would actually make the case that the security
> levels of short-lived-no-revo and any-lived-plus-revo are the same
> (which seems to be the leitmotif of the presentation and the document itself).
>
> Other aspects that I think shall be revisited are the lack of
> considerations about the usability of deployed infrastructures (when no
> revocation is assumed) and some wrong considerations in the document
> about validity periods of OCSP Responses and CRLs (that clearly
> undermine the equivalence claim).

It would probably be helpful if you included a description of what
attacker capabilities are present in your mental model.  If the
attacker is modelled as being in control of the network (and
revocation status is carried over HTTP-not-S) then the claim of
equivalence between short-lived certs and "short-lived" OCSP holds
much more weight.  When you say that a second party can get the
valid revocation status information, that implies that the attacker
does *not* have full control over the network -- so what exactly can
and cannot the attacker do?

-Ben


From nobody Thu Mar 22 02:54:35 2018
Return-Path: <ietf@augustcellars.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5F1B12D94B for <saag@ietfa.amsl.com>; Thu, 22 Mar 2018 02:54:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level: 
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qjCcfqdWm8CJ for <saag@ietfa.amsl.com>; Thu, 22 Mar 2018 02:54:31 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21B32126D05 for <saag@ietf.org>; Thu, 22 Mar 2018 02:54:24 -0700 (PDT)
Received: from Jude (31.133.136.157) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Thu, 22 Mar 2018 02:52:11 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: <saag@ietf.org>
Date: Thu, 22 Mar 2018 09:54:13 +0000
Message-ID: <00f301d3c1c3$bdb8ba60$392a2f20$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdPBw60O5k2ct5MVQPuPuOLM9T6UIA==
Content-Language: en-us
X-Originating-IP: [31.133.136.157]
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ks1IRoBZIfDD5HC24lZKdgS6578>
Subject: [saag] ACE WG Summary from IETF 101
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 09:54:33 -0000

The ACE working group met on Monday in the first session.

The CWT document has gone to the RFC Editor since the last meeting and the
associated POP CWT draft is expected to progress to the IESG before
Montreal.

The WG adopted the EST over CoAP draft after some heavy modifications with
some of the work going to the ANIMA group.

During the week there has been a start at getting some interop testing done
with the OAuth framework using the DTLS profile which has started to show
some promise.  We are going to try to have a couple of virtual interop
events over the next couple of months with the goal of having enough by
Montreal to be able to be comfortable with going to WGLC then.  As part of
this work we will need to look at getting the OSCORE profile tested as well.

There were some non-working (future work) drafts presented dealing with group
messaging authorization scenarios, where some re-factoring work had been done
to combine pieces that are common between the two drafts.

The WG then had some discussion on a key establishment protocol, EDHOC, with a
comparison of message sizes and numbers between that proposal and using TLS
to do key establishment, transporting the TLS messages inside of CoAP.  While
the two protocols have similar results under the UDP scenario, they have
different results when looking at the 6TiSCH world where packets are
restricted in size.



From nobody Thu Mar 22 03:12:48 2018
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3F2A12D7F5 for <saag@ietfa.amsl.com>; Thu, 22 Mar 2018 03:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kzmuO9yVxCkw for <saag@ietfa.amsl.com>; Thu, 22 Mar 2018 03:12:46 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B4E512D7FC for <saag@ietf.org>; Thu, 22 Mar 2018 03:12:46 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id f19so14877202wmc.0 for <saag@ietf.org>; Thu, 22 Mar 2018 03:12:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:content-transfer-encoding:mime-version:subject:message-id:date :to; bh=F8BOH/nycowuAcjaIp8pzhFfo45E8Yjae0G/uh/E8C8=; b=jPYHFQjEoYSHtu3LtH7NFKz0RCxzaXZUWTWqDeIQ+Vt1HEtgbpvt7zBatRjLoSAWZg t4e3D2HaGQJ4LksCc9LnqNhMDbnLgas5T8LGRQv6OUE6CdhbxvTNE2ELLb65dvDm8fwW VEgRp5WGb+zC1NmOoHfPQEPjQDW/T5JISsbe+4aj9t8+5kGAw6j6tII6Ks2ugN5B0+xg hgyPkg7sq8z0gTD3UsmVKka5Gy8HwzSeHCIGXZTqm6D/zH0YiR7XaFjbs34pkbzzt2v3 D8x4JePBW4lK+rZ8s8P0c1ru8KpoSnNVDXS+VDvjQoP4Njy5eRUo/uyNHv7p1xM0ktiV LdiA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:content-transfer-encoding:mime-version :subject:message-id:date:to; bh=F8BOH/nycowuAcjaIp8pzhFfo45E8Yjae0G/uh/E8C8=; b=Je54M04UvvWwr2G3zdq77j5SXlz1y8csmAXde18Mh41U/9ucO4Izx8ZIr+8TUbBwmb yvp7RQOsIl7GCsAheMf1FvmbghZTjVhqsD8mQxodF575lEW0GXg2dnxHELcMfEhpIY/R cAp6uNi+z0vtMv3p9oE7zSq/gbS0YVWSibQTtj6x+uV18jvub3vmunkKQjFVzaTWVbhH M51a1wC9qOCBB59Q0RB+aXuFb9XG5KXoJHpVQOOOIZ10/fY8DBUwimz//ZcRHJrJk/Ho Fw8p9d/muNZCdcRMXt99fvpCI1EY1RmxFG1U6MfeGxJNxmvtQnBQDl/l5rhQ+CfOrmug lKhw==
X-Gm-Message-State: AElRT7GuEShwDldE7Vddghj3nEftnWPJinnkCP7nevYI7WkUp0tz30dQ /n7HEUp8XwTcVDo8zROBI4rtY7uS
X-Google-Smtp-Source: AG47ELtz+m8Cq6WuCViEYOMSrCS07M/KXjMGuNS4OW3aoNiNw69Ma4sbqcL8vbXAnOdhA8/ZpGFelA==
X-Received: by 10.28.218.14 with SMTP id r14mr5342232wmg.133.1521713564956; Thu, 22 Mar 2018 03:12:44 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:128:68d9:ddba:b7e1:242a? ([2001:67c:370:128:68d9:ddba:b7e1:242a]) by smtp.gmail.com with ESMTPSA id v191sm2832031wmf.34.2018.03.22.03.12.44 for <saag@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Mar 2018 03:12:44 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Message-Id: <CC5440E4-63C0-49B0-A203-4C70050238DB@gmail.com>
Date: Thu, 22 Mar 2018 10:13:13 +0000
To: Security Area Advisory Group <saag@ietf.org>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Z7vMSo61wu2Qy-8EHsqlIpwAp-w>
Subject: [saag] I2NSF report from IETF 101
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 10:12:48 -0000

Hi.

The I2NSF WG met on Wednesday morning.

Since the last meeting the framework draft was published as RFC 8329.

We have 7 active drafts and are looking at adopting some of the proposed data model documents. The chairs and authors are considering consolidating some of the Information Model and Data Model drafts.

The SDN-IPsec draft did not get attention at this meeting. We will make up for this at the next one.

Linda & Yoav


From nobody Thu Mar 22 03:45:37 2018
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65777120227 for <saag@ietfa.amsl.com>; Thu, 22 Mar 2018 03:45:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level: 
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nNBAb_JKlMZI for <saag@ietfa.amsl.com>; Thu, 22 Mar 2018 03:45:35 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E7B41200C1 for <saag@ietf.org>; Thu, 22 Mar 2018 03:45:34 -0700 (PDT)
Received: from [192.168.91.219] ([31.133.155.188]) by mail.gmx.com (mrgmx101 [212.227.17.168]) with ESMTPSA (Nemesis) id 0M1jKo-1eiwEw0o4A-00tmYm; Thu, 22 Mar 2018 11:45:32 +0100
To: saag <saag@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <2f53672b-b957-75f3-e968-a1ef136dd242@gmx.net>
Date: Thu, 22 Mar 2018 11:45:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/59xaT9W0UdMD0DiPJUUDASTnmAo>
Subject: [saag] OAuth WG Report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 10:45:36 -0000

Here are the 5 highlights:

1) Started WGLC on OAuth MTLS, which will be used in the financial sector.
2) We will hold a virtual interim meeting on the topic of audience
restriction/distributed OAuth since there is clearly a need for further
discussions.
3) We will start a WGLC on the JWT BCP. SAAG people should look at this
work.
4) We are planning to schedule a WGLC on the OAuth Security Topics,
which provides security recommendations for OAuth to deal with attacks
we encountered over the years.
5) We had an OAuth Security Workshop in Trento/Italy the week before the
IETF meeting.

A good group making good progress during this London IETF week.

Hannes & Rifaat


From nobody Thu Mar 22 04:10:20 2018
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C97751200C5 for <saag@ietfa.amsl.com>; Thu, 22 Mar 2018 04:10:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qJ-S0b9H6ZWf for <saag@ietfa.amsl.com>; Thu, 22 Mar 2018 04:10:16 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 922601200C1 for <saag@ietf.org>; Thu, 22 Mar 2018 04:10:15 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id r82so15386017wme.0 for <saag@ietf.org>; Thu, 22 Mar 2018 04:10:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=IYMBN78n+uzeXxKZ/iOdhzwWJfeJ9997ll9mNEgvZ+w=; b=RyNnHpdpcbSCM6ndTp8bRIonx3SfI9iQ1CCk54H5QH08pFhCva3vf5Mq3cLA/ZjzUA 5kgjg5D3xISgPHjCdpotXTy7RMekbIB00Rhzf/ULvhb4p2cxX/1qRdJqcVCQvJsiH0CS 95Gl42yWsP8U4P+PL+ADxpDfIn+iYcbGQQWiUGJ39VlfcI7yIMyeLhd67ajWi5QSmpTQ 6z/GvECxs942xTHJb0o0JYAXyJigbX+QBkt+xtTAXHD2ETLxYak5Zn7TD8lsu5lDGYNa Toz1WbBvrV4PNi9MUkIwKGgYZqTtIofvDmu+IYJTH5q3E2+rS/ybP8VFW4in7z11PgsO f3gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=IYMBN78n+uzeXxKZ/iOdhzwWJfeJ9997ll9mNEgvZ+w=; b=WP70Z5INumNauzyy4/+A6Zoo+TMWYbXIKZEFfnYbPAwtkS2yd0qHso5V5BEW8m9CKi axTfA00bdzw09haX69ro6tETt/zFcAkSzuLwb0P6+ayMOnQ6dTz/0KVpMLrb4QkEUdxB hWfvnQQop8TybItgCDNTDz9R0dlaqt6Nb9LPbziTPNLpQWJR5xZaKWGIgsLzQhC1RFGD U5I8dLe3cNLLGjo8dNPpd2ZJsktaVIZC+ywFFnOjiPK7Z3gUdfd9gLyId4Nxzl/MfFBt cO4Pj4ESExOAZdKtypredFUMXpT2dtvZjPwPOyGnm/TLlUiBrHW++ss5j2JgQMXlQMoh wFLw==
X-Gm-Message-State: AElRT7H8CfHc9CAQSQKHRQII5M+evGZzAr4KTmHn22jJE9yJ7OC+HYVK DML8i3eauKSa6vfJYOeIxv5kL9nA
X-Google-Smtp-Source: AG47ELtnIawoqk5zI9MBpyu8/18R/XG7ZpH6eDhmbk0cmEXyEFtdD6EWGRhjTx3TNZsuvkBkGyhHzQ==
X-Received: by 10.28.3.68 with SMTP id 65mr5297541wmd.17.1521717014006; Thu, 22 Mar 2018 04:10:14 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:128:68d9:ddba:b7e1:242a? ([2001:67c:370:128:68d9:ddba:b7e1:242a]) by smtp.gmail.com with ESMTPSA id k14sm8284102wrc.62.2018.03.22.04.10.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Mar 2018 04:10:13 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <CF306EF7-1C3A-4319-8B52-4F4D5DFC1B92@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_40F50F80-3D8C-4355-B32A-95D41902FF31"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Thu, 22 Mar 2018 11:10:11 +0000
In-Reply-To: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org>
Cc: Security Area Advisory Group <saag@ietf.org>
To: "Dr. Pala" <director@openca.org>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/6SByF9HYD4ziSMhAcB4hf2UH27w>
Subject: Re: [saag] [pkix] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Mar 2018 11:10:19 -0000

--Apple-Mail=_40F50F80-3D8C-4355-B32A-95D41902FF31
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_6098A45B-DE38-4DD1-99EB-B4A0EBFC8574"


--Apple-Mail=_6098A45B-DE38-4DD1-99EB-B4A0EBFC8574
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Keeping only SAAG, because PKIX does not exist yet, and LAMPS will need to recharter before taking this on.

> On 21 Mar 2018, at 13:08, Dr. Pala <director@openca.org> wrote:
>
> Hi all,
>
> unfortunately I missed the sec-dispatch session, but I have some important considerations about the document. In general, short-lived certificates have been around for many years and for many different applications (nothing new here); however, nobody who has been working with PKI long enough would actually make the case that the security levels of short-lived-no-revo and any-lived-plus-revo are the same (which seems to be the leitmotif of the presentation and the document itself).
>
I disagree. The most common use of certificates by sheer volume of transactions is server authentication on the web, and some of the most popular clients avoid revocation checking on long-lived certificates unless the revocation information is supplied via stapling. No revocation checking on long-lived certificates is worse than no revocation checking on short-lived certificates. I was not making the claim that short-lived-no-revo is as good as any-lived-plus-revo, only that it is at least as good as the common practice.

When revocation is checked it is still IMO equivalent. More on that later.
> Other aspects that I think shall be revisited are the lack of considerations about the usability of deployed infrastructures (when no revocation is assumed) and some wrong considerations in the document about validity periods of OCSP Responses and CRLs (that clearly undermine the equivalence claim).
> Equivalence of Short-Lived w/out Rev Support and Any-Lived w/ Rev Support
> The statement that made me jump in my seat is the claim that short-lived certificates without revocation support (BTW, short-lived does not necessarily exclude revocation support) and certificates (short-lived or not) vs. any-lived certificates with revocation support have the same level of security as long as the validity period of the short-lived ones is equal to or shorter than the CRL or OCSP validity. I find this quite a puzzling statement. For one, there should be considerations about the fact that if a key is compromised and it is used by a malicious entity to attack/disrupt/etc. another entity, the rightful owner of the certificate does not have any possibility to prove that someone else did it - there is no authenticated trail (OCSP response or CRL) that can be used in this case and this can lead, in some environments, to legal implications. I am curious about how the authors address this point; maybe some considerations shall be made here.
>
> Also the claim that:
>
> "it is hard to justify why the CA or a delegate needs to both sign blob-1 (the certificate) and also sign blob-2 (the CRL or OCSP response) to tell relying parties that blob-1 is still valid."
>
> is quite curious and, I might say, misleading. Although the revocation status (either in the form of an OCSP response or a CRL) does not provide additional information besides the validity when the certificate is not revoked, it does provide quite a lot of useful information when the certificate is revoked (e.g., when a compromise happened, the reason for revocation - e.g., key compromise, a person has left the organization, a HW token is broken, etc.). I would prefer the authors to explain what they mean in a more extensive and engineering-appropriate form. This is another piece of evidence that the two systems are definitely NOT equivalent from a security perspective.
>
That is a strange property of CRLs (or OCSP responses) in that they are objects with multiple consumers. The RP does not need to know the reason - the decision for it is binary: the certificate is either valid or invalid. Other entities may use it as a slice of the database. The date property makes sense in very specific applications where there are time-stamped, signed and counter-signed messages. For the common case of authenticating entities in TLS or IKE it is irrelevant. I think the draft should have some text limiting scope to cases that don't care about revocation time.
> Another example of the fact that some form of revocation is still needed comes from the document itself (thus contradicting, IMO, the main claim of the document - 5.1):
>
> "No matter how short-term these short term certificates are, there is a certain window of time when the attacker can use the certificate.  This can often be mitigated with application-level measures."
>
> this is "application-level measures == application-level revocation". This means that now, instead of having standardized ways to check for the status of certificates, each application needs to implement a way to deal with it on an ad-hoc basis and be able to distribute this information securely to all relying parties. Undoubtedly, for anybody who has ever had to deal with such problems, this becomes a quite costly and intractable problem very quickly. Maybe some considerations about this should be added to the document as well.
>
> Usability of Deployed Infrastructures
>
> One important section that is missing is: what do these no-revocation PKIs look like? There are basically two main choices here:
>
> Deploy a 2-level-only PKI. That means having a Trust Anchor that issues the EE certificates directly. Besides all the security considerations about TAs being online (as required in short-lived environments), this makes it very difficult to deploy. Important considerations should be made in this case.
>
> Deploy a 3+ level PKI (current best practice). This approach involves having (usually one) intermediate CA (there can be more). In this case, the TAs issue the intermediate CAs' certificates and the last intermediate CAs issue the EE ones. Obviously, intermediate CAs cannot have the same short validity period as the EE certs; therefore the need for revocation (at least at the intermediate CA level) is evident. Important considerations shall be made also in this case.
> Wrong Considerations about CRL and OCSP Response validity periods
>
> In the document, statements like the following shall be fixed and expanded for clarity:
>
> "If a CRL has a nextUpdate field that is 4 days in the future, a typical system will not attempt to fetch a new one before those 4 days have elapsed."
>
> And then it continues by stating the following:
> "For this reason, moving to STAR certificates provides a similar level of security to what is generally practiced on the web."
>
> Since the first statement is incomplete and, thus, misleading, the second statement does not hold. Let me explain further for the people who are not familiar with how CRLs and OCSP are processed. Although there is a validity period for revocation information, it is well-known that the expiration field indicates the time "within which new revocation status information will be made available" and NOT "this is the revocation status of the target certificate until the expiration" - common practice is that when a revocation event occurs, new CRLs and OCSP responses for the revoked certificates are made available immediately or within a few hours at most.
>
Sure. As soon as the CA receives a report that a certificate is compromised, a new CRL (or OCSP response) is issued. However, assuming the RP has downloaded the CRL 1 day earlier, that CRL is marked as having a nextUpdate 3 days later. The RP will not download the new CRL for 3 more days, and will therefore continue to accept the compromised certificate for 3 days.

This can be mitigated by the RP having a local policy of refreshing CRLs every so often, say every day. This limits the exposure time to 24 hours, but does not eliminate it entirely.

OCSP stapling makes this worse. The compromised EE will have a cached OCSP response that is valid for 4 days. It will use this in TLS or IKE, and the RP will never check it.

That is what I mean by saying that compromised short-lived-no-rev certificates are treated as valid for as long as any-lived-with-rev certificates if you set the lifetime similarly. The new revocation information may be available, but it's not used.
> It is an important distinction that also highlights why the lack of revocation information makes the system less secure. Although it is quite evident why, and since this is not addressed in the document, it might be useful to spell it out.
>
> In a multi-party environment, different applications might have (a) different strategies when it comes to caching of the revocation information and/or (b) check the revocation information at different times. Let's make the case of 2 parties checking the rev info for the same certificate. If party A accesses OCSP/CRLs at {time1} and caches it until {time1 + delta}, party B retrieves it at {time2} and caches it until {time2+delta}. Let's assume that time2 > time1 and that new revocation status information is already available at {time2}. This means that, although party A is still vulnerable until {time1+delta}, party B is not. In a short-lived cert environment w/out revocation ALL parties are VULNERABLE until the compromised {key+certificate} expires.
>
> It seems quite clear that the two environments (short-lived w/ no revo and any-lived w/ revo) do not have the same security properties.
>
> Therefore I think that the authors ought to demonstrate the equivalence of security levels (not just assume it as a hypothesis - given I just disproved it) or to remove all claims that the two environments are actually equivalent from a security perspective and to add specific considerations for short-lived-no-revo about the fact that not supporting revocation is inherently weaker because it potentially exposes all parties to attacks (e.g., MITM, un-authorized access to resources, etc.) that cannot be stopped (unless you implement application-level revocation... and, therefore, re-introduce revocation through the backdoor in a non-standardized, ad-hoc, hard-to-manage-across-applications fashion).
>
> Final Considerations
>
> I am not opposed to the concept of this document being considered for BCP; however, all the above issues MUST, IMO, be addressed before the document can be considered further. I think I already raised these considerations at the last IETF, but I do not think the authors missed or have not considered the provided feedback. I hope that more explicit and written feedback might be taken into consideration.
>
When this becomes a LAMPS working group item, it can definitely use all the input. This is why the feel of the room in SecDispatch was that this document needed a working group and was not appropriate for AD-sponsored.
> Just my 2 cents from an old barnacle... :D
>
Bah! If you're an old barnacle, what does this say about me?  :-)

Yoav
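The exposure-window arithmetic behind the exchange above (an RP that waits for nextUpdate, one with a daily refresh policy, a stapled OCSP response, and the party A / party B case), as an added Python example that is not part of either poster's message or of the draft; the hour values are constructed to match the figures quoted in the thread.

```python
"""Exposure-window arithmetic for the revocation-latency argument in the
thread above.  Added worked example, not code from the draft or from
either poster.  Time is in whole hours on a constructed timeline.  An RP is
modelled by the hour it last fetched a CRL or OCSP response, that object's
nextUpdate, and an optional local refresh policy; the question answered is:
at which hour does the RP stop accepting a certificate whose revocation
the CA published at a given hour?"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DAY = 24  # hours


@dataclass(frozen=True)
class CachedStatus:
    """A cached CRL or OCSP response as seen by one relying party."""
    fetched_at: int                       # hour of the last fetch
    next_update: int                      # nextUpdate of the cached object
    refresh_every: Optional[int] = None   # local refetch interval, if any

    def fetch_interval(self) -> int:
        """Hours between fetches: wait for nextUpdate, or shorter by local policy."""
        interval = self.next_update - self.fetched_at
        if self.refresh_every is not None:
            interval = min(interval, self.refresh_every)
        return interval


def learns_revocation_at(cache: CachedStatus, published_at: int) -> int:
    """Hour of the first fetch at or after the CA published the revocation.

    Until that fetch the RP keeps evaluating the stale cached object and so
    keeps accepting the revoked certificate.
    """
    if published_at <= cache.fetched_at:
        return cache.fetched_at           # the cached object already lists it
    interval = cache.fetch_interval()
    elapsed = published_at - cache.fetched_at
    fetches_needed = -(-elapsed // interval)   # ceiling division
    return cache.fetched_at + fetches_needed * interval


def worst_case_exposure(cache: CachedStatus) -> int:
    """Longest acceptance of a revoked cert: publication just after a fetch."""
    return cache.fetch_interval()


def still_accepting(parties: Dict[str, CachedStatus], published_at: int, now: int) -> List[str]:
    """Names of the RPs that, at hour `now`, still accept a cert revoked at `published_at`."""
    return sorted(name for name, cache in parties.items()
                  if learns_revocation_at(cache, published_at) > now)


if __name__ == "__main__":
    # Reply's scenario: CRL fetched one day ago with nextUpdate three days out,
    # revocation published now (hour 0).
    waits_for_next_update = CachedStatus(fetched_at=-DAY, next_update=3 * DAY)
    refreshes_daily = CachedStatus(fetched_at=-DAY, next_update=3 * DAY, refresh_every=DAY)
    print("accepts until hour", learns_revocation_at(waits_for_next_update, 0))          # 72
    print("worst case, nextUpdate-driven:", worst_case_exposure(waits_for_next_update))  # 96
    print("worst case, daily refresh:", worst_case_exposure(refreshes_daily))            # 24
    # OCSP stapling: the RP never fetches; it trusts the EE's cached response,
    # here obtained at hour 0 and valid for four days.
    stapled = CachedStatus(fetched_at=0, next_update=4 * DAY)
    print("stapled, revoked at hour 1, accepted until", learns_revocation_at(stapled, 1))  # 96
    # Quoted text's party A / party B: A fetched at time1 = 0, B at time2 = 12,
    # revocation published at hour 10, both cache for delta = 3 days.
    parties = {"A": CachedStatus(0, 3 * DAY), "B": CachedStatus(12, 12 + 3 * DAY)}
    print("still accepting at hour 20:", still_accepting(parties, 10, 20))               # ['A']
    # Short-lived cert with no revocation: the certificate is the only status
    # object and is never refreshed, so every party accepts it until notAfter.
```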






From nobody Thu Mar 22 05:32:02 2018
From: "Takeshi Takahashi" <takeshi_takahashi@nict.go.jp>
To: <saag@ietf.org>
Date: Thu, 22 Mar 2018 21:31:51 +0900
Message-ID: <0d1a01d3c1d9$c22dc5c0$46895140$@nict.go.jp>
Subject: [saag] MILE report
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/4wkZ6b_RpGRTg__kRZZiQI1UAxI>

MILE will be meeting on Thursday (18:10-19:10), after SAAG.

Prior to IETF101, the ROLIE Core draft was published as RFC 8322 in
February.
This time, we will discuss on the following WG drafts.

1. ROLIE CSIRT: Definition of ROLIE CSIRT Extension
  draft-banghart-mile-rolie-csirt-03
2. XMPP-grid: Using XMPP for Security Information Exchange
  draft-ietf-mile-xmpp-grid-05
3. JSON IODEF: JSON binding of IODEF
  draft-ietf-mile-jsoniodef-03

Everyone is welcome to join the discussion.




From nobody Thu Mar 22 06:01:21 2018
From: Karen O'Donoghue <odonoghue@isoc.org>
To: "saag@ietf.org" <saag@ietf.org>
Date: Thu, 22 Mar 2018 13:01:01 +0000
Message-ID: <62B12254-53EF-4EE9-9498-A79BB3E4FEFF@isoc.org>
Subject: [saag] SACM @ IETF 101
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/R9OX9hPppwVl7Iw5O66Qrc4MrSY>

The SACM WG met Thursday 22 February 2018 9:30 - 12:00. There was a report out from the Hackathon team about progress from that activity. The SWIMA doc (https://datatracker.ietf.org/doc/draft-ietf-sacm-nea-swima-patnc/) has passed the IESG and is in the RFC editor queue. The remaining working group drafts were discussed including architecture, yang modules, ECP, CoSWID, and ROLIE software descriptors. There was consensus to plan a virtual interim sometime after RSA.



From nobody Thu Mar 22 06:29:18 2018
To: saag@ietf.org
From: Wendy Seltzer <wseltzer@w3.org>
Organization: W3C
Cc: Samuel Weiler <weiler@w3.org>, Christine Runnegar <runnegar@isoc.org>
Message-ID: <dabbde76-1603-012d-243b-9fc9dac635de@w3.org>
Date: Thu, 22 Mar 2018 09:29:01 -0400
Subject: [saag] W3C update for IETF 101 SAAG
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Vovz_wBjx8SyFIwkx8Yf9MeZoEQ>

Brief update on W3C security-related activities:

Web Authentication: An API for accessing Public Key Credentials, has
reached Candidate Recommendation,
https://www.w3.org/TR/2018/CR-webauthn-20180320/

Security and Privacy reviewers welcome: Sam Weiler is helping the Web
Security IG to coordinate security reviews of specs; while Christine
Runnegar and Tara Whalen co-chair the Privacy Interest Group (PING)
conducting privacy reviews.
https://www.w3.org/Security/wiki/IG
https://www.w3.org/Privacy/

Thanks!
--Wendy


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Strategy Lead, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/        +1.617.863.0613 (mobile)


From nobody Fri Mar 23 03:46:26 2018
From: "Valery Smyslov" <valery@smyslov.net>
To: <saag@ietf.org>
Cc: "'Leif Johansson'" <leifj@sunet.se>
Date: Fri, 23 Mar 2018 10:46:16 -0000
Message-ID: <02df01d3c294$2ca92fb0$85fb8f10$@smyslov.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/mcd2lqkLZA5RWiz8ZqEWC3ZBiPI>
Subject: [saag] UTA WG report

UTA met on Thursday 22 March, 18:10-19:10.

Since the last meeting in Singapore we published RFC 8314 (formerly
draft-ietf-uta-email-deep).

Currently we have two drafts submitted for publication:
draft-ietf-uta-smtp-tlsrpt is in IETF LC and draft-ietf-uta-mta-sts is in
AD Evaluation state.

We have one more active draft, draft-ietf-uta-smtp-require-tls, which needs
more discussion and reviews.

We had a very lively and fruitful discussion in London on the mta-sts and
requiretls drafts.

Leif & Valery


From nobody Sat Mar 24 14:04:53 2018
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: "saag@ietf.org" <saag@ietf.org>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <20180321231624.GK55745@kduck.kaduk.org>
From: "Dr. Pala" <director@openca.org>
Organization: OpenCA Labs
Message-ID: <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org>
Date: Sat, 24 Mar 2018 15:04:48 -0600
In-Reply-To: <20180321231624.GK55745@kduck.kaduk.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gjdU3XALgi2dTFFAo0uMPUZ97Sw>
Subject: Re: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01

Hi Ben,


On 3/21/18 5:16 PM, Benjamin Kaduk wrote:
> [...]
> It would probably be helpful if you included a description of what
> attacker capabilities are present in your mental model.  If the
> attacker is modelled as being in control of the network (and
> revocation status is carried over HTTP-not-S) then the claim of
> equivalence between short-lived certs and "short-lived" OCSP holds
> much more weight.  When you say that a second party can get the
> valid revocation status information, that implies that the attacker
> does *not* have full control over the network -- so what exactly can
> and cannot the attacker do?
I think that the case you describe was already discussed in my brief
feedback for the document; however, let me clarify a bit more.

The equivalence in the security level between the two environments would
hold if and only if an attacker controls (active attacker) any possible
path to the revocation information (i.e., not just one client, but all
the clients that might retrieve the rev info are affected). On the open
internet, that would be to control all redundant links to where the
services are provided (e.g., full control over CDNs' redundant links).

In the short-lived certificates case, instead, once the keys are
compromised, they are compromised for EVERY client relying on those
certificates without the need for an attacker to have active-attacker
properties over the entire network.

Putting it in a different way: for the case with revocation information,
the attacker not only needs to be able to compromise the private key, but
it also needs to own all possible paths to the revocation information,
whilst for the short-revo case, the compromise of the key is a
sufficient condition to successfully carry out the attack. Don't you
agree? So, from this point of view, you need a more powerful attacker
for the case that makes use of revocation information - therefore I
really do not see the equivalence. Deploying a revocation infrastructure
actually increases the resources needed by an attacker, therefore
decreasing the risk factors and increasing the security level.

Even when using formal verification methods, these two attackers really
look different. I really do not think you can carry out the same attack
with the least powerful attacker in both scenarios. If I am wrong, can
you please let me know why this distinction in the needed resources for
an attacker does not affect your perception of equivalence?

Cheers,

-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director

From nobody Sat Mar 24 14:26:21 2018
Cc: Security Area Advisory Group <saag@ietf.org>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <CF306EF7-1C3A-4319-8B52-4F4D5DFC1B92@gmail.com>
From: "Dr. Pala" <director@openca.org>
Organization: OpenCA Labs
Message-ID: <93692396-1346-675a-b77a-771c52bfb8bc@openca.org>
Date: Sat, 24 Mar 2018 15:26:15 -0600
In-Reply-To: <CF306EF7-1C3A-4319-8B52-4F4D5DFC1B92@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/7QTIVHIjlzJGGQgsDkCD1H4yyiw>
Subject: Re: [saag] [pkix] Considerations and Clarifications about draft-nir-saag-star-01

Hi Yoav,

responses inline.


On 3/22/18 5:10 AM, Yoav Nir wrote:
> [...]
> I disagree. The most common use of certificates by sheer volume of
> transactions is server authentication on the web, and some of the most
> popular clients
> avoid revocation checking on long-lived certificates unless the
> revocation information is supplied via stapling. No revocation
> checking on long-lived
That is an application-level choice that might be ok in some
environments but not all. For example, many environments (not browsers,
which are not the greatest examples when it comes to security) mandate
checking revocation information or terminating the connection
(e.g., OCF, CMI, MulteFire, etc.). If the document is limited to a
specific scope, then it should be clearly stated - but the scope, IMHO,
is not well defined.

I guess you are restricting the use-case to TLS only, correct? I do not
think I saw this anywhere in the document.
> certificates is worse than no revocation checking on short-lived
> certificates. I was not making the claim that short-lived-no-revo is
> as good as any-lived-plus-revo, only that it is at least as good as
> the common practice.
I am a little confused, I thought that the web, because of certificate
transparency, was NOT a good use-case for short-lived certs.
> [...]
> That is a strange property of CRLs (or OCSP responses) in that they
> are objects with multiple consumers. The RP does not need to know the
> reason - the decision for it is binary: the certificate is either
> valid or invalid. Other entities may use it as a slice of the
> database. The date property makes sense if very specific applications
> where there are time-stamped, signed and counter-signed messages. For
> the common case of authenticating entities in TLS or IKE it is
> irrelevant. I think the draft should have some text limiting scope to
> cases that don't care about revocation time.
So, this document's scope is TLS or IKE only?
>> [...]
> Sure. As soon as the CA receives a report that a certificate is
> compromised, a new CRL (or OCSP response) is issued. However, assuming
> the RP has downloaded the CRL 1 day earlier, that CRL marked as having
> a nextUpdate 3 days later. The RP will not download the new CRL for 3
> more days, and will therefore continue to accept the compromised
> certificate for 3 days.
Maybe also here I was not really clear enough - sorry. What you are
saying is true for ONE RP, but when there are multiple RPs that might
access the revocation information at different times, what you describe
is actually a limited view of the problem.
> This can be mitigated by the RP having a local policy of refreshing
> CRLs every so often, say every day. This limits the exposure time to
> 24 hours, but does not eliminate it entirely.
It does not; however, this takes off the table the equivalency in the
security of the two environments (revo vs. non-revo). Don't you agree?
> OCSP stapling makes this worse. The compromised EE will have a cached
> OCSP response that is valid for 4 days. It will use this in TLS or
> IKE, and the RP will never check it.
Actually that is not entirely true - you assume that applications all
behave like browsers. Even when the OCSP is stapled, if the
application's policy is to have < 1d old revo info available, it will
retrieve the OCSP if the stapled ones are not fresh - if no access to
the rev-info is available, then the connection shall be terminated
because the trust settings are not satisfied by the connection /
validation.

Therefore "will never check it" is a limited vision, IMHO.
> That is what I mean by saying that compromised short-lived-no-rev
> certificates are treated as valid for as long as any-lived-with-rev
> certificates if you set the lifetime similarly. The new revocation
> information may be available, but it's not used.
Again, it MAY be equivalent ONLY IF new revocation information is not
checked. This is a big difference from the blank statements that are in
the draft today.
>>
>> [...]
> When this becomes a LAMPS working group item, it can definitely use
> all the input. This is why the feel of the room in SecDispatch was
> that this document needed a working group and was not appropriate for
> AD-sponsored.
>>
>> Just my 2 cents from an old barnacle... :D
>>
> Bah! If you're an old barnacle, what does this say about me? :-)
I am not sure, but I have been dealing w/ PKIs from all aspects
(implementations, deployment, research, etc.) for almost 30 years now.
Maybe we can be barnacles together! Yeah! Power to the barnacles!!!!

Cheers,
Max

P.S.: There are many other points that I raised in the original feedback
- I would like them to be discussed too, if possible :D I guess that
will happen in LAMPS, at some point :D

-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director


From nobody Mon Mar 26 08:45:10 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75282126C89 for <saag@ietfa.amsl.com>; Mon, 26 Mar 2018 08:45:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level: 
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RdxG6D5RC81w for <saag@ietfa.amsl.com>; Mon, 26 Mar 2018 08:45:06 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 173E21252BA for <saag@ietf.org>; Mon, 26 Mar 2018 08:45:05 -0700 (PDT)
X-AuditID: 1209190f-1fdff7000000676b-7e-5ab91580fc93
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 6D.E6.26475.08519BA5; Mon, 26 Mar 2018 11:45:05 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id w2QFj3Jw018078; Mon, 26 Mar 2018 11:45:04 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2QFj0tk018972 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 26 Mar 2018 11:45:03 -0400
Date: Mon, 26 Mar 2018 10:45:00 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Dr. Pala" <director@openca.org>
Cc: ;, Security Area Advisory Group <saag@ietf.org>
Message-ID: <20180326154500.GF44086@kduck.kaduk.org>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <CF306EF7-1C3A-4319-8B52-4F4D5DFC1B92@gmail.com> <93692396-1346-675a-b77a-771c52bfb8bc@openca.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <93692396-1346-675a-b77a-771c52bfb8bc@openca.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/GPFNqiia2hOHaD9OzgEzHM-Nf1I>
Subject: Re: [saag] [pkix] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 15:45:07 -0000

On Sat, Mar 24, 2018 at 03:26:15PM -0600, Dr. Pala wrote:
> On 3/22/18 5:10 AM, Yoav Nir wrote:
> > Sure. As soon as the CA receives a report that a certificate is
> > compromised, a new CRL (or OCSP response) is issued. However, assuming
> > the RP has downloaded the CRL 1 day earlier, that CRL was marked as having
> > a nextUpdate 3 days later. The RP will not download the new CRL for 3
> > more days, and will therefore continue to accept the compromised
> > certificate for 3 days.
> Maybe also here I was not really clear enough - sorry. What you are
> saying is true for ONE RP, but when there are multiple RPs that might
> access the revocation information at different times, what you describe
> is actually a limited view of the problem.

That depends on the security model and what capabilities you are
willing to grant to the attacker.  Which relates directly to the
question I asked in my previous message on this thread -- are you
planning to reply to it?

Thanks,

Ben


From nobody Mon Mar 26 10:45:24 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13BF1120227 for <saag@ietfa.amsl.com>; Mon, 26 Mar 2018 10:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level: 
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UouJVUFQZFFo for <saag@ietfa.amsl.com>; Mon, 26 Mar 2018 10:45:18 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [212.16.101.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0217126B6E for <saag@ietf.org>; Mon, 26 Mar 2018 10:45:17 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w2QHjA5I004865 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 26 Mar 2018 20:45:14 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w2QHj51I008847; Mon, 26 Mar 2018 20:45:05 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23225.12705.274706.848829@fireball.acr.fi>
Date: Mon, 26 Mar 2018 20:45:05 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Dr. Pala" <director@openca.org>
Cc: Benjamin Kaduk <kaduk@mit.edu>, "saag\@ietf.org" <saag@ietf.org>
In-Reply-To: <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <20180321231624.GK55745@kduck.kaduk.org> <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 6 min
X-Total-Time: 6 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/lhhSuLfVEVF8kpY6gjvs4kyPcEc>
Subject: Re: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 17:45:20 -0000

Dr. Pala writes:
> Putting it in a different way: for the case with revocation
> information, the attacker not only need to be able to compromise the
> private key, but it also need to own all possible paths to the
> revocation information whilst for the short-revo case, the
> compromise of the key is a sufficient condition to successfully
> carry out the attack. Don't you agree ?

In most protocols there is a way to provide the revocation status
(OCSP, CRLs etc) in-band, inside the protocol itself, thus the attacker
does not need to control anything in the network; it simply sends the
certificate and the revocation information to the receiver, and as
long as the revocation information is still valid the receiver will
accept it and not even try to fetch anything from the network. This
means that the attacker can usually even force the receiver to accept CRLs
or OCSP responses as long as they are valid, even if new ones have
already been created.

From the receiver's point of view it will get a valid certificate and
signed revocation information telling that the certificate is still valid
until the nextUpdate time, so why should it fetch anything from the net?
The attacker of course does not include the latest revocation information,
which marks the certificate as revoked, but the old one which did not do
that yet, as long as the nextUpdate is not in the past.
-- 
kivinen@iki.fi


From nobody Mon Mar 26 14:47:01 2018
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7BCB126D3F for <saag@ietfa.amsl.com>; Mon, 26 Mar 2018 14:47:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level: 
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9rQ29E33nku0 for <saag@ietfa.amsl.com>; Mon, 26 Mar 2018 14:46:59 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5B5E126CF6 for <saag@ietf.org>; Mon, 26 Mar 2018 14:46:58 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 1F7A720090; Mon, 26 Mar 2018 17:56:16 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id CCD5A80AF9; Mon, 26 Mar 2018 17:46:57 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "saag\@ietf.org" <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <23225.12705.274706.848829@fireball.acr.fi>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <20180321231624.GK55745@kduck.kaduk.org> <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org> <23225.12705.274706.848829@fireball.acr.fi>
X-Mailer: MH-E 8.6; nmh 1.7-RC3; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Mon, 26 Mar 2018 17:46:57 -0400
Message-ID: <8550.1522100817@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/H1Sk3m-8ilNr5a8OtSvS__Q2CgA>
Subject: Re: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 21:47:01 -0000


{BTW: I read the document, and I like it a lot. Should I be Reply-To:
lamps at this point}

Tero Kivinen <kivinen@iki.fi> wrote:
    > In most protocols there is a way to provide the revocation status
    > (OCSP, CRLs etc) in-band, inside the protocol itself, thus the attacker
    > does not need to control anything in the network; it simply sends the
    > certificate and the revocation information to the receiver, and as
    > long as the revocation information is still valid the receiver will
    > accept it and not even try to fetch anything from the network. This
    > means that the attacker can usually even force the receiver to accept CRLs
    > or OCSP responses as long as they are valid, even if new ones have
    > already been created.

And just to add: this is an intended *feature* of CRLs and certificates.
They can be used offline, and they do not cause traffic or dependency
upon the certificate authority.  The CA can be entirely offline if
CRLs can be delivered out-of-band.

(BUT: I thought OCSP was always supposed to be "online", never in-band?
Perhaps there are things about OCSP of which I'm simply ignorant)

    > From the receiver's point of view it will get a valid certificate and
    > signed revocation information telling that the certificate is still valid
    > until the nextUpdate time, so why should it fetch anything from the net?
    > The attacker of course does not include the latest revocation information,
    > which marks the certificate as revoked, but the old one which did not do
    > that yet, as long as the nextUpdate is not in the past.
    > --
    > kivinen@iki.fi

    > _______________________________________________
    > saag mailing list
    > saag@ietf.org
    > https://www.ietf.org/mailman/listinfo/saag

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-






From nobody Tue Mar 27 07:00:34 2018
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D3F712DA12 for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q9ighF8o5SCl for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:00:27 -0700 (PDT)
Received: from mail1.bemta8.messagelabs.com (mail1.bemta8.messagelabs.com [216.82.243.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8798D12DA11 for <saag@ietf.org>; Tue, 27 Mar 2018 07:00:27 -0700 (PDT)
Received: from [216.82.242.36] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-13.bemta-8.messagelabs.com id 09/60-08494-97E4ABA5; Tue, 27 Mar 2018 14:00:25 +0000
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-9.tower-94.messagelabs.com!1522159223!186136272!1
X-Originating-IP: [207.46.163.49]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 119866 invoked from network); 27 Mar 2018 14:00:24 -0000
Received: from mail-cys01nam02lp0049.outbound.protection.outlook.com (HELO NAM02-CY1-obe.outbound.protection.outlook.com) (207.46.163.49) by server-9.tower-94.messagelabs.com with AES256-SHA256 encrypted SMTP; 27 Mar 2018 14:00:24 -0000
Received: from MWHPR14MB1376.namprd14.prod.outlook.com (10.173.232.139) by MWHPR14MB1550.namprd14.prod.outlook.com (10.173.233.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.609.10; Tue, 27 Mar 2018 14:00:21 +0000
Received: from MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::ad66:bb50:b8e8:9dfd]) by MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::ad66:bb50:b8e8:9dfd%17]) with mapi id 15.20.0609.012; Tue, 27 Mar 2018 14:00:21 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "saag@ietf.org" <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
Thread-Index: AQHTw7PI4q+7c2s7ckerQUuOBJNIsKPizPGAgABDlICAAQ25oA==
Date: Tue, 27 Mar 2018 14:00:21 +0000
Message-ID: <MWHPR14MB1376A884355FD44842C7995383AC0@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <20180321231624.GK55745@kduck.kaduk.org> <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org> <23225.12705.274706.848829@fireball.acr.fi> <8550.1522100817@obiwan.sandelman.ca>
In-Reply-To: <8550.1522100817@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [98.111.253.132]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0132_01D3C5B2.699C2E10"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b89b6035-4d5c-41d2-0dff-08d593eb14c2
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2018 14:00:21.6715 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR14MB1550
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1QUy-u8ShaqtTzysGcsxp03dax4>
Subject: Re: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 14:00:32 -0000


> (BUT: I thought OCSP was always supposed to be "online", never in-band?
> Perhaps there are things about OCSP which I'm simply ignorant)

OCSP is actually a bit of a misnomer.  The "online" part just means you can
query for only the certificate you want, when you want, instead of having 
to download and process the entire CRL.  How you get the signed OCSP 
response doesn't really matter.  This is why OCSP stapling works (well,
sort of works; webservers need to improve their support for it), where the
server fetches the OCSP response for you, and includes it in the protocol.

It's also worth mentioning that if you are worried about people giving you
still valid but not fresh OCSP responses, the OCSP protocol does support
sending a nonce to the OCSP server.

There are a variety of ways of handling revocation, and short lived 
certificates are just one possible answer.  One of the problems with
the document is that instead of explaining in a balanced way the
advantages of short-lived certificates, it tries to go overboard and claim
that all other revocation methods are inferior in all circumstances,
which isn't true.

-Tim
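The exchange above (Tero's point that an old but still-valid CRL or OCSP response can be presented in-band, and Tim's nonce remedy), together with Yoav's and Pala's earlier one-RP versus many-RPs question, as an added worked model in Python; it is not code from the draft or from any message in this thread, and the timeline, serial number, RP names and the Policy/accept_cert/exposure_until names are constructed assumptions:

```python
"""Model of the revocation-freshness trade-off discussed in this thread.

Constructed example; not code from draft-nir-saag-star or from anyone on
the list.  Relying parties (RPs) cache signed revocation information (a CRL
or an OCSP response) and, by default, trust it until its nextUpdate, so a
stale-but-valid copy presented in-band keeps a revoked certificate alive.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Optional, Tuple

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


@dataclass(frozen=True)
class RevocationInfo:
    """A signed CRL or OCSP response, reduced to the fields that matter here."""
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]
    nonce: Optional[bytes] = None   # echoed request nonce (OCSP only), if any


@dataclass(frozen=True)
class Policy:
    """How an RP judges the revocation information presented to it."""
    max_age: Optional[timedelta] = None   # reject info older than this
    require_nonce: bool = False           # reject responses lacking our nonce


def accept_cert(serial: int, info: RevocationInfo, now: datetime,
                policy: Policy, sent_nonce: Optional[bytes] = None
                ) -> Tuple[bool, str]:
    """Decide whether to accept a certificate given the revocation info that
    came with it.  Policy() is the behaviour Tero describes: anything that is
    correctly signed and not past nextUpdate is trusted as-is.  Signature
    verification is assumed to have happened before this call."""
    if not info.this_update <= now <= info.next_update:
        return False, "revocation info outside its validity window"
    # A replayed response cannot carry the nonce we generated just now.
    # Not every responder echoes nonces, so max_age is the fallback control.
    if policy.require_nonce and (sent_nonce is None or info.nonce != sent_nonce):
        return False, "nonce missing or mismatched (possible replay)"
    if policy.max_age is not None and now - info.this_update > policy.max_age:
        return False, "revocation info valid but older than local policy allows"
    if serial in info.revoked_serials:
        return False, "certificate is revoked"
    return True, "certificate accepted"


def exposure_until(caches: Dict[str, RevocationInfo],
                   not_after: datetime) -> Dict[str, datetime]:
    """For each RP, the instant it stops accepting a certificate revoked after
    its cached info was issued: the cached nextUpdate, or the certificate's
    own notAfter if that comes first."""
    return {rp: min(info.next_update, not_after) for rp, info in caches.items()}


def scenario() -> dict:
    """Yoav's single-RP example extended to several RPs, as Pala's reply asks.
    Constructed timeline: the CA issues a CRL daily, each valid for 4 days;
    the compromise is reported at day 0; RPs fetched CRLs at different times."""
    day0 = datetime(2018, 3, 24)

    def crl(issued_day: int, revoked: FrozenSet[int] = frozenset()) -> RevocationInfo:
        issued = day0 + issued_day * DAY
        return RevocationInfo(issued, issued + 4 * DAY, revoked)

    serial = 0x1234                            # constructed serial number
    caches = {"rp_a": crl(-3), "rp_b": crl(-1), "rp_c": crl(0)}
    fresh = crl(0, frozenset({serial}))        # issued right after the report
    long_lived_not_after = day0 + 300 * DAY    # long-lived certificate
    short_lived_not_after = day0 + 2 * DAY     # 3-day certificate issued day -1
    now = day0 + 1 * HOUR
    lenient, strict = Policy(), Policy(max_age=6 * HOUR)
    ends = exposure_until(caches, long_lived_not_after)
    return {
        # Old-but-valid CRL presented in-band: a lenient RP keeps accepting.
        "replayed_lenient": accept_cert(serial, caches["rp_b"], now, lenient),
        # The same CRL under a freshness policy is rejected as too old.
        "replayed_strict": accept_cert(serial, caches["rp_b"], now, strict),
        # The fresh CRL marks the serial revoked under any policy.
        "fresh_lenient": accept_cert(serial, fresh, now, lenient),
        # With an OCSP nonce, a replayed response fails the nonce check.
        "replayed_nonce": accept_cert(serial, caches["rp_b"], now,
                                      Policy(require_nonce=True), b"n-42"),
        # Days after the report during which each RP still accepts the cert.
        "crl_exposure_days": {rp: (t - day0) / DAY for rp, t in ends.items()},
        "crl_last_rp_days": (max(ends.values()) - day0) / DAY,
        "short_lived_days": (short_lived_not_after - day0) / DAY,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running it shows the lenient RP accepting the replayed CRL while the max-age and nonce policies reject it, and that the exposure window ends at the last RP's cached nextUpdate rather than at the compromise report.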






From nobody Tue Mar 27 07:19:24 2018
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A79F120713 for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id spyBDcf67Nj3 for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:19:20 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 144DF1274D2 for <saag@ietf.org>; Tue, 27 Mar 2018 07:19:19 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w2REEltx017380; Tue, 27 Mar 2018 15:19:17 +0100
Received: from prod-mail-ppoint4 ([96.6.114.87]) by mx0b-00190b01.pphosted.com with ESMTP id 2gwjufesya-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 27 Mar 2018 15:19:17 +0100
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w2REGReN030797; Tue, 27 Mar 2018 10:19:16 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.53]) by prod-mail-ppoint4.akamai.com with ESMTP id 2gwj0wajxq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 27 Mar 2018 10:19:16 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com (172.27.123.103) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 27 Mar 2018 10:19:08 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com ([172.27.123.103]) by usma1ex-dag1mb3.msg.corp.akamai.com ([172.27.123.103]) with mapi id 15.00.1263.000; Tue, 27 Mar 2018 10:19:08 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "saag@ietf.org" <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
Thread-Index: AQHTw7PHppzS/fcZ50e+VRfbxJFjV6PjD/+AgABDlICAAQ/3gP//wgkA
Date: Tue, 27 Mar 2018 14:19:08 +0000
Message-ID: <D439F6E5-8A38-40B1-93CF-47219DD1F17E@akamai.com>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <20180321231624.GK55745@kduck.kaduk.org> <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org> <23225.12705.274706.848829@fireball.acr.fi> <8550.1522100817@obiwan.sandelman.ca> <MWHPR14MB1376A884355FD44842C7995383AC0@MWHPR14MB1376.namprd14.prod.outlook.com>
In-Reply-To: <MWHPR14MB1376A884355FD44842C7995383AC0@MWHPR14MB1376.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.37.125]
Content-Type: text/plain; charset="utf-8"
Content-ID: <452634493D2E854C9AA19AA1761E1BFF@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-27_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=443 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803270145
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-27_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=372 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803270144
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/_pzNBWdLfybhRt6hrH_bCm_8m_g>
Subject: Re: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 14:19:22 -0000

>    It's also worth mentioning that if you are worried about people giving you
>    still valid but not fresh OCSP responses, the OCSP protocol does support
>    sending a nonce to the OCSP server.

Yes, but it's also worth mentioning that this is not supported by many of the biggest OCSP responders.


From nobody Tue Mar 27 07:27:13 2018
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D52312E8D4 for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:27:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qtusohLqBEwK for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:27:05 -0700 (PDT)
Received: from mail1.bemta12.messagelabs.com (mail1.bemta12.messagelabs.com [216.82.251.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D799B12E876 for <saag@ietf.org>; Tue, 27 Mar 2018 07:27:03 -0700 (PDT)
Received: from [216.82.249.212] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-6.bemta-12.messagelabs.com id 1E/3A-27145-7B45ABA5; Tue, 27 Mar 2018 14:27:03 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WTa0zTUBiGPW3XlbmaMkA+JwRdNCrJECQoCQm a8GcxwWi8/ECNFqlscRtLOwUSjXiNoIDITYeGkcw/RJAgAuIligwUNURChKgoKAoMryFAHCK2 6/DSX8933ve833dOTilcM0pqKS7LzvFW1qwjVUTfkoY4feO2lpToY7MR8e6uYTL+XGuhMn62I ZeILynMxTYQhuI2J25wuX5ghocTVYTh5OU7+GYiRWGypmZk7VUYb01cRbb8xKyBwWJlDvIm5C EVRTBfMeiorcClQsOUYTBZ5UVyMYCgt84lKgEUyUTDi7sdmCQEM0UIOqbKCEkIYnaCc8BLShz M7IJv021I5k3Q476mlJhglkPB41eYxLTomazN97cbx6CiuMbXIYBJhDcj7b5QxCyEqc5rvg04 Ewovhyp9DEwwDD5/QsocAqPvfylk/y64Mt7qX9dB7afXfn84dFee9R0HmAYMbt7/qZAFPXwrL cVlToZ70z2YbOpGcKXqlD8pEibyPKKJEvkAvHu5eG75TJvD38CFg7dRJXMYzAzX+3O+KODud7 evgYZJg5LquemmMXhfdlS+Oi309+Si82iV45+DOsT9OFOJYPKNU+nwXVkgPL40RMimSCit8fg 5Apo+X8ZlToCL3gekzEuh5OygUuY4GHN/R05EVaOVAscf4nh9zJqoVN6UbrRbWJNZHyOWFk4Q 2HTOzKYKUfsyLPVIfHDzxK8ZdZUltaJFFKYLoZ8ZWlI0C1Iz0rKNrGDcwx80c0IrCqMoHdDDW 0UtkOfSuaz9JrP4audkoNS6YHpUkmnBxloEU7osdaJYqqd8+DRO9Y2MncY1hDXDymlD6QbJyk hW40Hrn6C5P6AbhWuDaCSOplHbON5isv+ve1AohXRB9GEpRW2y2v/084ijYOIojcebpVHs7F9 Jm4PIvsy2HXZLXfvtpsSvCexU3akh+kT5nrinNaolzrTVRW/dJZ5tuzfWHbLdXlGc/bw/7CaZ 9ihT/WF+cqwjqaKXsW9vjqnpHBCaCl31FddPfh4PSJldd+P+x/URuxXGlryq0b22tV59R4Krb 2vcFl5F1PdOqbFlRbGW9iP9BRdmAnWEYGRjInFeYH8DuBbUXPwDAAA=
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-6.tower-219.messagelabs.com!1522160822!186961396!1
X-Originating-IP: [216.32.180.53]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 11995 invoked from network); 27 Mar 2018 14:27:02 -0000
Received: from mail-by2nam03lp0053.outbound.protection.outlook.com (HELO NAM03-BY2-obe.outbound.protection.outlook.com) (216.32.180.53) by server-6.tower-219.messagelabs.com with AES256-GCM-SHA384 encrypted SMTP; 27 Mar 2018 14:27:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ec4jMGDqJVwAjNsXLJMQxlFyPxQvMofyeYKEQs3Nk+M=; b=tgIWT/X02dJvdRo7nATTCo935lvLqACcIxMHYjPk+t6nUYTtdx7UZ8WQNC8iRjo8czQ63kTpUWxrOHw7Uc6XDQNFXLF06VS5mHhr6o5xJZ1U4MUEN9Q5htx0P+dj0H8OX6JF9l+XnAEM8JgedgrkEtJT7WQ7SSd9qWP1hUF/Txs=
Received: from MWHPR14MB1376.namprd14.prod.outlook.com (10.173.232.139) by MWHPR14MB1773.namprd14.prod.outlook.com (10.171.147.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.609.10; Tue, 27 Mar 2018 14:27:00 +0000
Received: from MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::ad66:bb50:b8e8:9dfd]) by MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::ad66:bb50:b8e8:9dfd%17]) with mapi id 15.20.0609.012; Tue, 27 Mar 2018 14:27:00 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: "Salz, Rich" <rsalz@akamai.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "saag@ietf.org" <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
Thread-Index: AQHTw7PI4q+7c2s7ckerQUuOBJNIsKPizPGAgABDlICAAQ25oIAAB30AgAAAULA=
Date: Tue, 27 Mar 2018 14:27:00 +0000
Message-ID: <MWHPR14MB13764149B14672894BC1B6BD83AC0@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <20180321231624.GK55745@kduck.kaduk.org> <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org> <23225.12705.274706.848829@fireball.acr.fi> <8550.1522100817@obiwan.sandelman.ca> <MWHPR14MB1376A884355FD44842C7995383AC0@MWHPR14MB1376.namprd14.prod.outlook.com> <D439F6E5-8A38-40B1-93CF-47219DD1F17E@akamai.com>
In-Reply-To: <D439F6E5-8A38-40B1-93CF-47219DD1F17E@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [98.111.253.132]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR14MB1773; 7:fwJv36hbk4c3eUqsRyUcjzBRK2QpW4QKbPPHMVWGChAJl9nDP5PaML3Cs1DDFYzRdn8rXFmCUKxxGbT+iLy1aIFFc7BEkWNY19rHlWFQDPUxkta1yc1ygIe1ogfvMV1e2FJzyoqIhNMsNxc+vMGQ8qHgXM7P0mHY3E8/dCLJQ9ASrvkNkDNZOGEyllvofRAFqJpm9DHtvDSHOX8B0ZlFkjmqCNjTVl6X6R5LoRu5k2VVG04gqDFEfu8kEx5P7F7B
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: c70e12ce-b253-487f-9ee2-08d593eecdbf
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(49563074)(7193020); SRVR:MWHPR14MB1773; 
x-ms-traffictypediagnostic: MWHPR14MB1773:
x-microsoft-antispam-prvs: <MWHPR14MB177371BBFB88C23E8718065183AC0@MWHPR14MB1773.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(5005006)(8121501046)(3231221)(944501327)(52105095)(93006095)(93001095)(10201501046)(3002001)(6041310)(20161123558120)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(6072148)(201708071742011); SRVR:MWHPR14MB1773; BCL:0; PCL:0; RULEID:; SRVR:MWHPR14MB1773; 
x-forefront-prvs: 0624A2429E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39380400002)(39860400002)(366004)(396003)(376002)(13464003)(199004)(189003)(5250100002)(93886005)(105586002)(2501003)(3280700002)(7736002)(7696005)(81166006)(81156014)(102836004)(486005)(5660300001)(3660700001)(6436002)(486005)(74316002)(478600001)(305945005)(8676002)(8936002)(106356001)(55016002)(186003)(86362001)(2900100001)(26005)(9686003)(99936001)(97736004)(99286004)(3846002)(2906002)(6116002)(6246003)(53936002)(66066001)(14454004)(76176011)(33656002)(25786009)(110136005)(6506007)(476003)(11346002)(53546011)(316002)(68736007)(229853002)(446003); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR14MB1773; H:MWHPR14MB1376.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: yXl2+gCkcx4gx6z7I9x1r12DBGioIs0hIyyjgd2YVUAIbyHPxUXMZdbpWn5OVfpYM9Jo8XkFKI1VIuBJfdUIbgud2pzZO5fh0z2vJ3/U4M1VRHmE8zV+A92iq0uaiXjOplETJHlCzmtGncQU4m4sC6brFSsjjARM+BPkdDA0Mjo9GP91yhWaa5auYzjHaBAC1dsrpTrLTwBjOQGmodPtyP4g4jCHiCVq0rpnUxFybeuOgDSSfN9X1eKdKfM0aCluj0ckUWzNEZKWPXf57QXH97kzG3ETgRUo5k69XarD2mGKNQN3vDP3wkNWLZQcoEBGn4cu8nFnZHY+gdVNSQzv9Q==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0137_01D3C5B6.22077470"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c70e12ce-b253-487f-9ee2-08d593eecdbf
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2018 14:27:00.5086 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR14MB1773
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/W2Wl2cpEv9-pj7VxV152sk9dxFY>
Subject: Re: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 14:27:12 -0000

------=_NextPart_000_0137_01D3C5B6.22077470
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: 7bit

True.  This is largely because it is difficult to support with CDN 
configurations.
Although one of the top ten CAs used to do it.

It's something I'd like us to optionally support in the future, for those who
want to use it.

-Tim

> -----Original Message-----
> From: Salz, Rich [mailto:rsalz@akamai.com]
> Sent: Tuesday, March 27, 2018 10:19 AM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>; Michael Richardson
> <mcr+ietf@sandelman.ca>; saag@ietf.org; Tero Kivinen <kivinen@iki.fi>
> Subject: Re: [saag] [lamps] Considerations and Clarifications about
> draft-nir-saag-star-01
>
> >    It's also worth mentioning that if you are worried about people giving
> >    you still valid but not fresh OCSP responses, the OCSP protocol does
> >    support sending a nonce to the OCSP server.
>
> Yes, but it's also worth mentioning that this is not supported by many of
> the biggest OCSP responders.
>


------=_NextPart_000_0137_01D3C5B6.22077470
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"


------=_NextPart_000_0137_01D3C5B6.22077470--


From nobody Tue Mar 27 07:30:48 2018
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8306B1274D2 for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:30:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xDAi2uZgyvjW for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:30:45 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 587F312DA23 for <saag@ietf.org>; Tue, 27 Mar 2018 07:30:40 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w2RESB4R021344; Tue, 27 Mar 2018 15:30:37 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=UXvtJDQEnSsKO+V579mgLNRB636jtiLXrbjCqQtfXW4=; b=o+LBSk1kf+rR5sVxSOBCwSh0FoFfx3ZhzfWIfqgDcrTV4NfxwDOPQi1R3r8HobPBdO5r h48GWjg3DqiXv0BoFs2VTIz5PyRUdLmbP0/WJAIjVD69CAXtTAlxXhp6MIeH7GQmV8J3 503rzE31+f4/0FBkuF47lXWzGcM9vfJ4+/Q+meCcugoe4+k7LNWJp4F53+fd+Jw5jegj xCGkuO9iIGZ4tYMAiryzNCKIXjBdSlknyKOK2O9Jbo0r6rclfWWAr6Fq7PI/rTJO9xXz CMA7CdbFVHbgObI4Y9zx0TxRk92KfySDygWAF77ri2BNglGlKHqpNJP4CDUmj6pq/sAj Og== 
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18]) by m0050102.ppops.net-00190b01. with ESMTP id 2gwk8xqey5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 27 Mar 2018 15:30:37 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w2REQZls009863; Tue, 27 Mar 2018 10:30:36 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.34]) by prod-mail-ppoint1.akamai.com with ESMTP id 2gwj0vga42-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 27 Mar 2018 10:30:36 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com (172.27.123.103) by usma1ex-dag1mb1.msg.corp.akamai.com (172.27.123.101) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 27 Mar 2018 10:30:36 -0400
Received: from USMA1EX-DAG1MB3.msg.corp.akamai.com ([172.27.123.103]) by usma1ex-dag1mb3.msg.corp.akamai.com ([172.27.123.103]) with mapi id 15.00.1263.000; Tue, 27 Mar 2018 10:30:35 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "saag@ietf.org" <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
Thread-Index: AQHTw7PHppzS/fcZ50e+VRfbxJFjV6PjD/+AgABDlICAAQ/3gP//wgkAgABFaQD//73ygA==
Date: Tue, 27 Mar 2018 14:30:35 +0000
Message-ID: <FD2D9AE8-797F-465A-96B0-81E4FC12BEE9@akamai.com>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <20180321231624.GK55745@kduck.kaduk.org> <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org> <23225.12705.274706.848829@fireball.acr.fi> <8550.1522100817@obiwan.sandelman.ca> <MWHPR14MB1376A884355FD44842C7995383AC0@MWHPR14MB1376.namprd14.prod.outlook.com> <D439F6E5-8A38-40B1-93CF-47219DD1F17E@akamai.com> <MWHPR14MB13764149B14672894BC1B6BD83AC0@MWHPR14MB1376.namprd14.prod.outlook.com>
In-Reply-To: <MWHPR14MB13764149B14672894BC1B6BD83AC0@MWHPR14MB1376.namprd14.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.b.0.180311
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.37.125]
Content-Type: text/plain; charset="utf-8"
Content-ID: <2248FA5163CAD944992E901544ABD1BA@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-27_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=452 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803270146
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-03-27_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=385 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1803270146
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zPjV8JWeXW8eTxTzrEMblytpBCw>
Subject: Re: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 14:30:46 -0000

>    True.  This is largely because it is difficult to support with CDN
>    configurations.

Nah, the CDN isn't the issue.  It's having the OCSP responder online and available all the time that's the issue.


From nobody Tue Mar 27 07:33:45 2018
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41D4912DA23 for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIXce_RuIBe9 for <saag@ietfa.amsl.com>; Tue, 27 Mar 2018 07:33:42 -0700 (PDT)
Received: from mail1.bemta12.messagelabs.com (mail1.bemta12.messagelabs.com [216.82.251.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C1571274D2 for <saag@ietf.org>; Tue, 27 Mar 2018 07:33:42 -0700 (PDT)
Received: from [216.82.249.212] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-16.bemta-12.messagelabs.com id 83/74-08484-6465ABA5; Tue, 27 Mar 2018 14:33:42 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA1WTe0hTURzHd+69u7uKq+uc+msk0UIqY6tl0cp eIMEgNP8oKzPrWjc32kN2pyyiMpPArDR1acvSmkGUGZnlq4JWFtlDkt5lOSxXMyuxqMweu7vr 9d/n3M/3d36/cziXwmX9pIJi7TbWamaMSjKU6FS7lqoWpbamTXM9obXtnV5Su9tdLNH+bCwkt OXFhdhCQld2tQbX1dZ+xXRXPh0hdAVVF/AUIk1sMGda7GvF+gqfD2V/n2sfcfahPFSUsAuFUg T9HoMzRbcl/EJGOzC447qGC4seBG1tQ8QuFEKR9DR4cPE6xgs5vQ/B9c/7AyKCXgU1PcMkz3I 6HT58u4oEToNjzqcSngk6FnrrT+M8S/2ZBreLFDp8wWHw8jMxL0Lo+TBUWRMoQHQUfO6ow3jG 6Wh48rI6wEDLwXP3JilwJLzp/SEW8ulwaMgd/K6E+rfPgvkY6KouQgI3YvDpTLrAKvjgcOACJ 0FT38nAkYHuQnBh35FgcRzkbX8rEXgjlDr3BjkBdpz3kkJBLQ6OUk9wp7Hw3duACeKdGIp7rg Vay+j1UH7CHaz4hsHphofBy1NA971CVIImO/85qtOfw+lqBKWubokzcGnhcOPAS0IIxYHjlC/ I46BpoAoXOAEqhy+TAo+H8iKPROCZ0N8+iGoQdQJN4lhrLmtVxWvUmVZDlt5mYgxGlUYzXW1i OY7JYo1MJqdeZzE1IP+T2yYSoWY08jHJjcZQmDJSelvXmiYblWlZv0nPcPo11hwjy7nRWIpSg vTRUr8Lt7JZrH2Dweh/t781UGFKuXQir6VcNmPiDFmC6kDxVGOFdydOPXrdvxOXEWaLmVVES2 OW+aM0H9XnmP9s9Psf6EIxiggpEolEsrBs1moy2P73PhRNIWWENIPfJcxgtv3p5/OPgvlHOZ/ fzI9iY/4qRR5a9nh80/3aL5IS+Qgx5Sy5egE3f9CSn7xy9uaMSpcm/FxndMHW9tDlOfl3BnK7 EodXHaxqya0ojp0QFZv8PMqTol6hWrzEdFcxb5Zlzmj9w5uvkpNu5Su3bhn2HG6x2TfPatcs7 BkqS71Ulhg/O7SgtU6xx310RuSLMSenxnqbjmtTy5QEp2c0cbiVY34BTmtW6f4DAAA=
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-7.tower-219.messagelabs.com!1522161220!184082487!1
X-Originating-IP: [207.46.163.84]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 15784 invoked from network); 27 Mar 2018 14:33:41 -0000
Received: from mail-bl2nam02lp0084.outbound.protection.outlook.com (HELO NAM02-BL2-obe.outbound.protection.outlook.com) (207.46.163.84) by server-7.tower-219.messagelabs.com with AES256-SHA256 encrypted SMTP; 27 Mar 2018 14:33:41 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ry8g6atiElqGWxhmR0yPvUt/TM9f+Wt6RHmz0uhHYqg=; b=AXTQXds48n7UKxZUl9VybFdDNkrAofZzCMMUoFKPLT4ANQrGlHb6Wro0fqYHnPJ4vsAin/ALc4CVer6QcOoBDEDlx/w9cMUsNNdJ2swl1iyciiRNco2X9XJxknxL6Hgp3br/imFNAP7GVM96a0/d8gB91b4yaVsaNfxN+5T0rrg=
Received: from MWHPR14MB1376.namprd14.prod.outlook.com (10.173.232.139) by MWHPR14MB1134.namprd14.prod.outlook.com (10.173.101.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.609.10; Tue, 27 Mar 2018 14:33:38 +0000
Received: from MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::ad66:bb50:b8e8:9dfd]) by MWHPR14MB1376.namprd14.prod.outlook.com ([fe80::ad66:bb50:b8e8:9dfd%17]) with mapi id 15.20.0609.012; Tue, 27 Mar 2018 14:33:37 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: "Salz, Rich" <rsalz@akamai.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "saag@ietf.org" <saag@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
Thread-Index: AQHTw7PI4q+7c2s7ckerQUuOBJNIsKPizPGAgABDlICAAQ25oIAAB30AgAAAULCAAALjgIAAAEKQ
Date: Tue, 27 Mar 2018 14:33:37 +0000
Message-ID: <MWHPR14MB13761D2127E388ACAEA6C01E83AC0@MWHPR14MB1376.namprd14.prod.outlook.com>
References: <bec28481-d4ff-5e6f-48bc-59c55c385321@openca.org> <20180321231624.GK55745@kduck.kaduk.org> <820a1cb3-5bc8-7903-b3eb-9b09dddff6b8@openca.org> <23225.12705.274706.848829@fireball.acr.fi> <8550.1522100817@obiwan.sandelman.ca> <MWHPR14MB1376A884355FD44842C7995383AC0@MWHPR14MB1376.namprd14.prod.outlook.com> <D439F6E5-8A38-40B1-93CF-47219DD1F17E@akamai.com> <MWHPR14MB13764149B14672894BC1B6BD83AC0@MWHPR14MB1376.namprd14.prod.outlook.com> <FD2D9AE8-797F-465A-96B0-81E4FC12BEE9@akamai.com>
In-Reply-To: <FD2D9AE8-797F-465A-96B0-81E4FC12BEE9@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [98.111.253.132]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR14MB1134; 7:xLIloN0GDPChB3B2F9L8KkzXqMnQdDgU4kpWGeY9UBPlN4E42E9DAEOzHWNDa9+VKld+UlN7LgsvlQrkSwR5wN8KUsj4u3Y4J4InvG9QA04BErhGbOOJfQa4a/QcQ91D0Z/DMeKTd5pmGeTUnq6khObCEaPiLjyM3PE2hRlAOeMpLpQB03Dh/S3DnepoIg2m91X5cb+MqxOFQdMAtfsm2EGC3UZIizJzO4dI/FX6a6SC8nm++q/PISwLQcpFxMa3
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 5b295283-5856-499b-3ac0-08d593efba8b
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(49563074)(7193020); SRVR:MWHPR14MB1134; 
x-ms-traffictypediagnostic: MWHPR14MB1134:
x-microsoft-antispam-prvs: <MWHPR14MB1134A4D3FEE94FE9B59D39B683AC0@MWHPR14MB1134.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(209352067349851);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(3002001)(10201501046)(3231221)(944501327)(52105095)(6041310)(20161123558120)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(6072148)(201708071742011); SRVR:MWHPR14MB1134; BCL:0; PCL:0; RULEID:; SRVR:MWHPR14MB1134; 
x-forefront-prvs: 0624A2429E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39380400002)(396003)(39860400002)(376002)(366004)(13464003)(189003)(199004)(8676002)(3660700001)(6116002)(3846002)(6246003)(81166006)(3280700002)(8936002)(53936002)(2900100001)(2906002)(186003)(105586002)(6436002)(26005)(74316002)(446003)(7736002)(486005)(66066001)(106356001)(486005)(7696005)(53546011)(11346002)(102836004)(76176011)(5660300001)(6506007)(305945005)(86362001)(229853002)(93886005)(97736004)(99286004)(14454004)(99936001)(25786009)(33656002)(110136005)(68736007)(55016002)(81156014)(476003)(2501003)(5250100002)(9686003)(316002)(478600001); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR14MB1134; H:MWHPR14MB1376.namprd14.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords;  MX:1; A:1; LANG:en; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: CcKGjih8cz2jTyXTlEKuPlXH5n8OPDfPS/RjhmLQnZd6c8He3mH+chyRPXvAD4c7UgI8NT1Z//279dBiVBBBU54Vvfzh7kkzhdgvgRHOPIQBBuK1f0Bv2lqU+04IEPofuMs1rReW+ipnYF8l7NPrbk/9WyN6ELFriVsF0nGi6lvj32ixdqD82GM0+TQ9+FtZd/psnQQxv7plkfGxLfjF8QSbc5thRIZRnjJdZg4vJjW56mk4S7VCnkXL0lkqfvsRl9fDkKjeaSEYNGysjPGFCW867NzoQAjgopplRLb55nw5Tf0PQrOPGCWSi/kuqYGfa1GqIkH3/M3eOVYWjc1BTA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_013B_01D3C5B7.0F79BD80"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5b295283-5856-499b-3ac0-08d593efba8b
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2018 14:33:37.7853 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR14MB1134
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ivfTtd84xsYwTo6B9fTNtIB0wXs>
Subject: Re: [saag] [lamps] Considerations and Clarifications about draft-nir-saag-star-01
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 14:33:44 -0000

------=_NextPart_000_013B_01D3C5B7.0F79BD80
Content-Type: text/plain;
	charset="utf-8"
Content-Transfer-Encoding: 7bit

Having worked at the company that stopped doing it, I can assure you the
CDN was in fact the issue.  Specifically, the issue was not wanting to have
an OCSP signing key on a CDN server.

-Tim

> -----Original Message-----
> From: Salz, Rich [mailto:rsalz@akamai.com]
> Sent: Tuesday, March 27, 2018 10:31 AM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>; Michael Richardson
> <mcr+ietf@sandelman.ca>; saag@ietf.org; Tero Kivinen <kivinen@iki.fi>
> Subject: Re: [saag] [lamps] Considerations and Clarifications about 
> draft-nir-
> saag-star-01
>
> >    True.  This is largely because it is difficult to support with CDN
> >    configurations.
>
> Nah, the CDN isn't the issue.  It's having the OCSP responder online and
> available all the time that's the issue.
>


------=_NextPart_000_013B_01D3C5B7.0F79BD80
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
------=_NextPart_000_013B_01D3C5B7.0F79BD80--


From nobody Thu Mar 29 13:27:56 2018
Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 171A512741D; Thu, 29 Mar 2018 13:27:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZN_eWNb9nUO; Thu, 29 Mar 2018 13:27:44 -0700 (PDT)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20976126B6E; Thu, 29 Mar 2018 13:27:44 -0700 (PDT)
Received: by mail-qk0-x22f.google.com with SMTP id z184so7336444qkc.1; Thu, 29 Mar 2018 13:27:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to; bh=6rL1QyevSF8O+IkfRWC5dTRqInJZUFIqJlilseo5kdw=; b=OOwYBs2mNmADDGkzXDidkgCCpFOJrlq3bVTlq3S0Jn5iP6C76e4If8fs1Bo2fFLgN2 Z40+LaOD0epIpfsXo/lUmcdz37X2n1TvttS2LODrbP3VPKN9mHvNJgXGNcnSvFRevW07 vSR3vKVR140fcxOCnb1jGqjwg3UH9Nc8a6FtWxEewPsTHGmgdIJRzN7Df8EOMk32gRC2 VtmFiOOBmNYDEaMnGQLOj+xg8X1hqzHvssV2c05HS1Qm47gxUMIcc+b1UNfJgABnJPw4 joBJUR5fpSnYaop2IWJSAY/RV0MFqmWME8MkhiE1TgCFTW/wTufXjg9gAEaV2BPuAhNQ JCmA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=6rL1QyevSF8O+IkfRWC5dTRqInJZUFIqJlilseo5kdw=; b=IaJaF0KKVq6GZLpwbVcU7R7vVqJpqGa1EI88u/vPaelEzDTlXb42/rTl+E5VoiwSmY RAusU60tUvenBdFcRje10AXVoJv4JRz5fKx/ARIl/JYZADSeTd/GRQMoUvPf8wAvk9jV RXFoWQ9oNDpHViPqFtkcuU5lhE7Q4/P3rrL2f7ZsHW6tVIz3vMW6yH3QSvWqNVy8rYey 8HwdAGI494d/hjvqOmskkTkCM99wiWnZm8NB8QDpwryGgI5s/ZdVif3+Ots4Pf9PBiiC Q7oLObSU49eF2FC2Aa1DT0ck2RX+GFhGOI4bw/4ca8H5SJQjlaYHMAqTBLRAcyNAy2b+ gW/Q==
X-Gm-Message-State: ALQs6tDQNC+rl39StC/wcjrkRH6r8Jakmy/O8d5T8FApjlO7kI4o9L8c TXb86R1uszkjvoHMP+pHnq/wmGeOo8CxmZ9tJjvRxtUz
X-Google-Smtp-Source: AIpwx49y/w4+RIjaI2fH9FFMgiesPn/9WU6trLz9foLitIN5eilUcXSOGaeH+RuxaOpm8EmNf+1pR/ohvA1C1azvV6g=
X-Received: by 10.55.176.193 with SMTP id z184mr3760288qke.120.1522355262803;  Thu, 29 Mar 2018 13:27:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.12.152.225 with HTTP; Thu, 29 Mar 2018 13:27:42 -0700 (PDT)
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 29 Mar 2018 13:27:42 -0700
Message-ID: <CACsn0cmy=svmvAoTXqH1uE+DOMA+aWaLhyNRtwf_zSegxZpHcg@mail.gmail.com>
To: "<iesg@ietf.org>" <iesg@ietf.org>, saag@ietf.org,  draft-hoffman-dns-in-json.all@tools.ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/pZrC0qjkFdiT9P1arbBup2HwBhI>
Subject: [saag] SECDIR review of draft-hoffman-dns-in-json
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 20:27:46 -0000

Dear all,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is ready with issues.

I have some very strong reservations about defining a data format
without some strong round-tripping guarantees and with as much
flexibility as this one. The JSON format for DNS packets is intended
to permit representation of malformed packets, and has a high degree
of flexibility, with an intent that applications define profiles of it
for themselves.

There are considerable security implications to doing this not
addressed in the Security Implications section, in addition to obvious
interoperability issues. For example, if we have a filter for JSON
representations of DNS packets, this filter must share the same
semantics for the output JSON as the consumer, even in the face of
such bizarreries as HEX and regular fields with different contents,
malformed length fields, etc. etc. I expect that this can and will
cause serious issues.

I would suggest we not represent invalid packets and ensure all valid
packets have a unique representation. Failing that, the security
considerations should at a minimum be amended to include a discussion of
these issues. A schema that can be used to validate DNS packets
represented in JSON could also help address these problems.

Sincerely,
Watson Ladd
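
The filter/consumer mismatch and the round-trip check the review above argues for, as an added example that is not part of the message or of the draft under review. It uses a toy JSON profile for one resource record; the member names NAME, TYPE, TTL, RDLENGTH, RDATA and RDATAHEX and the sample records are assumptions constructed for this example, not the draft's schema. Two readers that prefer different members decode the same record differently; the validator rejects any record that admits more than one reading or whose length member disagrees with the rdata, and `canonical` plus `serialize` give each valid record exactly one byte-for-byte representation that survives a decode/encode cycle.

```python
import json
import ipaddress

# Added example: a toy JSON-for-DNS resource-record profile used to show why
# a format that lets the same rdata appear twice (as presentation text and as
# raw hex) can be read differently by a filter and by a consumer, and how a
# validator enforces one unique, round-trippable representation.
# The member names NAME, TYPE, TTL, RDLENGTH, RDATA and RDATAHEX are
# assumptions for this toy, not the draft's schema.

class AmbiguousRecord(ValueError):
    """Raised when a record admits more than one reading."""

def rdata_from_text(rtype, text):
    """Presentation form -> wire octets for the two RR types the toy supports."""
    if rtype == 1:    # A
        return ipaddress.IPv4Address(text).packed
    if rtype == 28:   # AAAA
        return ipaddress.IPv6Address(text).packed
    raise ValueError(f"unsupported TYPE {rtype}")

def filter_view(rr):
    """A security filter that prefers the human-readable RDATA member."""
    if "RDATA" in rr:
        return rdata_from_text(rr["TYPE"], rr["RDATA"])
    return bytes.fromhex(rr["RDATAHEX"])

def consumer_view(rr):
    """A downstream consumer that prefers the raw RDATAHEX member."""
    if "RDATAHEX" in rr:
        return bytes.fromhex(rr["RDATAHEX"])
    return rdata_from_text(rr["TYPE"], rr["RDATA"])

def validate_record(rr):
    """Return the rdata octets if the record has exactly one reading, else raise."""
    readings = set()
    if "RDATAHEX" in rr:
        readings.add(bytes.fromhex(rr["RDATAHEX"]))
    if "RDATA" in rr:
        readings.add(rdata_from_text(rr["TYPE"], rr["RDATA"]))
    if not readings:
        raise AmbiguousRecord("record carries no rdata")
    if len(readings) != 1:
        raise AmbiguousRecord("RDATA and RDATAHEX decode to different octets")
    (octets,) = readings
    # A length member that disagrees with the actual rdata is the "malformed
    # length field" case: reject it instead of letting each parser pick one.
    if "RDLENGTH" in rr and rr["RDLENGTH"] != len(octets):
        raise AmbiguousRecord("RDLENGTH does not match the rdata length")
    return octets

def is_unambiguous(rr):
    """True if the validator accepts the record (AmbiguousRecord is a ValueError)."""
    try:
        validate_record(rr)
        return True
    except ValueError:
        return False

def canonical(rr):
    """Unique representation: owner name lower-cased, numeric TYPE,
    rdata as hex only; RDLENGTH is implied by the rdata and therefore dropped."""
    octets = validate_record(rr)
    return {"NAME": rr["NAME"].lower(), "TYPE": int(rr["TYPE"]),
            "TTL": int(rr["TTL"]), "RDATAHEX": octets.hex()}

def serialize(rr):
    """Deterministic JSON text for a canonical record (sorted keys, no whitespace)."""
    return json.dumps(canonical(rr), sort_keys=True, separators=(",", ":"))

def round_trips(rr):
    """Encode -> decode -> encode must reproduce the same text exactly."""
    text = serialize(rr)
    return serialize(json.loads(text)) == text

# Constructed sample records (documentation addresses, not real hosts).
GOOD = {"NAME": "Example.Test.", "TYPE": 1, "TTL": 300,
        "RDATA": "192.0.2.1", "RDATAHEX": "c0000201", "RDLENGTH": 4}
AMBIGUOUS = {"NAME": "example.test.", "TYPE": 1, "TTL": 300,
             "RDATA": "192.0.2.1", "RDATAHEX": "c6336401", "RDLENGTH": 4}
BAD_LENGTH = {"NAME": "example.test.", "TYPE": 1, "TTL": 300,
              "RDATAHEX": "c0000201", "RDLENGTH": 5}

if __name__ == "__main__":
    print("filter sees  ", filter_view(AMBIGUOUS).hex())    # c0000201
    print("consumer sees", consumer_view(AMBIGUOUS).hex())  # c6336401
    for name, rr in [("GOOD", GOOD), ("AMBIGUOUS", AMBIGUOUS), ("BAD_LENGTH", BAD_LENGTH)]:
        print(name, "accepted" if is_unambiguous(rr) else "rejected")
    print(serialize(GOOD))
```

Running the script shows the filter and the consumer decoding the same AMBIGUOUS record to two different addresses (192.0.2.1 versus 198.51.100.1), which is exactly the situation in which a filter's allow/deny decision no longer applies to what the consumer acts on. The validator is the schema-style check the review asks for: a record passes only when every member that encodes the rdata agrees, and `canonical` then keeps one form so that two equal records always serialize identically.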

