
From nobody Tue May  8 08:44:56 2018
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
CC: "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>, "saag@ietf.org" <saag@ietf.org>
Date: Tue, 8 May 2018 15:44:49 +0000
Message-ID: <682FEF03-A08D-40F7-9F25-4071B7A2143F@cisco.com>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz>
In-Reply-To: <1525092187804.38190@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/SUfhliN-wlwH7l88omo3gv_XtK8>
Subject: Re: [saag] Comment added to draft-gutmann-scep history

From nobody Thu May 31 02:38:48 2018
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "saag@ietf.org" <saag@ietf.org>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <682FEF03-A08D-40F7-9F25-4071B7A2143F@cisco.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <2c8b2388-cf2c-ba87-0761-b7facd672426@isode.com>
Date: Thu, 31 May 2018 12:38:40 +0300
In-Reply-To: <682FEF03-A08D-40F7-9F25-4071B7A2143F@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2h8EZLsRdlP3S05MK9fPv3qpORE>
Subject: Re: [saag] Comment added to draft-gutmann-scep history

Hi Max,

On 08/05/2018 18:44, Max Pritikin (pritikin) wrote:
>
> To reinforce a point Peter is making inline: there are “errors” in how SCEP uses a number of HTTP fields, and “unclean” uses of unregistered MIME types and a bunch of other little things. What SCEP got right was simplicity. This allowed it to endure for 20yrs or so.
>
> Updating SCEP to modern understandings of how all this stuff should be used (while maintaining the simplicity) is why EST (RFC7030) exists. If SCEP had been an RFC I’d suggest that EST “obsoletes” it.
>
> I don’t see the value in updating all this stuff in SCEP at this point — despite agreeing with the concerns. Doing so would only create yet another new protocol in this already crowded space. I wouldn’t even begin to know how to explain all this to somebody new to the field.

I understand that this exercise is mostly about documenting a protocol
which was in use for a long time. So I don't expect SCEP to change on
the wire. However, I don't think publishing an RFC that seems to bless
incorrect or outdated use of HTTP and MIME is a good idea. I would like
to have very clear disclaimers in the document, either at the beginning
or in specific cases where it deviates from best current practices. This
is not a big ask and this is not hard to do.

Best Regards,
Alexey

> - max
>
>> On Apr 30, 2018, at 6:43 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
>>
>> Apologies for the long delay in responding, I've been buried in other work.
>> Also, I'm not sure who to send this to, I got notified via a do-not-reply
>> address, I assume it goes to the SAAG list?
>>
>> A general response to this, I didn't write this document so as with the
>> previous review I'll have to say "it was like this when I got here" in several
>> cases, I've left the original authors' text intact wherever possible but
>> without rewriting half the doc in my own words I can't really defend a lot of
>> the text because I didn't write it.
>>
>> Also, some of the comments apply to things that have already been picked over
>> and corrected.  What will happen if I start making alterations to the
>> alterations?  Will it go to publication after that, or will it reset the
>> counter back to requiring further changes if people object to the changes?
>> I'm concerned that I'm going to get caught between two lots of editing
>> changes, I tried to change/fix everything that people pointed out last time,
>> but if I make more changes now it may end up undoing or changing the things
>> that people wanted the last time round.
>>
>>> 1) In general, the document is using several unregistered MIME types with
>>> "x-" prefix:
>>>
>>> application/x-x509-ca-cert
>>> application/x-x509-ca-ra-cert
>>> application/x-pki-message
>>> application/x-x509-next-ca-cert
>>>
>>> These should be registered in the IANA Considerations as per Appendix A of
>>> RFC 6838.
>>
>> Isn't the whole point of the x- type that it doesn't need to be, and indeed
>> can't be, registered?  RFC 6838 says:
>>
>>  Types in this tree cannot be registered and are intended for use only with
>>  the active agreement of the parties exchanging them.
>>
>>> application/x-x509-ca-cert
>>>
>>> How is this different from application/pkix-cert registered in RFC 2585?
>>
>> No idea, it was like that when I got here.  I assume one is a CA cert and the
>> other isn't.
>>
>>>   "GET" CGI-PATH CGI-PROG "?operation=GetCACaps"
>>>
>>> This is not a correct ABNF (in case you intended to define a formal syntax
>>> here) and this is not a correct HTTP request line. Please make it one or
>>> another, or clarify somewhere syntax that you use.
>>
>> What form should it be in?  It's been like this for close to twenty years, I
>> just left what the original authors had put there in place, I honestly don't
>> know what else to put in there.
>>
>>> Also, I don't think CGI-PATH and CGI-PROG are significant for the request
>>
>> They aren't, that's why I updated the text to mention this.  However everyone
>> seems to use fixed values for these based on close to 20 years of draft use,
>> so they're not used but their presence is required.
>>
>>> Again, this is neither correct formal syntax nor correct HTTP requests.
>>
>> Quite probably.  What should it say?
>>
>>> Firstly, clients don't care about HTTP server using CGI, they just care about
>>> knowing where to send SCEP requests.
>>
>> Sure, that's why I said so in the updated draft, just hardcode in "/cgi-
>> bin/pkiclient.exe" for compatibility with existing implementations.
>>
>>> Secondly, hardcoded URI paths are in violation of RFC 7320. You can read more
>>> on this in Section 4.4 of
>>>
>>> <https://datatracker.ietf.org/doc/draft-ietf-httpbis-bcp56bis/?include_text=1>
>>
>> SCEP predates RFC 7320 by 14-15 years, so it's a bit late to the party...
>>
>>> I understand that this is a deployed protocol and the default path used is
>>> unlikely to change. However, I don't think the document should pay so much
>>> attention to use of CGI-PATH/CGI-PROG. My suggestion is: a) Remove any
>>> reference to CGI-PROG/CGI-PATH from the document b) Replace the above section
>>> with something like this:
>>
>> See above, the text already says that it's only there for backwards
>> compatibility.  I can change it to remove CGI-PROG/CGI-PATH if required, but
>> I'm worried about this triggering another round of comments and editing,
>> particularly since there are multiple places in the text that will require
>> changes.
>>
>>> 1) Missing references:
>>
>> Are these really needed?  References to AES and SHA-2 and LDAP?  It's just
>> going to add a lot of noise to the spec, will people really need to be given a
>> reference to the AES spec in order to implement SCEP?
>>
>>> 2) Should ACME work be mentioned in the Introduction?
>>
>> There are quite a lot of cert-enrolment protocols, the original SCEP text only
>> covers CMP and CMP which date from the same time as SCEP, I didn't want to get
>> into a survey of other protocols because it'd be a long and somewhat tedious
>> list.
>>
>>> Clients shouldn't care whether or not SCEP is provided by a CGI program.
>>> Please change this to "CA HTTP URL path" or "CA HTTP URI path".
>>
>> See above about potential cascading changes throughout the text, I'd really
>> prefer to just leave this stuff alone since it's worked OK for nearly 20
>> years.
>>
>>> How often and for how long should a client poll? Recommending some defaults
>>> would be useful to set expectations.
>>
>> I have no idea... I mean I literally have no idea, I don't know what
>> implementations do in practice.  I know that in some cases with manual
>> approval it can take hours, but I'm not sure if that's typical.  It could be
>> seconds, minutes, hours...
>>
>>> Why not "MUST NOT" and what are possible implications of violating the SHOULD
>>> NOT?
>>
>> Because some implementations may choose to parse at least a few common error
>> strings.  They shouldn't, but they can if they want to.
>>
>>> What does the last requirement actually mean? Is this describing order of
>>> certificates or just saying that it is not an intermediate certificate?
>>
>> It's saying that the leaf certificate in the chain is the issued certificate.
>>
>>> So just to double check that I understood this correctly: the client is
>>> generating a self-signed certificate B in order to retrieve its certificate A
>>> signed by CA?
>>
>> Yes.
>>
>>> The last requirement is quite problematic for extensibility. I understand why
>>> this sentence is there though. Are future extensions to SCEP likely?
>>
>> Why is it problematic for extensibility?  What's returned is lines of text,
>> you can add any further lines you like.
>>
>>>   A SCEP CA is the entity that signs client certificates.  A CA MAY
>>>   enforce any arbitrary policies and apply them to certificate
>>>   requests, and MAY reject a request for any reason.
>>>
>>> I think this is pretty much granted and doesn't need to be said, especially
>>> the latter part.
>>
>> This was something that previous people who commented on it requested, see my
>> earlier comment about being caught between conflicting requests for changes.
>>
>>> When referencing RFC 4648 you should specify the section number to avoid all
>>> confusion. I assume you meant Section 4?
>>
>> Yes, I've updated the text although it already points out that it's "base64"
>> and not "base64url" that's used.
>>
>> Peter.
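The GetCACaps exchange that Peter and Alexey argue about above, written out as an added example (not code from draft-gutmann-scep, the thread, or any SCEP implementation): the request-target with the hardcoded `/cgi-bin/pkiclient.exe` path, a parse of the "lines of text" capability response that reports unknown lines instead of failing on them, and a Content-Type check that also accepts the RFC 2585 alias `application/pkix-cert` that Alexey's concern #2 asks about. The recognised keyword set, the alias equivalence and the `text/plain` expectation for GetCACaps are this example's assumptions.

```python
"""Client-side handling of the SCEP GetCACaps exchange (added example)."""
from __future__ import annotations

# Path that deployed clients hardcode for compatibility, as the thread notes.
CGI_PATH = "/cgi-bin/pkiclient.exe"

# Capability keywords this example recognises (assumption: a subset of the
# GetCACaps keywords in the draft). The response is "lines of text", so any
# other line is kept and reported as unknown instead of failing the parse.
KNOWN_CAPS = frozenset({
    "AES", "DES3", "GetNextCACert", "POSTPKIOperation", "Renewal",
    "SHA-1", "SHA-256", "SHA-512", "SCEPStandard",
})

# The registered alias from RFC 2585 that the thread compares with the "x-"
# type. Accepting both is this example's defensive choice, not draft text.
CONTENT_TYPE_ALIASES = {
    "application/x-x509-ca-cert": frozenset({
        "application/x-x509-ca-cert", "application/pkix-cert",
    }),
}


def request_target(operation: str, path: str = CGI_PATH) -> str:
    """Build the request-target of a SCEP GET, e.g. '...?operation=GetCACaps'."""
    if not operation.isalnum():
        raise ValueError("operation must be a plain keyword")
    return f"{path}?operation={operation}"


def split_response(raw: bytes) -> tuple[int, dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lower-cased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed response: no header/body separator")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def content_type_matches(actual: str | None, expected: str) -> bool:
    """Compare media types, ignoring parameters (charset) and applying known aliases."""
    if actual is None:
        return False
    media_type = actual.split(";", 1)[0].strip().lower()
    return media_type in CONTENT_TYPE_ALIASES.get(expected, frozenset({expected}))


def parse_ca_caps(raw: bytes) -> tuple[set[str], list[str]]:
    """Parse a GetCACaps response into (recognised capabilities, unknown lines)."""
    status, headers, body = split_response(raw)
    if status != 200:
        raise ValueError(f"GetCACaps failed with HTTP {status}")
    # Assumption: GetCACaps answers are text/plain; the "x-" types in the
    # thread belong to the certificate and PKI-message operations.
    if not content_type_matches(headers.get("content-type"), "text/plain"):
        raise ValueError(f"unexpected Content-Type {headers.get('content-type')!r}")
    known: set[str] = set()
    unknown: list[str] = []
    for line in body.decode("ascii", errors="replace").splitlines():
        token = line.strip()
        if not token:
            continue
        if token in KNOWN_CAPS:
            known.add(token)
        else:
            unknown.append(token)
    return known, unknown


# Constructed sample response; "FutureThing" stands in for a capability line
# the client has never heard of (Peter's extensibility point).
SAMPLE_GETCACAPS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"AES\r\nPOSTPKIOperation\r\nSHA-256\r\nSCEPStandard\r\nFutureThing\r\n"
)

if __name__ == "__main__":
    print("GET", request_target("GetCACaps"))
    print(parse_ca_caps(SAMPLE_GETCACAPS))
```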


From nobody Thu May 31 03:00:43 2018
From: John Mattsson <john.mattsson@ericsson.com>
To: "TLS@ietf.org" <TLS@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Date: Thu, 31 May 2018 10:00:16 +0000
Message-ID: <ACF840A5-B506-43E1-BD1F-3FAD76AE7B84@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/1idEBoqjeebH-eRx1O88vEMFXu8>
Subject: [saag] TLS 1.3 mandatory to support in 3GPP 5G

From nobody Thu May 31 03:13:43 2018
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>
Cc: "saag@ietf.org" <saag@ietf.org>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com>
Date: Thu, 31 May 2018 13:13:37 +0300
In-Reply-To: <1525092187804.38190@cs.auckland.ac.nz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/7DjzB4uMcaJq-9mDDZ6vUwSHVEY>
Subject: Re: [saag] Comment added to draft-gutmann-scep history

Hi Peter,

On 30/04/2018 15:43, Peter Gutmann wrote:
> Apologies for the long delay in responding, I've been buried in other work.
> Also, I'm not sure who to send this to, I got notified via a do-not-reply
> address, I assume it goes to the SAAG list?
>
> A general response to this, I didn't write this document so as with the
> previous review I'll have to say "it was like this when I got here" in several
> cases, I've left the original authors' text intact wherever possible but
> without rewriting half the doc in my own words I can't really defend a lot of
> the text because I didn't write it.

Understood.

> Also, some of the comments apply to things that have already been picked over
> and corrected.  What will happen if I start making alterations to the
> alterations?  Will it go to publication after that, or will it reset the
> counter back to requiring further changes if people object to the changes?

I think it depends on what the changes look like at the end.

> I'm concerned that I'm going to get caught between two lots of editing
> changes, I tried to change/fix everything that people pointed out last time,
> but if I make more changes now it may end up undoing or changing the things
> that people wanted the last time round.

Two comments on this:

1) I need you to help me by flagging which text was modified in the
past due to comments. I might agree or disagree with these changes, and
they might be highlighting sections which need more work anyway.

2) The argument "I am not going to modify this, because I already
modified this text" is generally not sufficient in my book. You need to
engage in a discussion about why the text is this way and whether it can
be made correct or clear.

>> 1) In general, the document is using several unregistered MIME types with
>> "x-" prefix:
>>
>> application/x-x509-ca-cert
>> application/x-x509-ca-ra-cert
>> application/x-pki-message
>> application/x-x509-next-ca-cert
>>
>> These should be registered in the IANA Considerations as per Appendix A of
>> RFC 6838.
>
> Isn't the whole point of the x- type that it doesn't need to be, and indeed
> can't be, registered?  RFC 6838 says:
>
>   Types in this tree cannot be registered and are intended for use only with
>   the active agreement of the parties exchanging them.
>
>> application/x-x509-ca-cert
>>
>>  How is this different from application/pkix-cert registered in RFC 2585?
>
> No idea, it was like that when I got here.  I assume one is a CA cert and the
> other isn't.

To elaborate on my concern here:

1) using undocumented MIME types is like having an underspecified
protocol. Registering everything is my first preference.

2) if I have a general Web Server that happens to return different MIME
types here (because there are other already registered MIME types that
mean the same thing), is this going to be a problem for SCEP clients?

If you can convince me that #2 is not an issue, then I suggest adding a
note to the document saying that it is using a bunch of MIME types that
are not registered (or have different registered aliases, but used here
for historic reasons). I am happy to suggest some text.

>
>>    "GET" CGI-PATH CGI-PROG "?operation=GetCACaps"
>>
>> This is not a correct ABNF (in case you intended to define a formal syntax
>> here) and this is not a correct HTTP request line. Please make it one or
>> the other, or clarify somewhere the syntax that you use.
>
> What form should it be in?  It's been like this for close to twenty years, I
> just left what the original authors had put there in place, I honestly don't
> know what else to put in there.

I think either ABNF (which is pretty universally used in IETF RFCs) or
in free text form which sort of looks like HTTP request line, but isn't.
Please pick one and I can suggest some small specific edits to reflect that.

>> Also, I don't think CGI-PATH and CGI-PROG are significant for the request
>
> They aren't, that's why I updated the text to mention this.  However everyone
> seems to use fixed values for these based on close to 20 years of draft use,
> so they're not used but their presence is required.

I would like to use an ABNF terminal for this and explain that the
path is typically as you describe in only one place in the document.
There are at least 2 instances of this in the document which make it
look like it is OK to hardcode HTTP URL paths in documents. As I
explained earlier in my reply, I don't want this document to be used as a
precedent to violate best current practices.

>> Again, this is neither correct formal syntax nor correct HTTP requests.
>
> Quite probably.  What should it say?

As above: pick between ABNF and free form text and I can suggest some
specific edits.

>> Firstly, clients don't care about HTTP server using CGI, they just care about
>> knowing where to send SCEP requests.
>
> Sure, that's why I said so in the updated draft, just hardcode in "/cgi-bin/pkiclient.exe"
> for compatibility with existing implementations.
>
>> Secondly, hardcoded URI paths are in violation of RFC 7320. You can read more
>> on this in Section 4.4 of
>>
>> <https://datatracker.ietf.org/doc/draft-ietf-httpbis-bcp56bis/?include_text=1>
>
> SCEP predates RFC 7320 by 14-15 years, so it's a bit late to the party...
>
>> I understand that this is a deployed protocol and the default path used is
>> unlikely to change. However, I don't think the document should pay so much
>> attention to use of CGI-PATH/CGI-PROG. My suggestion is: a) Remove any
>> reference to CGI-PROG/CGI-PATH from the document b) Replace the above section
>> with something like this:
>
> See above, the text already says that it's only there for backwards
> compatibility.  I can change it to remove CGI-PROG/CGI-PATH if required, but
> I'm worried about this triggering another round of comments and editing,

I don't think this is avoidable. Don't make it painful for yourself ;-)

> particularly since there are multiple places in the text that will require
> changes.
>
>> 1) Missing references:
>
> Are these really needed?  References to AES and SHA-2 and LDAP?

Yes.

> It's just
> going to add a lot of noise to the spec,

Seriously?

> will people really need to be given a
> reference to the AES spec in order to implement SCEP?

Yes, because it is a required part of implementing SCEP and people
shouldn't just try to Google to find the right spec and end up finding a
wrong one. So AES and SHA-2 are absolutely Normative references.

>> 2) Should ACME work be mentioned in the Introduction?
>
> There are quite a lot of cert-enrolment protocols, the original SCEP text only
> covers CMP and CMP which date from the same time as SCEP, I didn't want to get
> into a survey of other protocols because it'd be a long and somewhat tedious
> list.

I am actually OK with not mentioning ACME, but the text in the
introduction reads like it is arguing that SCEP is the best thing since
bread and butter, and I don't believe what it is trying to say is accurate.

>> Clients shouldn't care whether or not SCEP is provided by a CGI program.
>> Please change this to "CA HTTP URL path" or "CA HTTP URI path".
>
> See above about potential cascading changes throughout the text, I'd really
> prefer to just leave this stuff alone since it's worked OK for nearly 20
> years.

I am really trying not to give a sarcastic reply here, and I won't.

>> How often and for how long should a client poll? Recommending some defaults
>> would be useful to set expectations.
>
> I have no idea... I mean I literally have no idea, I don't know what
> implementations do in practice.  I know that in some cases with manual
> approval it can take hours, but I'm not sure if that's typical.  It could be
> seconds, minutes, hours...

I suspect you will get a blocking DISCUSS comment on this in IESG
review. But if you want to take your chances, I am Ok with no change.

>> Why not "MUST NOT" and what are possible implications of violating the SHOULD
>> NOT?
>
> Because some implementations may choose to parse at least a few common error
> strings.  They shouldn't, but they can if they want to.

People can violate any kind of requirement. I think the question here is
whether the document should encourage that.

I am Ok with leaving this as is, but be prepared to answer this question
in IESG review.

>> What does the last requirement actually mean? Is this describing order of
>> certificates or just saying that it is not an intermediate certificate?
>
> It's saying that the leaf certificate in the chain is the issued certificate.

I think this is unclear, as I don't know what "leaf" means here. Is it
the first or the last? If the order doesn't matter, then delete
everything starting from ", but the issued certificate MUST be" in this
sentence.

>> So just to double check that I understood this correctly: the client is
>> generating a self-signed certificate B in order to retrieve its certificate A
>> signed by CA?
>
> Yes.
>
>> The last requirement is quite problematic for extensibility. I understand why
>> this sentence is there though. Are future extensions to SCEP likely?
>
> Why is it problematic for extensibility?  What's returned is lines of text,
> you can add any further lines you like.

I think you are missing my point.

Here is a speculative example: a future extension to SCEP decides to use
JSON for returning this information. JSON will have a different media
type. If a client ignores it, it might be unable to parse it. Using
media type names for signalling payload format is one of the main
benefits of using MIME.

Ok, if you say nobody should extend SCEP in such a way, you should say
so in the document.

>>    A SCEP CA is the entity that signs client certificates.  A CA MAY
>>    enforce any arbitrary policies and apply them to certificate
>>    requests, and MAY reject a request for any reason.
>>
>> I think this is pretty much granted and doesn't need to be said, especially
>> the latter part.
>
> This was something that previous people who commented on it requested, see my
> earlier comment about being caught between conflicting requests for changes.

Fine with me.

>> When referencing RFC 4648 you should specify the section number to avoid all
>> confusion. I assume you meant Section 4?
>
> Yes, I've updated the text although it already points out that it's "base64"
> and not "base64url" that's used.
>
> Peter.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>

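As an added example (not code from the draft or from anyone in this thread), a small Python client-side handler that acts on the media type the way the reviewer argues above: it builds the GetCACaps URL with the fixed path the thread mentions, maps the legacy application/x-x509-ca-cert type onto the registered application/pkix-cert (that the two carry the same payload is an assumption the thread leaves open), and refuses to parse a GetCACaps body whose media type is not the assumed text/plain, rather than ignoring the type as the quoted draft text allows.

```python
from urllib.parse import urljoin, urlencode

# Assumption: the registered application/pkix-cert (RFC 2585) carries the
# same payload as the legacy application/x-x509-ca-cert, so a client can
# accept either from a general-purpose web server.
MEDIA_TYPE_ALIASES = {"application/x-x509-ca-cert": "application/pkix-cert"}
# Assumption: a GetCACaps response is announced as text/plain.
GETCACAPS_TYPE = "text/plain"
# Fixed default path kept for compatibility with existing deployments.
DEFAULT_CGI_PATH = "/cgi-bin/pkiclient.exe"


def build_getcacaps_url(base_url, operation="GetCACaps"):
    """Build the GetCACaps URL from a CA base URL with a proper query string."""
    return urljoin(base_url, DEFAULT_CGI_PATH) + "?" + urlencode({"operation": operation})


def media_type(content_type):
    """Bare, lower-cased media type with parameters (e.g. charset) removed."""
    return content_type.split(";", 1)[0].strip().lower()


def canonical_media_type(content_type):
    """Map a legacy x- type onto its registered equivalent, if one is known."""
    mt = media_type(content_type)
    return MEDIA_TYPE_ALIASES.get(mt, mt)


def parse_getcacaps(content_type, body):
    """Return the set of capability keywords from a GetCACaps response.
    The media type is checked first: a payload in another format (for example
    JSON from a future extension) raises instead of being misread as keywords.
    """
    mt = media_type(content_type)
    if mt != GETCACAPS_TYPE:
        raise ValueError("unexpected GetCACaps media type: " + mt)
    return {ln.strip() for ln in body.decode("ascii").splitlines() if ln.strip()}


# Constructed sample responses; not captured from any real SCEP server.
SAMPLE_TEXT = b"AES\r\nPOSTPKIOperation\r\nSHA-256\r\n"
SAMPLE_JSON = b'{"caps": ["AES"]}'

if __name__ == "__main__":
    print(build_getcacaps_url("https://ca.example/"))
    print(sorted(parse_getcacaps("text/plain; charset=us-ascii", SAMPLE_TEXT)))
    try:
        parse_getcacaps("application/json", SAMPLE_JSON)
    except ValueError as exc:
        print("rejected:", exc)
```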

From nobody Thu May 31 15:40:52 2018
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Comment added to draft-gutmann-scep history
Thread-Index: AQHTx0JalykNlRFNLEeHWmw80fOk66PxVi1qgCgcEDyADRoNAIAjv1MAgADagIA=
Date: Thu, 31 May 2018 22:40:44 +0000
Message-ID: <B6E084E5-9B9F-440F-8F2F-5BA7C2A68CEE@cisco.com>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <682FEF03-A08D-40F7-9F25-4071B7A2143F@cisco.com> <2c8b2388-cf2c-ba87-0761-b7facd672426@isode.com>
In-Reply-To: <2c8b2388-cf2c-ba87-0761-b7facd672426@isode.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IwR4OcXP5M0KFU2uNqotnr0C8pQ>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
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