
From nobody Sun Jul  1 04:07:38 2018
From: Henry Story <henry.story@bblfish.net>
Message-Id: <C21896EE-FE5B-4118-A35A-1F6DAC95E621@bblfish.net>
Date: Sun, 1 Jul 2018 12:07:27 +0100
To: saag@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/oQbXxDTxzYYC3Pe7INYgBe_zPrU>
Subject: [saag] stopping (https) phishing

Dear all,

  Recently the APWG (Anti-Phishing Working Group) reported a 6 fold increase in 2017
of phishing sites located on https servers. The aim of the phishers is to mislead people
into a false sense of confidence by using the green padlock that appears in some browsers
when landing on a site, which is understood to mean "secure". People misunderstand
this to mean they have landed on a legitimate website. With the great work of letsencrypt.org
getting TLS sites is easier and easier, which is good: because that stops all kinds of man
in the middle nonsense. But it reveals what has always been missing.

  What is missing is the socio-technical piece of the stack that would allow the icon
to mean "legitimate", i.e. embedded in a legal system of a country. I argue in this paper
which I am working on as part of my PhD thesis that this requires an institutional web of
trust, which needs the cooperation of some leading nations, the IETF and W3C.

   Stopping (https) phishing
   https://medium.com/@bblfish/stopping-https-phishing-42226ca9e7d9

I'd be interested to hear what issues people here see with the approach outlined there,
so that I can try to address them, or move onto something else :-)

	Henry Story

        PhD researcher on SocialMachines and CyberSecurity
        at Southampton University


From nobody Tue Jul  3 03:27:12 2018
Date: Tue, 3 Jul 2018 12:26:59 +0200 (CEST)
From: Bernie Hoeneisen <bernie@ietf.hoeneisen.ch>
To: saag@ietf.org
cc: IETF DISPATCH list <dispatch@ietf.org>
Message-ID: <alpine.DEB.2.20.1807031213110.2443@softronics.hoeneisen.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IQbCqd3y0UCEUDRjQ3QY1lSio48>
Subject: [saag] New Internet-Drafts on pEp - Privacy by Default

Dear SAAG WG
CC DISPATCH WG

Please be informed that we have submitted five Internet Drafts 
(see below) regarding the pEp (pretty Easy privacy) approach, which 
aims for opportunistic encryption of email and other messaging. The 
pEp technology is aimed to be as easy as possible for the end user, so 
that privacy technology will be widely implemented and used.


Overview of existing pEp Internet-Drafts:

- pEp General: Basic pEp concepts / requirements generally applicable
     https://tools.ietf.org/html/draft-birk-pep-02

- pEp Email: pEp concepts specifically applied to email communication
   (automatic generation of key pairs, automatic usage of encryption,
   privacy enhancements to existing email message formats, etc.)
     https://tools.ietf.org/html/draft-marques-pep-email-00
   Note: This -00 I-D is yet in a "rough" state.

- pEp Handshake: Easy process to ensure authentication of communication
   partners and channels using Trustwords.
     https://tools.ietf.org/html/draft-marques-pep-handshake-00

- pEp Trustwords: IANA Registration for Trustwords in different languages.
     https://tools.ietf.org/html/draft-birk-pep-trustwords-02

- pEp Privacy Rating: Definition of different Privacy States (unreliable,
   encrypted, etc.) and its mapping to a traffic light semantics
   (red, yellow, green, none) as an intuitive means for presenting the
   actual Privacy Status to the user.
     https://tools.ietf.org/html/draft-marques-pep-rating-00

Note: More I-Ds are still in the pipeline, e.g. synchronization of secret 
keys among different devices of the same user.


We are looking forward to your feedback!


All the best
  Bernie

--

http://ucom.ch/
Modern Telephony Solutions and Tech Consulting for Internet Technology


From nobody Thu Jul  5 22:24:19 2018
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "saag@ietf.org" <saag@ietf.org>
CC: "eat@ietf.org" <eat@ietf.org>
Date: Fri, 6 Jul 2018 05:24:10 +0000
Message-ID: <VI1PR0801MB2112BF487A2F7E6EEBCE3AD9FA470@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/G2SKBf-e_GFWWu-YVvyw7aZC4Q4>
Subject: [saag] Bar Bof about Attestation (EAT)

Hi all,

Some of you may have not seen that we created a mailing list (see https://www.ietf.org/mailman/listinfo/eat), and announced a Bar BOF at the upcoming IETF meeting to talk about the attestation token concept described in https://tools.ietf.org/html/draft-mandyam-eat-00.

The Bar BOF is on Monday, 16th July. The meeting starts at 18:00 after the afternoon session (which ends 17:50). Here is the original invite:
https://www.ietf.org/mail-archive/web/eat/current/msg00005.html

Ciao
Hannes



From nobody Fri Jul  6 07:18:15 2018
From: Carsten Bormann <cabo@tzi.org>
Date: Fri, 6 Jul 2018 16:18:00 +0200
Message-Id: <35392A32-6538-4E1F-A911-0B9F5C8E7000@tzi.org>
References: <c6f25230-df46-7cd3-9225-e9f70ed634f1@sit.fraunhofer.de>
To: saag@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/vtww-wRmtkXZcXInlnYAi6MTvp8>
Subject: [saag] Fwd: IETF 102 Remote Attestation Procedures (RATS) Bar BoF Invite


So, just for completeness and to minimize confusion about Bar BoFs in Montreal:
There will be a Bar BoF about remote attestation work at IETF on Thursday (19th) evening.
This is different from, and in addition to, the EAT-shaped one on Monday (16th).
See buried in the thread below.

Grüße, Carsten

> Begin forwarded message:
>
> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> Subject: Re: IETF 102 Remote Attestation Procedures (RATS) Bar BoF Invite
> Date: July 6, 2018 at 15:52:01 GMT+2
> To: [trimmed], “rats@ietf.org” <rats@ietf.org>
>
> Hi Hannes,
>
> thank you for forwarding that invitation!
>
> From my point of view, attestation really works as a flow. The EAT token may play a role in such a flow (after a number of technical issues have been resolved), but there is more to attestation than a token data format (it wouldn't even be totally wrong to say that there is no actual attestation in EAT).
>
> We are going to take a look at the bigger picture of remote attestation at the Bar BoF on Thursday evening.
>
> Viele Grüße,
>
> Henk
>
>
> On 07/06/2018 07:17 AM, Hannes Tschofenig wrote:
>> Hi Henk,
>> I fear you missed that Lawrence and I already reserved a room for a meeting about the attestation work we proposed. Here is the mail:
>> https://www.ietf.org/mail-archive/web/eat/current/msg00005.html
>> Ciao
>> Hannes
>> -----Original Message-----
>> From: Henk Birkholz [mailto:henk.birkholz@sit.fraunhofer.de]
>> Sent: 05 July 2018 23:52
>> To: DIEGO LOPEZ GARCIA; Xialiang (Frank); Hannes Tschofenig; Jessica Fitzgerald-McKay; Dave Waltermire; Banghart, Stephen A. (Fed); Shwetha Bhandari (shwethab); Bill Sulzen (bsulzen); Eric Voit (evoit); Giridhar Mandyam; Laurence Lundblade; ANTONIO AGUSTIN PASTOR PERALES; Mr. Ned Smith
>> Cc: Laffey, Tom (HPE Networking ATG); Guy Fedorkow; 'Wiseman, Monty (GE Global Research, US)'; Nancy Cam-Winget (ncamwing); Michael Eckel; rats@ietf.org
>> Subject: IETF 102 Remote Attestation Procedures (RATS) Bar BoF Invite
>> Hi *,
>> Diego and I are planning to find (or create) an appropriate place for
>> remote attestation related work in the IETF with a Bar BoF as a first step.
>> Some context:
>> In essence, remote attestation procedures are a tool-set that is
>> intended to increase the confidence that an entity other entities
>> interact with is a trusted system.
>> Remote attestation typically is tied to a type of trust anchor or
>> shielded secret, which is - in a sense - a tad bit exotic in the scope
>> of protocols developed in the IETF as those exist and operate "inside
>> the box". In contrast, most IETF solutions operate "between boxes".
>> While remote attestation procedures require both parts in order to
>> provide a value, appropriate network protocols to convey corresponding
>> information between boxes are still very much work in progress.
>> The Plan:
>> To create appropriate protocols and architectures, unfortunately, is not
>> a trivial task. In order to find out how this "non-trivial" thing can be
>> talked about and how to do that constructively in the IETF, we would
>> like to invite you to a Bar BoF.
>> The minimum goal is to talk about what remote attestation means
>> (semantic), what parts of it would belong in the IETF (scope), how to
>> align existing work and how to provide a basis for future work
>> (solution). Even better, if we would be able to agree in some of these
>> areas and flock together.
>> As a first proposal, we are planning the Bar BoF for:
>> *Thursday July 17th, in the evening*
>> (exact time TBD, but we think at or after dinner)
>> There is a fine Bar at the Venue. So, the current plan is to meet there,
>> in order to make it easier to attend. But we will also scout for an
>> appropriate bar when we are on-site. Also, we would like to encourage
>> you to "bring a +1" in case you know other individuals, who would be
>> interested in this topic.
>> Some references of the work in this space that is scattered all over the
>> IETF:
>>> https://datatracker.ietf.org/doc/draft-pastor-i2nsf-nsf-remote-attestation/
>>> https://datatracker.ietf.org/doc/draft-birkholz-i2nsf-tuda/
>>> https://datatracker.ietf.org/doc/draft-mandyam-eat/
>>> https://datatracker.ietf.org/doc/draft-mandyam-tokbind-attest/
>>> https://datatracker.ietf.org/doc/draft-birkholz-reference-ra-interaction-model/
>>> https://datatracker.ietf.org/doc/draft-birkholz-yang-basic-remote-attestation/
>>> https://datatracker.ietf.org/doc/draft-birkholz-attestation-terminology/
>> There also is the rats@ietf.org list (as you can see in the email
>> header) and a place at github (https://github.com/ietf-rats).
>> All that said, we would welcome you to drop by and are looking forward
>> to a lively discussion.
>> Best regards,
>> Diego & Henk


minology/<br class=3D""></blockquote>There also is the <a =
href=3D"mailto:rats@ietf.org" class=3D"">rats@ietf.org</a> list (as you =
can see in the email<br class=3D"">header) and a place at github (<a =
href=3D"https://github.com/ietf-rats" =
class=3D"">https://github.com/ietf-rats</a>).<br class=3D"">All that =
said, we would welcome you to drop by and are looking forward<br =
class=3D"">to a lively discussion.<br class=3D"">Best regards,<br =
class=3D"">Diego &amp; Henk<br class=3D"">IMPORTANT NOTICE: The contents =
of this email and any attachments are confidential and may also be =
privileged. If you are not the intended recipient, please notify the =
sender immediately and do not disclose the contents to any other person, =
use it for any purpose, or store or copy the information in any medium. =
Thank you.<br class=3D""></blockquote><br =
class=3D""></div></div></blockquote></div><br =
class=3D""></div></div></div></div></div></body></html>=

--Apple-Mail=_81CFF35F-F8B4-4860-A80A-CB95142E9E68--


From nobody Fri Jul 13 01:49:42 2018
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CB8F130E0E; Fri, 13 Jul 2018 01:49:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_DWaDfgxJpS; Fri, 13 Jul 2018 01:49:36 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C54B130E92; Fri, 13 Jul 2018 01:49:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1531471776; x=1563007776; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=+sr4Rhu8h4WebzGjl0qYvZhBwzbe7xo6vKVclb5BhHw=; b=kDLLpsr+qywBKK3aPdIGXWQSJafOoO8znjpTYJNHbbFNnRr7J+cUM7Uu QxTmmoiKIgoWVJw5xHj41QJW8LP3Qro+rcG5kmOL8X1KH0FhPr53iz5YF JdFv3CBQIjO7Mloq9aHLDM1wPXNs6zE68djQeAnWWIIlTELzPRPlqKzDD XiLgFoNJZZdnZdHgrvnSqCXZXSsOclDDWKvC4dvt5kuu65fdNESWOZ3mO ZZNAm5hbkfHZrSkdqLzMwBDAysgWq/SsJvv6k5aURNy2TBxby1x08A92/ Z37SN9XVcExyq9GYH1O5OOLWrA60EoZsfLKoDcgMTy8/8sYUxyLehyXTS Q==;
X-IronPort-AV: E=Sophos;i="5.51,347,1526299200"; d="scan'208";a="21036736"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.5 - Outgoing - Outgoing
Received: from uxcn13-tdc-d.uoa.auckland.ac.nz ([10.6.3.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 13 Jul 2018 20:49:29 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 13 Jul 2018 20:49:29 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Fri, 13 Jul 2018 20:49:29 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Comment added to draft-gutmann-scep history
Thread-Index: AQHTx0JalykNlRFNLEeHWmw80fOk66PxVi1qgCgcEDyAL8YogIBEQ8Vn
Date: Fri, 13 Jul 2018 08:49:28 +0000
Message-ID: <1531471734017.88813@cs.auckland.ac.nz>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz>, <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com>
In-Reply-To: <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/v6q4yB_K7rYmfro7rUVqkUcyIig>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jul 2018 08:49:40 -0000

Alexey Melnikov <alexey.melnikov@isode.com> writes:

>1) I need help with you flagging to me which text was modified in the past
>due to comment. I might agree or disagree with these changes and they might
>be highlighting sections which might need more work anyway.

Ahhh... how much of a list do you want?  There's an awful lot of emails to go
through (maybe two years' worth of comments) to sort it all out, and most of
it is pretty uninteresting.  If you're OK with dealing with it on a case-by-
case basis (e.g. "this particular bit of text was based on comments about X
and Y") that would make it easier.

>If you can convince me that #2 is not an issue, then I suggest adding a note
>to the document saying that it is using a bunch of MIME types that are not
>registered (or have different registered aliases, but used here for historic
>reasons). I am happy to suggest some text.

That would be good, thanks.  Since it's a case of "Types in this tree cannot
be registered", I don't see how they could be registered without renaming
them, which breaks compatibility with all existing implementations, and the
primary goal of the draft was to keep it bits-on-the-wire identical to what's
been in use the entire time (modulo single DES + MD5 vs. AES + SHA-2).

In terms of:

>2) if I have a general Web Server that happens to return different MIME types
>here (because there are other already registered MIME types that mean the same
>thing), is this going to be a problem for SCEP clients?

I don't think so for two reasons, firstly I'm not aware of anyone actually
doing SCEP using a standard web server, it's always a standalone SCEP
application that isn't a web server (if anyone is implementing SCEP as a CGI
for a conventional web server, please speak up, I've never heard of one), and
secondly I don't know if anyone actually looks at the MIME types.  I wouldn't
want to put money on that, no doubt some client or other will break if you
change the strings, but I'd say that a lot of clients won't care what the
value is.

>I think either ABNF (which is pretty universally used in IETF RFCs) or in
>free text form which sort of looks like HTTP request line, but isn't. Please
>pick one and I can suggest some small specific edits to reflect that.

That would be really useful, thanks.  I think ABNF is best.

>I would like to use ABNF terminal for this and only explain that the path is
>typically as you describe only in one place in the document.

OK, will that be part of the text above?  If you've got some appropriate
wording to put in that'd be helpful.

>As above: pick between ABNF and free form text and I can suggest some
>specific edits.

ABNF, thanks.

>So AES and SHA-2 are absolutely Normative references.

OK, I've added AES and SHA-2 refs.

>I am actually Ok with no mentioning ACME, but the text in the introduction
>reads like it is arguing that SCEP is the best thing since bread and butter
>and I don't believe what it is trying to say is accurate.

Hmm, it's just saying that it's widely used, which is why it's being
documented, it doesn't try and claim it's particularly good... the comparisons
to CMP and CMC didn't appear until draft 17, with more changes in wording
around draft 22.  As far as I know this wording was purely political, PKIX
wanted everyone to use their CMP or CMC protocols and so the references were
added to appease PKIX.  Since the market appears to have made their choice
between { CMP, CMC, SCEP }, it's probably easiest to just remove any mention
of them, so that I don't have to engage in a comparative analysis of who knows
how many different management protocols (there's a lot more than CMC and CMP
out there now).  So I can just remove that entire paragraph apart from the
first sentence and merge that with the previous paragraph:

-- Snip --

X.509 certificates serve as the basis for several standards-based security
protocols such as <xref target="TLS">TLS</xref>, <xref target="SMIME">
S/MIME</xref>, and <xref target="IKEv2">IKE/IPsec</xref>.  When an X.509
certificate is issued there typically is a need for a certificate management
protocol to enable a PKI client to request or renew a certificate from a
Certificate Authority (CA).  This specification defines a protocol, Simple
Certificate Enrolment Protocol (SCEP), for certificate management and
certificate and CRL queries.

-- Snip --

That's a pretty basic statement of functionality without trying to get into a
comparative analysis of a load of different protocols and mechanisms, and one
which will hopefully upset the least number of people.

>> I have no idea... I mean I literally have no idea, I don't know what
>> implementations do in practice.  I know that in some cases with manual
>> approval it can take hours, but I'm not sure if that's typical.  It could be
>> seconds, minutes, hours...
>
>I suspect you will get a blocking DISCUSS comment on this in IESG review. But
>if you want to take your chances, I am Ok with no change.

I've added the following, which formalises what's in the above sentence:

  The frequency of the polling operation is a CA/client configuration issue,
  and may range from seconds or minutes when the issue process is automatic
  but not instantaneous, through to hours or days if the certificate issue
  operation requires manual approval.

>I think this is unclear, as I don't know what "leaf" means here.

It's the certificate at the end of the chain, the EE certificate.  It's a
standard PKI term, I've tried to find a definitive reference for it but it's
just used without references in other places, e.g. RFC 4043, RFC 7671, non-
IETF locations like MS Technet, etc.

>Here is a speculative example: a future extension to SCEP decides to use JSON
>for returning this information. JSON will have a different media type. If a
>client ignores it, it might be unable to parse it. Using media type names for
>signalling payload format is one of the main benefits of using MIME.

The text there already says:

  The Content-type of the reply SHOULD be "text/plain".  Clients SHOULD ignore
  the Content-type, as older implementations of SCEP may send various Content-
  types.

Given that implementations have in the past sent all sorts of stuff as the
content type (GetCACaps appeared in draft 10 but it wasn't until draft 19 that
a content type was specified), and the text says you should ignore it, which
implementations do, it won't matter what anyone puts in there.  Up until
revision 19 of the draft there was no content type specified, so you could
potentially find anything in there.  It could be text/plain or text/json or...
audio/midi and they'll all be ignored equally.  As I mentioned earlier, I
doubt anyone runs a SCEP server on an actual web server, the MIME types and
whatnot were presumably just specified because you need to put something in
there as a content type.  So most likely the Content-type will never be used
to select an actual content type.

I could perhaps add a note somewhere at the start saying that SCEP, like any
number of other PKI protocols, uses HTTP as a universal substrate, and that
you shouldn't expect that doing something HTTP-ish like setting a Content-type
will actually have any effect?  A reference to RFC 3205/BCP 56 should probably
accompany that.

Peter.


From nobody Fri Jul 13 20:07:59 2018
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3362D130E97; Fri, 13 Jul 2018 20:07:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fITPdDpHa3K5; Fri, 13 Jul 2018 20:07:55 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F23B7130DD8; Fri, 13 Jul 2018 20:07:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1531537675; x=1563073675; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=lj1ltJ257v92wureoECYF0yEp5bKWvXPyu65aQci3hA=; b=QDLl/PW8RVrXcfk5jvFsbaERn8p3NLYmFZYhxhgq0SEi97SFDHOy/Hir AhhWYO6b69Gn4CdajXnpibyEDJabBe7l7BqH6SM5Sy57OEI8IPQCab3Sn lmW+oSD4b+3a6cTDt0HIUHsY6ZmNYXKJfAE0oaRjyInMn9S8MiB3nJtKz Jm9Ek7TmGhU6H4Dpvh5kkPITI+5cW0lMVyfmpJsI8OFpBCHqoD81xM9Pn Ygb+PdCp+wA56ovwCcY7kKUGSrz8fNFGt1FFyXL0GKDSBGbdZlkrLFCCH WDqo1eDZIoKVesTrbLNQ+4ZYIVLbby0JmBOQvORe5RVWO3Ws5GBgmGYl8 A==;
X-IronPort-AV: E=Sophos;i="5.51,350,1526299200"; d="scan'208";a="21125198"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.3.2 - Outgoing - Outgoing
Received: from smtp.uoa.auckland.ac.nz (HELO uxcn13-tdc-a.UoA.auckland.ac.nz) ([10.6.3.2]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 14 Jul 2018 15:07:49 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-tdc-a.UoA.auckland.ac.nz (10.6.3.22) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sat, 14 Jul 2018 15:07:42 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1263.000; Sat, 14 Jul 2018 15:07:42 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Comment added to draft-gutmann-scep history
Thread-Index: AQHTx0JalykNlRFNLEeHWmw80fOk66PxVi1qgCgcEDyAL8YogIBEQ8VngAE0nSA=
Date: Sat, 14 Jul 2018 03:07:42 +0000
Message-ID: <1531537625942.57273@cs.auckland.ac.nz>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz>, <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com>, <1531471734017.88813@cs.auckland.ac.nz>
In-Reply-To: <1531471734017.88813@cs.auckland.ac.nz>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/EdeWTmJN3BfgX_xpV9Obbu3DaPU>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jul 2018 03:07:58 -0000

I wrote:

>I could perhaps add a note somewhere at the start saying that SCEP, like any
>number of other PKI protocols, uses HTTP as a universal substrate, and that
>you shouldn't expect that doing something HTTP-ish like setting a Content-
>type will actually have any effect?  A reference to RFC 3205/BCP 56 should
>probably accompany that.

How about this:

-- Snip --

Like many other Internet protocols, SCEP uses HTTP as a universal substrate,
for more on the implications of this see <xref target="BCP56">BCP 56</xref>.
While SCEP messages are carried over HTTP transport, neither the client nor
the server is likely to be a conventional HTTP-speaking web server or client,
providing only the minimum functionality required for HTTP transport, see the
"HTTP Considerations" section of <xref target="RFC6712">RFC 6712</xref> for
more on this.  Implementations SHOULD NOT use complex HTTP mechanisms such as
chunked encoding, Expect/Continue, HTTP redirects, and similar facilities.

To guard against establishing an erroneous connection to any of the myriad
other devices and services that speak HTTP, SCEP servers MAY choose to respond
to non-SCEP requests, for example a GET from a web browser, with an HTML
diagnostic message notifying the client that they're talking to the wrong
server or service.  Similarly, clients MAY check for an HTML response from the
server and report a configuration error, for example that the client is
connecting to the wrong server or port on a server.

-- Snip --

The latter is particularly useful, my code has been doing that for quite some
time to deal with "the client/server is broken, it's not getting
certificates".  The problem invariably is that they've specified the wrong
server name/IP address, or forgotten to specify a port so the default 80 is
used, or there's a proxy in the way that redirects the connection to a web
server on 80 rather than a SCEP server on 80, or something similar.

Maybe we need an updated BCP 56 that provides info on the general use of HTTP
as a substrate and how to deal with it that every other HTTP-as-substrate-
using RFC can refer to (no, I'm not volunteering to write it :-).

Peter.
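
The client-side check proposed in the message above (detect an HTML reply and report a configuration error, while ignoring the Content-type as the draft text quoted earlier in the thread says), sketched as an added example that is not part of the original message and is not the author's code. The function names, verdict strings and sample replies are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Markers of an HTML document anywhere in the first bytes of the reply.
_HTML_MARK = re.compile(rb"<(?:!doctype\s+html|html|head|title|body)\b", re.I)


@dataclass
class Diagnosis:
    verdict: str  # "scep", "wrong-service", "redirect" or "unknown"
    detail: str


def looks_like_html(body: bytes) -> bool:
    """Sniff the start of the body for HTML; the Content-type is not trusted."""
    head = body[:1024]
    if head.startswith(b"\xef\xbb\xbf"):  # skip a UTF-8 byte order mark
        head = head[3:]
    return _HTML_MARK.search(head) is not None


def looks_like_der_sequence(body: bytes) -> bool:
    """True if the body is one ASN.1 SEQUENCE whose length matches the body."""
    if len(body) < 2 or body[0] != 0x30:
        return False
    first = body[1]
    if first < 0x80:                 # short form: the length is in this octet
        return 2 + first == len(body)
    if first == 0x80:                # BER indefinite length, closed by 00 00
        return body.endswith(b"\x00\x00")
    n = first & 0x7F                 # long form: n length octets follow
    if n > 4 or len(body) < 2 + n:
        return False
    return 2 + n + int.from_bytes(body[2:2 + n], "big") == len(body)


def classify_reply(status: int, content_type: str, body: bytes,
                   binary_expected: bool = True) -> Diagnosis:
    """Decide what answered a SCEP request, from the status line and body only.

    content_type is carried into the diagnostic text but never used for the
    decision. binary_expected is False for replies that are plain text, such
    as the GetCACaps reply discussed in the thread.
    """
    if 300 <= status < 400:
        return Diagnosis("redirect", f"HTTP {status}: a proxy or web server is "
                         "redirecting; check the server name, port and proxy")
    if binary_expected and looks_like_der_sequence(body):
        return Diagnosis("scep", f"ASN.1 reply accepted (labelled {content_type!r})")
    if looks_like_html(body):
        return Diagnosis("wrong-service", "HTML reply: this is a web server or "
                         "device page, not a SCEP server; check host and port")
    printable = all(b in b"\r\n\t" or 32 <= b < 127 for b in body)
    if not binary_expected and body.strip() and printable:
        return Diagnosis("scep", f"text reply accepted (labelled {content_type!r})")
    return Diagnosis("unknown", "reply is neither HTML nor the expected format")


# Constructed sample replies, not captured traffic.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"                  # SEQUENCE { INTEGER 5 }
SAMPLE_HTML = b"\r\n<!DOCTYPE html><html><title>Router login</title></html>"
SAMPLE_CAPS = b"AES\nSHA-256\nPOSTPKIOperation\n"     # GetCACaps-style text

if __name__ == "__main__":
    for args in [(200, "text/html", SAMPLE_DER),
                 (200, "application/x-pki-message", SAMPLE_HTML),
                 (200, "audio/midi", SAMPLE_CAPS, False),
                 (302, "text/html", b"")]:
        result = classify_reply(*args)
        print(f"{result.verdict}: {result.detail}")
```
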


From nobody Sat Jul 14 08:15:58 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16E8013109B; Sat, 14 Jul 2018 08:15:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ruHM2SqGqSP3; Sat, 14 Jul 2018 08:15:54 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ED21130EF9; Sat, 14 Jul 2018 08:15:54 -0700 (PDT)
X-AuditID: 1209190e-093ff700000052db-c0-5b4a13a88465
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 79.10.21211.9A31A4B5; Sat, 14 Jul 2018 11:15:53 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w6EFFqR9008836; Sat, 14 Jul 2018 11:15:52 -0400
Received: from mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6EFFlRs018977 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 14 Jul 2018 11:15:50 -0400
Date: Sat, 14 Jul 2018 10:15:47 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>, "saag@ietf.org" <saag@ietf.org>
Message-ID: <20180714151547.GG59001@mit.edu>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com> <1531471734017.88813@cs.auckland.ac.nz> <1531537625942.57273@cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <1531537625942.57273@cs.auckland.ac.nz>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/TqM16tpxS9ADrYEn9uhTQHhBkQM>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jul 2018 15:15:56 -0000

On Sat, Jul 14, 2018 at 03:07:42AM +0000, Peter Gutmann wrote:
> 
> Maybe we need an updated BCP 56 that provides info on the general use of HTTP
> as a substrate and how to deal with it that every other HTTP-as-substrate-
> using RFC can refer to (no, I'm not volunteering to write it :-).

draft-ietf-httpbis-bcp56bis is active in the httpbis WG at the moment -- it
would be appropriate to make such suggestions to the WG :)

-Ben


From nobody Sat Jul 14 10:44:10 2018
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1295130E68 for <saag@ietfa.amsl.com>; Sat, 14 Jul 2018 10:44:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cJ2dbjOqnZAP for <saag@ietfa.amsl.com>; Sat, 14 Jul 2018 10:44:06 -0700 (PDT)
Received: from mail1.bemta23.messagelabs.com (mail1.bemta23.messagelabs.com [67.219.246.211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C96E127598 for <saag@ietf.org>; Sat, 14 Jul 2018 10:44:05 -0700 (PDT)
Received: from [67.219.247.52] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-4.bemta.az-d.us-east-1.aws.symcld.net id EE/FF-01620-5663A4B5; Sat, 14 Jul 2018 17:44:05 +0000
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-2.tower-424.messagelabs.com!1531590243!409160!1
X-Originating-IP: [216.32.180.48]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 10974 invoked from network); 14 Jul 2018 17:44:04 -0000
Received: from mail-by2nam03lp0048.outbound.protection.outlook.com (HELO NAM03-BY2-obe.outbound.protection.outlook.com) (216.32.180.48) by server-2.tower-424.messagelabs.com with AES256-SHA256 encrypted SMTP; 14 Jul 2018 17:44:04 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Hf+UoSl6PFSlXtFUMkVHqPCe66vWAmCDvY3Xo6e2+as=; b=Sy+pZ6Tj96P0UXq0psoZM68MR63s5HFsZ5trmzlL3szME5xGKiEX28rH9rI6pgybyGPZA1l6trhKbJfPYQwHJ2wwaoJzBCeedVsJ8RqWv+upuPDVVkuHNdIoPlODwFab7L8boeHAwWqHe5jmis+8+LrOK5TJYIcOon9gsxq/owg=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1779.namprd14.prod.outlook.com (10.171.177.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.19; Sat, 14 Jul 2018 17:44:01 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b914:e52:554d:c7bb]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::b914:e52:554d:c7bb%9]) with mapi id 15.20.0930.016; Sat, 14 Jul 2018 17:44:01 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Henry Story <henry.story@bblfish.net>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] stopping (https) phishing
Thread-Index: AQHUESvFOKQYkLMovE6Uw5Pe7y8qZKSPDKUw
Date: Sat, 14 Jul 2018 17:44:01 +0000
Message-ID: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <C21896EE-FE5B-4118-A35A-1F6DAC95E621@bblfish.net>
In-Reply-To: <C21896EE-FE5B-4118-A35A-1F6DAC95E621@bblfish.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [31.133.155.236]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 5eb7dc36-7be2-4201-64ee-08d5e9b1629c
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600053)(711020)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1779; 
x-ms-traffictypediagnostic: BN6PR14MB1779:
x-microsoft-antispam-prvs: <BN6PR14MB1779ECC7D349CC4F769ACDF2835F0@BN6PR14MB1779.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(262074885356583);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(3002001)(3231311)(944501410)(52105095)(10201501046)(149027)(150027)(6041310)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123558120)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:BN6PR14MB1779; BCL:0; PCL:0; RULEID:; SRVR:BN6PR14MB1779; 
x-forefront-prvs: 07334CBCCD
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(376002)(346002)(366004)(136003)(396003)(39860400002)(13464003)(199004)(189003)(110136005)(97736004)(99936001)(6436002)(316002)(106356001)(105586002)(3846002)(6116002)(5660300001)(68736007)(229853002)(33656002)(478600001)(76176011)(6246003)(74316002)(2900100001)(5250100002)(53936002)(2501003)(186003)(14454004)(102836004)(26005)(2906002)(6506007)(53546011)(8936002)(86362001)(14444005)(81166006)(81156014)(66066001)(8676002)(486006)(9686003)(6306002)(55016002)(44832011)(7736002)(7696005)(476003)(446003)(11346002)(305945005)(99286004)(25786009)(256004)(966005)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1779; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: E7So1HHTBGgKKayahEd5PDW810a8at4xrOQFuKUIrUPMwbNamAQ8ECWR27Jqj+UHQib7zApXKns2P/1c0xcYMOgLwRTVWtwgGccvU3t2ODxbyvJGzvAd1oXOVsrcqH+Tcrc/kPieQoIHCuyPbR7FmjmR2NwTYm8WKJZAqcrSW2gUnZwk11gQnNOzFOOT+Z5xNRuUSgnd3Qi+Undu3lMLCKbT43DH9vHwRZ+07WBV/R5BMJ2n8nrFs4EP4tIl3to3rnDHXGSvEVsYgjNsIO0Zzj9A8iv4ELTmUw4itaoE1iTyj55J287JiVZKytWT++9NuUVrBCyerOUebtBSjly4wLGkKbwovUdYDsloHD0aGDU=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0CFA_01D41B78.ACD73F00"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jh4YQpfT_XtS9Ob8V0kuxYk4KBQ>
Subject: Re: [saag] stopping (https) phishing

------=_NextPart_000_0CFA_01D41B78.ACD73F00
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

This is a very important problem, and what you referenced is a nice analysis
of some of the complexities involved when trying to solve it.  It is far
from easy and makes a good PhD topic.

The one thing that I'd caution you on is that loading external resources
asynchronously as part of verifying a page load is pretty much a
non-starter.  Any solution that has an impact on web performance will not be
adopted at scale.

Browser validation needs to be able to happen exclusively using information
provided by the server.  That information needs to be cryptographically
signed by others (just as SCTs, OCSP-stapled responses, etc are) so it can
be trusted.

I would suggest thinking about what sort of additional identity information
is useful to stop https phishing, and how it can be securely distributed
from authoritative sources to endpoints for use in their trust decisions,
with minimal changes to the way things work today.

There are lots of aspects to that and you're probably going to have to pick
a small subset of the problem and see if you can find useful contributions
in a reasonable amount of time ...

-Tim

> -----Original Message-----
> From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Henry Story
> Sent: Sunday, July 1, 2018 7:07 AM
> To: saag@ietf.org
> Subject: [saag] stopping (https) phishing
> 
> Dear all,
> 
>   Recently the APWG (Anti-Phishing Working Group) reported a 6 fold increase
> in 2017 of phishing sites located on https servers. The aim of the phishers
> is to mislead people into a false sense of confidence by using the green
> padlock that appears in some browsers when landing on a site, which is
> understood to mean "secure". People misunderstand this to mean they have
> landed on a legitimate website. With the great work of letsencrypt.org
> getting TLS sites is easier and easier, which is good: because that stops
> all kinds of man in the middle nonsense. But it reveals what has always
> been missing.
>
>   What is missing is the socio-technical piece of the stack that would allow
> the icon to mean "legitimate", ie. embedded in a legal system of a country.
> I argue in this paper which I am working on as part of my PhD thesis that
> this requires an institutional web of trust, which needs the cooperation of
> some leading nations, the IETF and W3C.
>
>    Stopping (https) phishing
>    https://medium.com/@bblfish/stopping-https-phishing-42226ca9e7d9
>
> I'd be interested to hear what issues people here see with the approach
> outlined there, so that I can try to address them, or move onto something
> else :-)
> 
> 	Henry Story
> 
>         PhD researcher on SocialMachines and CyberSecurity
>         at Southampton University

------=_NextPart_000_0CFA_01D41B78.ACD73F00--


From nobody Sat Jul 14 11:09:00 2018
In-Reply-To: <20180714151547.GG59001@mit.edu>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com> <1531471734017.88813@cs.auckland.ac.nz> <1531537625942.57273@cs.auckland.ac.nz> <20180714151547.GG59001@mit.edu>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Sat, 14 Jul 2018 14:08:50 -0400
X-Gmail-Original-Message-ID: <CAOdDvNqdJtwPshdPsJK20Hseq4K=Dv59=mrY0-EzK5pw_aQNQQ@mail.gmail.com>
Message-ID: <CAOdDvNqdJtwPshdPsJK20Hseq4K=Dv59=mrY0-EzK5pw_aQNQQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Peter Gutmann <pgut001@cs.auckland.ac.nz>,  "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000c5f390570f97d04"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/dZq5m7t_8tzkM86BsFMS2sKZXyw>
Subject: Re: [saag] Comment added to draft-gutmann-scep history

--0000000000000c5f390570f97d04
Content-Type: text/plain; charset="UTF-8"

Ben - thanks for flagging this.

Referencing BCP56 is probably not a great idea - it's not well tuned to the
way HTTP evolved.

BCP56bis otoh is designed to provide what you need. It's a work in progress
and would certainly benefit from review and comments:

editor's copy:
https://httpwg.org/http-extensions/draft-ietf-httpbis-bcp56bis.html
current official draft:
https://tools.ietf.org/html/draft-ietf-httpbis-bcp56bis-06
github as easy place to leave feedback and suggested edits:
https://github.com/httpwg/http-extensions

-Patrick



On Sat, Jul 14, 2018 at 11:15 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Sat, Jul 14, 2018 at 03:07:42AM +0000, Peter Gutmann wrote:
> >
> > Maybe we need an updated BCP 56 that provides info on the general use of
> > HTTP as a substrate and how to deal with it that every other
> > HTTP-as-substrate-using RFC can refer to (no, I'm not volunteering to
> > write it :-).
>
> draft-ietf-httpbis-bcp56bis is active in the httpbis WG at the moment -- it
> would be appropriate to make such suggestions to the WG :)
>
> -Ben

--0000000000000c5f390570f97d04--


From nobody Sat Jul 14 17:44:29 2018
Date: 14 Jul 2018 20:44:20 -0400
Message-Id: <20180715004421.246C720024FBA4@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: saag@ietf.org
In-Reply-To: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sOZ5A0VqSg1urxiLUxx7EdY0AA0>
Subject: Re: [saag] stopping (https) phishing

In article <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> you write:
>I would suggest thinking about what sort of additional identity information
>is useful to stop https phishing, and how it can be securely distributed
>from authoritative sources to endpoints for use in their trust decisions,
>with minimal changes to the way things work today.

This is a really hard problem for a variety of reasons.  One is that
this is a user interface issue, and the IETF is notably clueless about
UI.

A long time ago, I suggested industry-specific CAs tied to regulators
or trade associations, with the logo of the CA in the cert that can be
displayed in a distinctive place in the browser.  For example, for
banks in the US the CA would be associated with the FDIC and the cert
would show the FDIC logo, like the sticker on the door of your bank
branch.

I don't know how well this would work in practice, since users are not
very good at understanding that a marker (lock, logo, whatever) in the
chrome is different from the same marker in the window, but given that
anyone can get https for free these days, we need a different way to
mark high-value phish targets.

R's,
John


From nobody Sat Jul 14 18:51:35 2018
Date: Sat, 14 Jul 2018 21:51:27 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20180715015127.GH33554@straasha.imrryr.org>
Reply-To: saag@ietf.org
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20180715004421.246C720024FBA4@ary.qy>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gcfVU9lQW-RYTatiTh3kmzeF620>
Subject: Re: [saag] stopping (https) phishing

On Sat, Jul 14, 2018 at 08:44:20PM -0400, John Levine wrote:

> I don't know how well this would work in practice, since users are not
> very good at understanding that a marker (lock, logo, whatever) in the
> chrome is different from the same marker in the window, but given that
> anyone can get https for free these days, we need a different way to
> mark high-value phish targets.

My personal preference would be for the browser to associate
*personal* visual clues with previously visited and well known
sites, and to issue warnings for domains with a low edit distance
from such sites.

In late June, hastily packing for a trip, I was rebuilding a MacOS
image from scratch, while not wearing my reading glasses.  I tried
to use the bundled browser to download Firefox, from (not quite the
right site): moizlla.com.  This prompted for a Flash update, which
sadly in that context did not seem too suspicious (did Safari in
the OS image perhaps bundle a slightly stale copy of Flash?).
Quickly realized that was a mistake.  Erased the filesystem and
re-installed.  Illusions that this can never happen to an old salt
like me now in tatters. :-(

Not an easy problem to solve, but I don't think that centralized
systems alone can solve it.  Solutions are necessarily incomplete,
multi-faceted and coëvolving with the attacks.

-- 
	Viktor.
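
The edit-distance warning proposed in the message above can be sketched as follows. This is an added example, not part of the original thread; the function names, the known-site list and the thresholds are assumptions chosen for illustration. It uses the optimal-string-alignment variant of edit distance so that two swapped adjacent letters, as in moizlla.com, count as a single edit.

```python
"""Flag hostnames that are a near miss of a site the user already knows."""


def edit_distance(a: str, b: str, transpositions: bool = True) -> int:
    """Edit distance with insert, delete and substitute at cost 1 each.

    With transpositions=True this is the optimal string alignment (OSA)
    distance: swapping two adjacent characters also costs 1. With
    transpositions=False it is plain Levenshtein distance.
    """
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i                      # delete all of a[:i]
    for j in range(cols):
        d[0][j] = j                      # insert all of b[:j]
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # match or substitution
            )
            if (transpositions and i > 1 and j > 1
                    and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[rows - 1][cols - 1]


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' label."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def lookalike_warnings(host, known_sites, max_distance=2):
    """Return [(known_site, distance)] for known sites that `host` nearly matches.

    An exact match with a known site returns no warning. The allowed distance
    shrinks for short names (assumed rule: one edit per five characters,
    at least 1) so that short unrelated domains are not flagged.
    """
    host = normalize(host)
    known = {normalize(site) for site in known_sites}
    if host in known:
        return []
    hits = []
    for site in known:
        limit = min(max_distance, max(1, len(site) // 5))
        if abs(len(site) - len(host)) > limit:
            continue                     # cheap filter before the O(n*m) table
        dist = edit_distance(host, site)
        if dist <= limit:
            hits.append((site, dist))
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


# Constructed sample: sites this user has visited or marked as well known.
KNOWN_SITES = ["mozilla.com", "ietf.org", "www.example.com"]

if __name__ == "__main__":
    for candidate in ["moizlla.com", "www.mozilla.com", "iett.org", "wikipedia.org"]:
        print(candidate, lookalike_warnings(candidate, KNOWN_SITES))
```

This only measures typing-style slips in ASCII hostnames; lookalike Unicode characters in internationalized names need a separate check.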


From nobody Sat Jul 14 20:32:31 2018
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [FORGED] Re: [saag] Comment added to draft-gutmann-scep history
Thread-Index: AQHTx0JalykNlRFNLEeHWmw80fOk66PxVi1qgCgcEDyAL8YogIBEQ8VngAE0nSCAAAKfgIABliZe
Date: Sun, 15 Jul 2018 03:32:19 +0000
Message-ID: <1531625539732.37408@cs.auckland.ac.nz>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com> <1531471734017.88813@cs.auckland.ac.nz> <1531537625942.57273@cs.auckland.ac.nz>,<20180714151547.GG59001@mit.edu>
In-Reply-To: <20180714151547.GG59001@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/EOivd8JVDgpTbq497khsbYOaFkU>
Subject: Re: [saag] [FORGED] Re: Comment added to draft-gutmann-scep history

Benjamin Kaduk <kaduk@mit.edu> writes:

>draft-ietf-httpbis-bcp56bis is active in the httpbis WG at the moment -- it
>would be appropriate to make such suggestions to the WG :)

That's exactly what I need, thanks!  Just grabbing a copy now.  And RFC 7322
allows referencing drafts as Informative refs, so I'm clear there as well.

Peter.


From nobody Sat Jul 14 20:46:52 2018
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Patrick McManus <pmcmanus@mozilla.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] Comment added to draft-gutmann-scep history
Thread-Index: AQHUG52+rEKLLutgkkmzx9TRChvl0qSPpFv6
Date: Sun, 15 Jul 2018 03:46:36 +0000
Message-ID: <1531626396613.5059@cs.auckland.ac.nz>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com> <1531471734017.88813@cs.auckland.ac.nz> <1531537625942.57273@cs.auckland.ac.nz> <20180714151547.GG59001@mit.edu>, <CAOdDvNqdJtwPshdPsJK20Hseq4K=Dv59=mrY0-EzK5pw_aQNQQ@mail.gmail.com>
In-Reply-To: <CAOdDvNqdJtwPshdPsJK20Hseq4K=Dv59=mrY0-EzK5pw_aQNQQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/bPG0mSJf1px0iJasQmmrhqU1ViM>
Subject: Re: [saag] Comment added to draft-gutmann-scep history

Patrick McManus <pmcmanus@mozilla.com> writes:

>It's a work in progress and would certainly benefit from review and comments:
>
>github as easy place to leave feedback and suggested edits:
>https://github.com/httpwg/http-extensions

Is there a preferred forum specifically for discussing this document rather
than the high-volume HTTP list?  In terms of github, I've never been convinced
that a PR is the best substitute for a discussion list thread...

I've got some specific suggestions about wording around the (mis-)use of GET,
which early versions of SCEP did (and some still do *cough*Microsoft*cough*),
creating non-idempotent GET requests containing multiple kB of base64-encoded
binary gunk.  SCEP has provided a good litmus test for how many ways this
breaks in the presence of proxies, caches, and a wide range of server types,
being able to reference 56bis on this would mean I could remove a pile of text
from the draft.

Peter.


From nobody Sun Jul 15 06:10:59 2018
Return-Path: <pmcmanus@mozilla.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0ADC2130E21; Sun, 15 Jul 2018 06:10:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.234
X-Spam-Level: 
X-Spam-Status: No, score=-1.234 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oC-5fazk9IYb; Sun, 15 Jul 2018 06:10:55 -0700 (PDT)
Received: from linode64.ducksong.com (linode6only.ducksong.com [IPv6:2600:3c02::f03c:91ff:fe6e:e8da]) by ietfa.amsl.com (Postfix) with ESMTP id 104A5130DEC; Sun, 15 Jul 2018 06:10:55 -0700 (PDT)
Received: from mail-oi0-f49.google.com (mail-oi0-f49.google.com [209.85.218.49]) by linode64.ducksong.com (Postfix) with ESMTPSA id CBA523A032; Sun, 15 Jul 2018 09:10:53 -0400 (EDT)
Received: by mail-oi0-f49.google.com with SMTP id i12-v6so70105514oik.2; Sun, 15 Jul 2018 06:10:53 -0700 (PDT)
X-Gm-Message-State: AOUpUlGsWPG+UOy1torKMj51de5y0C2ubEajUbLPf+RGqbjwiFp7kUUX T5agrAiyriwqdPnMGkfIOzKPkvLWZ3WOcAsQB8k=
X-Google-Smtp-Source: AAOMgpdGBQufWthvpD3j6ipxceJ5SL40Ap+7CM+HWat0J1plbtbxG7DLIq/33jk0nV7iNXz/6kb7ot60Qfd1WLY/E7E=
X-Received: by 2002:aca:5f0a:: with SMTP id t10-v6mr13364787oib.337.1531660253525;  Sun, 15 Jul 2018 06:10:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a4a:8a22:0:0:0:0:0 with HTTP; Sun, 15 Jul 2018 06:10:52 -0700 (PDT)
In-Reply-To: <1531626396613.5059@cs.auckland.ac.nz>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com> <1531471734017.88813@cs.auckland.ac.nz> <1531537625942.57273@cs.auckland.ac.nz> <20180714151547.GG59001@mit.edu> <CAOdDvNqdJtwPshdPsJK20Hseq4K=Dv59=mrY0-EzK5pw_aQNQQ@mail.gmail.com> <1531626396613.5059@cs.auckland.ac.nz>
From: Patrick McManus <pmcmanus@mozilla.com>
Date: Sun, 15 Jul 2018 09:10:52 -0400
X-Gmail-Original-Message-ID: <CAOdDvNoGE=FyyujGJjFFJYDQvLjgtm8tjcKH5H2HBctweL3q1w@mail.gmail.com>
Message-ID: <CAOdDvNoGE=FyyujGJjFFJYDQvLjgtm8tjcKH5H2HBctweL3q1w@mail.gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: Patrick McManus <pmcmanus@mozilla.com>, Benjamin Kaduk <kaduk@mit.edu>,  "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "saag@ietf.org" <saag@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000053ff080571097118"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/XTwmzW4uxZS9knDwI4YyOhN-NZc>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jul 2018 13:10:57 -0000

--00000000000053ff080571097118
Content-Type: text/plain; charset="UTF-8"

I'm sorry I don't have any other approach to offer - github and the mailing
list are the normal mechanisms. Github works quite well for our working
group. If you'd like to substitute for a discussion thread I would
suggest opening an issue rather than a PR (or perhaps in addition to).

In extremis you could of course mail the author or chair directly rather
than participating in the WG. That of course doesn't really scale.




On Sat, Jul 14, 2018 at 11:46 PM, Peter Gutmann <pgut001@cs.auckland.ac.nz>
wrote:

> Patrick McManus <pmcmanus@mozilla.com> writes:
>
> >Its a work in progress and would certainly benefit from review and comments:
> >
> >github as easy place to leave feedback and suggested edits:
> >https://github.com/httpwg/http-extensions
>
> Is there a preferred forum specifically for discussing this document rather
> than the high-volume HTTP list?  In terms of github, I've never been convinced
> that a PR is the best substitute for a discussion list thread...
>
> I've got some specific suggestions about wording around the (mis-)use of GET,
> which early versions of SCEP did (and some still do *cough*Microsoft*cough*),
> creating non-idempotent GET requests containing multiple kB of base64-encoded
> binary gunk.  SCEP has provided a good litmus test for how many ways this
> breaks in the presence of proxies, caches, and a wide range of server types,
> being able to reference 56bis on this would mean I could remove a pile of text
> from the draft.
>
> Peter.
>

--00000000000053ff080571097118--


From nobody Sun Jul 15 06:12:47 2018
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E0FB130DC0 for <saag@ietfa.amsl.com>; Sun, 15 Jul 2018 06:12:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3igMXAdIzvs for <saag@ietfa.amsl.com>; Sun, 15 Jul 2018 06:12:42 -0700 (PDT)
Received: from mail1.bemta23.messagelabs.com (mail1.bemta23.messagelabs.com [67.219.246.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83A7D130DEC for <saag@ietf.org>; Sun, 15 Jul 2018 06:12:42 -0700 (PDT)
Received: from [67.219.246.100] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-3.bemta.az-b.us-east-1.aws.symcld.net id 32/03-01621-9484B4B5; Sun, 15 Jul 2018 13:12:41 +0000
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-29.tower-384.messagelabs.com!1531660360!803523!1
X-Originating-IP: [216.32.181.175]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 3270 invoked from network); 15 Jul 2018 13:12:41 -0000
Received: from mail-by2nam01lp0175.outbound.protection.outlook.com (HELO NAM01-BY2-obe.outbound.protection.outlook.com) (216.32.181.175) by server-29.tower-384.messagelabs.com with AES256-GCM-SHA384 encrypted SMTP;  15 Jul 2018 13:12:41 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3bMlo92TOTTnh/leXWeIsz6mU4CymvQgDBfaJzO1w/U=; b=dI+xb/h2RGzKOHkJh1OgFpW/DTpz2ewnA38XukTCUuGWh3TvcBt/Ny1bTC6SCDe+Vf2q2+onQLSpCKE3AgyO8f2YmbAbmM/0zhv9lkz5jEfkdngj2f6Oy4ptlY36Z4V3GZcfUr2aVJxfTe/Rt6Op/BHMwATQEym/6AzYbY1yKzs=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1123.namprd14.prod.outlook.com (10.173.161.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.18; Sun, 15 Jul 2018 13:12:38 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::f861:ae59:39b3:8960]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::f861:ae59:39b3:8960%6]) with mapi id 15.20.0952.021; Sun, 15 Jul 2018 13:12:38 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] stopping (https) phishing
Thread-Index: AQHUESvFOKQYkLMovE6Uw5Pe7y8qZKSPDKUwgAB68gCAABLBgIAAu3GQ
Date: Sun, 15 Jul 2018 13:12:38 +0000
Message-ID: <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org>
In-Reply-To: <20180715015127.GH33554@straasha.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [31.133.155.236]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 7ef014a7-f731-477a-af20-08d5ea54a3b3
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1123; 
x-ms-traffictypediagnostic: BN6PR14MB1123:
x-microsoft-antispam-prvs: <BN6PR14MB1123FBEEF2EBFF9E530D9B28835E0@BN6PR14MB1123.namprd14.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397)(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(102415395)(6040522)(2401047)(8121501046)(5005006)(93006095)(93001095)(10201501046)(3002001)(3231311)(944501410)(52105095)(149027)(150027)(6041310)(20161123564045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123558120)(6072148)(201708071742011)(7699016); SRVR:BN6PR14MB1123; BCL:0; PCL:0; RULEID:; SRVR:BN6PR14MB1123; 
x-forefront-prvs: 07349BFAD2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(39860400002)(376002)(346002)(396003)(136003)(13464003)(199004)(189003)(68736007)(2900100001)(6436002)(186003)(316002)(81166006)(26005)(6116002)(106356001)(5640700003)(55016002)(9686003)(2906002)(14454004)(105586002)(1730700003)(6306002)(33656002)(3846002)(8676002)(99936001)(305945005)(74316002)(7736002)(8936002)(5250100002)(66066001)(486006)(446003)(53546011)(11346002)(229853002)(76176011)(7696005)(25786009)(2351001)(478600001)(2501003)(44832011)(53936002)(5660300001)(6246003)(86362001)(6506007)(476003)(6916009)(966005)(256004)(102836004)(81156014)(14444005)(99286004)(97736004); DIR:OUT; SFP:1102; SCL:1; SRVR:BN6PR14MB1123; H:BN6PR14MB1106.namprd14.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0D1F_01D41C1B.EDCE4500"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7ef014a7-f731-477a-af20-08d5ea54a3b3
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jul 2018 13:12:38.6626 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1123
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/baZ4jPtWjpwccZdDospdVtWTkK8>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jul 2018 13:12:45 -0000

------=_NextPart_000_0D1F_01D41C1B.EDCE4500
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

So, I would make three points:

1. UI solutions and problems have been discussed for about ten years,
with no progress either on the PKI side or the UI side.  Improvements along
the lines of what Viktor mentions are in my mind overdue, and I would
urge browser UX teams and researchers to give serious attention to them.
I get very frustrated when security systems we rely upon do not improve
for a decade or more.

2. There is a fraction of users that could consume UI information, but the
UI has to be willing to teach/train them.  It's fairly clear that untrained
users cannot consume security UI.  Some of the "privacy review" and
"security review" training that some applications and sites offer is perhaps
something to look at.  There are users who *want* to be able to consume
security UI, and are willing to spend some time learning best practices and
what to look for.

3. Identity information has value *beyond* the UI.  Increasingly, there are
researchers, automated systems, and security systems that could consume
validated identities.  They may benefit from richer and better vetted
identity information, with clear and auditable rules about how such
identities were verified, so they can be used in trust decisions.  There are
various classes of identity information like GLEIF, and various ETSI standards
for including validated identity information in certificates that I wish I
understood better than I do.

I was actually a Research Scientist for almost a decade, so if anyone wants
to brainstorm about these issues, feel free to track me down in Montreal.

-Tim

-Tim

> -----Original Message-----
> From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Viktor Dukhovni
> Sent: Saturday, July 14, 2018 9:51 PM
> To: saag@ietf.org
> Subject: Re: [saag] stopping (https) phishing
>
> On Sat, Jul 14, 2018 at 08:44:20PM -0400, John Levine wrote:
>
> > I don't know how well this would work in practice, since users are not
> > very good at understanding that a marker (lock, logo, whatever) in the
> > chrome is different from the same marker in the window, but given that
> > anyone can get https for free these days, we need a different way to
> > mark high-value phish targets.
>
> My personal preference would be for the browser to associate
> *personal* visual clues with previously visited and well known sites, and to
> issue warnings for domains with a low edit distance from such sites.
>
> In late June, hastily packing for a trip, I was rebuilding a MacOS image from
> scratch, while not wearing my reading glasses.  I tried to use the bundled
> browser to download Firefox, from (not quite the right site): moizlla.com.  This
> prompted for a Flash update, which sadly in that context did not seem too
> suspicious (did Safari in the OS image perhaps bundle a slightly stale copy of
> Flash?).
> Quickly realized that was a mistake.  Erased the filesystem and re-installed.
> Illusions that this can never happen to an old salt like me now in tatters. :-(
>
> Not an easy problem to solve, but I don't think that centralized systems alone
> can solve it.  Solutions are necessarily incomplete, multi-faceted and
> coëvolving with the attacks.
>
> --
> 	Viktor.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

------=_NextPart_000_0D1F_01D41C1B.EDCE4500--


From nobody Sun Jul 15 10:56:22 2018
Return-Path: <henry.story@bblfish.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89E0D130ECD for <saag@ietfa.amsl.com>; Sun, 15 Jul 2018 10:56:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level: 
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bblfish-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UoYwymqPw7aq for <saag@ietfa.amsl.com>; Sun, 15 Jul 2018 10:56:12 -0700 (PDT)
Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 537DD130E55 for <saag@ietf.org>; Sun, 15 Jul 2018 10:56:10 -0700 (PDT)
Received: by mail-wm0-x22c.google.com with SMTP id n17-v6so13617375wmh.2 for <saag@ietf.org>; Sun, 15 Jul 2018 10:56:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bblfish-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=RuE7dgde/k0nAF+mWq0WLABU01mBq8KAS9Vh1T0ne4A=; b=pVi1p3fGTfS6/ItIK6RaCg5n0tlALFLQ/bnEGuUNKVCEjuN53BIdJlrRRPqII3/jvE Y0l2SCRwRY1S4oGJaz4GZ6+UsOso6ewG3mocA3JVSYsZO1yRQvMMkPzi7vB2hDu4rwf+ BZ4x6qcSxpd917b+fhcakhxh9PaInnptHSdkGJRZs9DEAN3tZ9S+6aG0PAkuJYxp3y2h BehDvIkitWg+8eHoSnHMGuUI+x8xW/qINpamRSLGXpqdNoYi1H5kYk2s0naFCwoNthYn TWC7IiBtQvIGTttO5mk0YyIbruI6BbnY7igwLVeH1vThDvhgsXFhRflpUdZN2bIvAfln Sc9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=RuE7dgde/k0nAF+mWq0WLABU01mBq8KAS9Vh1T0ne4A=; b=Yv0Z3aqMBs75ICEoGc5RpbDVWLorgFRQpZqKvdhQcezORZvPfoVpwjz57KZS5zgAMS b03fU7KKbVS+07250sCCb1s6frB50F/05FepHY0IE3sTCNnNHg8TKpjM4h4M5pKuKlFJ d8uYxgSyzEIgPdweY+OAf3KPSsmYjgZ/E0Z3gRaX8sYPal/P3sbpsVUw+Y24sFNLgQiE MttYSuZ5R95ysSL7/Kh7BZLw+q3mASTDSpvmaDL3Lo878q5b2/vTIzqTQRLDQgrGRtZD +DiPYaVuPjBcbH3oe5AOi7fAv1d2BxAFqX3QIeDFg0+Ju6L1+DhtfSJlGIYx7VfpA+7Y K8Ig==
X-Gm-Message-State: AOUpUlFZVdY7W8S3kdKNDMX2SXXCAna9UfZ1olStm+f/JmGbarT0bBT6 hrfkh9SS095zdPRX5s4XS8zM3Q==
X-Google-Smtp-Source: AAOMgpdTwGOjn8/uU1k0espKOez/DIYDyeJ9fv5hIM2HU2NuVOSblmUSFO8fbacNOmamnUd9FWJeyw==
X-Received: by 2002:a1c:c60a:: with SMTP id w10-v6mr7950847wmf.26.1531677368592;  Sun, 15 Jul 2018 10:56:08 -0700 (PDT)
Received: from [192.168.43.209] ([80.12.27.71]) by smtp.gmail.com with ESMTPSA id 131-v6sm19816808wmm.31.2018.07.15.10.56.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 15 Jul 2018 10:56:07 -0700 (PDT)
From: Henry Story <henry.story@bblfish.net>
Message-Id: <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_502D4D76-75FE-4822-8BD3-82A326D9E82B"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sun, 15 Jul 2018 19:56:04 +0200
In-Reply-To: <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com>
Cc: "saag@ietf.org" <saag@ietf.org>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/gS3g_1MpucvXAa6bgl4H4m39PIA>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jul 2018 17:56:18 -0000

--Apple-Mail=_502D4D76-75FE-4822-8BD3-82A326D9E82B
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi,

   I just wrote up some ideas on UI and security that came (back) to me reading
this thread and other interesting papers on security.

"Phishing in Context -- Epistemology on the screen"
 https://medium.com/@bblfish/phishing-in-context-9c84ca451314

This gives a (psycho)logical analysis of UI elements of phishing and
a proposal for how to answer that using a great idea by Apple ....

I think it meshes quite well with the points made in this thread.


> On 15 Jul 2018, at 15:12, Tim Hollebeek <tim.hollebeek@digicert.com> wrote:
>
> So, I would make three points:
>
> 1. UI solutions and problems have been discussed for about ten years,
> with no progress either on the PKI side or the UI side.  Improvements along
> the lines of what Viktor mentions are in my mind overdue, and I would
> urge browser UX teams and researchers to give serious attention to them.
> I get very frustrated when security systems we rely upon do not improve
> for a decade or more.

I think I just spotted a major possibility related to a recent (but not so recent)
innovation by Apple...

>
> 2. There is a fraction of users that could consume UI information, but the
> UI has to be willing to teach/train them.  It's fairly clear that untrained
> users cannot consume security UI.  Some of the "privacy review" and
> "security review" training that some applications and sites offer is perhaps
> something to look at.  There are users who *want* to be able to consume
> security UI, and are willing to spend some time learning best practices and
> what to look for.

yes, so there I think if the information is richer then it is possible to
give the user something interesting to look at. The fixed headquarters address
that exists currently in DV certificates is useless: nobody understands why they
would need to look at that - except perhaps for security specialists who understand
that the headquarters are useful for legal reasons...

The reason an institutional web of trust can bring a lot richer information
that can change, is that it can be served in real time by an agency. Some
information can be unchanging in a cert, but other information can be available
live from a server, which with the future Quic protocol could be very light weight.
I think in any case one could mix and match.

But what is sure: with the current cert info there was nothing a designer could
do to make it appealing. So I think more intelligent information that can change
would give Designers something to make security appealing.

>
> 3. Identity information has value *beyond* the UI.  Increasingly, there are
> researchers, automated systems, and security systems that could consume
> validated identities.  They may benefit from richer and better vetted
> identity information, with clear and auditable rules about how such
> identities were verified, so they can be used in trust decisions.  There are
> various classes of identity information like GLEIF, and various ETSI standards
> for including validated identity information in certificates that I wish I
> understood better than I do.

Certainly. And I think because it is such a big field with so much potential,
we need to be prepared to accept that we will step into the logical mirror of
functional thinking. Weirdly enough the category of finite Boolean algebras
is dual to that of sets and functions

https://math.stackexchange.com/questions/980933/what-is-the-opposite-category-of-set
>
> I was actually a Research Scientist for almost a decade, so if anyone wants
> to brainstorm about these issues, feel free to track me down in Montreal.

Currently I am on a low student budget in the mountains of Germany (Garmisch-Partenkirchen).
Always happy to chat around here. Perhaps I'll be at W3C TPAC in Lyon too.

>
> -Tim
>
> -Tim
>
>> -----Original Message-----
>> From: saag [mailto:saag-bounces@ietf.org] On Behalf Of Viktor Dukhovni
>> Sent: Saturday, July 14, 2018 9:51 PM
>> To: saag@ietf.org
>> Subject: Re: [saag] stopping (https) phishing
>>
>> On Sat, Jul 14, 2018 at 08:44:20PM -0400, John Levine wrote:
>>
>>> I don't know how well this would work in practice, since users are not
>>> very good at understanding that a marker (lock, logo, whatever) in the
>>> chrome is different from the same marker in the window, but given that
>>> anyone can get https for free these days, we need a different way to
>>> mark high-value phish targets.
>>
>> My personal preference would be for the browser to associate
>> *personal* visual clues with previously visited and well known sites, and to
>> issue warnings for domains with a low edit distance from such sites.
>>
>> In late June, hastily packing for a trip, I was rebuilding a MacOS image from
>> scratch, while not wearing my reading glasses.  I tried to use the bundled
>> browser to download Firefox, from (not quite the right site): moizlla.com.  This
>> prompted for a Flash update, which sadly in that context did not seem too
>> suspicious (did Safari in the OS image perhaps bundle a slightly stale copy of
>> Flash?).
>> Quickly realized that was a mistake.  Erased the filesystem and re-installed.
>> Illusions that this can never happen to an old salt like me now in tatters. :-(
>>
>> Not an easy problem to solve, but I don't think that centralized systems alone
>> can solve it.  Solutions are necessarily incomplete, multi-faceted and
>> coëvolving with the attacks.
>>
>> --
>> 	Viktor.
>>
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


--Apple-Mail=_502D4D76-75FE-4822-8BD3-82A326D9E82B--
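
Viktor's suggestion quoted in the message above (warn on domains with a low edit distance from sites the user has already visited) can be sketched as follows. This is an added example, not code from any message in the thread; the function names, the budget rule and the visited-site list are assumptions made for illustration.

```javascript
// Added illustration, not code from the thread. The site list, thresholds and
// function names are constructed for this example.

// Optimal string alignment distance (restricted Damerau-Levenshtein):
// insertion, deletion, substitution and a swap of two adjacent characters
// each cost 1, so a transposition typo counts as a single edit.
function osaDistance(a, b) {
  const rows = a.length + 1;
  const cols = b.length + 1;
  const d = Array.from({ length: rows }, () => new Array(cols).fill(0));
  for (let i = 0; i < rows; i++) d[i][0] = i;
  for (let j = 0; j < cols; j++) d[0][j] = j;
  for (let i = 1; i < rows; i++) {
    for (let j = 1; j < cols; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(
        d[i - 1][j] + 1,        // deletion
        d[i][j - 1] + 1,        // insertion
        d[i - 1][j - 1] + cost  // substitution or match
      );
      // Adjacent transposition, e.g. "iz" typed for "zi".
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Reduce a hostname to the form compared against the user's history.
// Simplification: only a leading "www." is stripped. A production check would
// compare registrable domains using the Public Suffix List and would also
// handle IDN homographs, which plain edit distance does not model.
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, "").replace(/^www\./, "");
}

// Classify a hostname against sites the user already knows.
//   "known"     : exact match with a previously visited site
//   "lookalike" : not a match, but within a small edit distance of one
//   "unknown"   : no close neighbour in the history
function classifyHost(host, knownSites, maxDistance = 2) {
  const candidate = normalizeHost(host);
  let nearest = null;
  let best = Infinity;
  for (const site of knownSites.map(normalizeHost)) {
    if (site === candidate) {
      return { verdict: "known", nearest: site, distance: 0 };
    }
    // Short names get a tighter budget to limit false positives.
    const budget = Math.min(maxDistance, Math.floor(site.length / 4));
    const dist = osaDistance(candidate, site);
    if (dist <= budget && dist < best) {
      best = dist;
      nearest = site;
    }
  }
  if (nearest !== null) {
    return { verdict: "lookalike", nearest, distance: best };
  }
  return { verdict: "unknown", nearest: null, distance: null };
}

// Constructed visited-site list; "moizlla.com" is the mistyped name from the thread.
const visitedSites = ["mozilla.com", "ietf.org", "medium.com"];
for (const host of ["www.mozilla.com", "moizlla.com", "example.net"]) {
  const result = classifyHost(host, visitedSites);
  console.log(host, "->", result.verdict, result.nearest || "");
}
```

A browser would raise its warning on the "lookalike" verdict only; "unknown" hosts are simply new sites and say nothing about phishing either way.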


From nobody Sun Jul 15 13:34:58 2018
MIME-Version: 1.0
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net>
In-Reply-To: <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net>
From: Ben Laurie <benl@google.com>
Date: Sun, 15 Jul 2018 21:34:41 +0100
Message-ID: <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com>
To: Story Henry <henry.story@bblfish.net>
Cc: tim.hollebeek@digicert.com, saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000357fde05710fa572"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/7_19YQgzSOqt0zFEQPWxNiNBuEY>
Subject: Re: [saag] stopping (https) phishing

--000000000000357fde05710fa572
Content-Type: text/plain; charset="UTF-8"

On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:

> Hi,
>
>    I just wrote up some ideas on UI and security that came (back) to me
> reading
> this thread and other interesting papers on security.
>
> "Phishing in Context -- Epistemology on the screen"
>  https://medium.com/@bblfish/phishing-in-context-9c84ca451314
>

You have reinvented the Secure Attention Key. It hasn't worked out that well,
so far.


--000000000000357fde05710fa572--


From nobody Sun Jul 15 14:43:26 2018
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Henry Story <henry.story@bblfish.net>
In-Reply-To: <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com>
Date: Sun, 15 Jul 2018 23:43:18 +0200
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>, saag@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/p1omAT1FB19Td5SSQyv-WiznLuU>
Subject: Re: [saag] stopping (https) phishing

> On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
>
> On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:
> Hi,
>
>    I just wrote up some ideas on UI and security that came (back) to me reading
> this thread and other interesting papers on security.
>
> "Phishing in Context -- Epistemology on the screen"
>  https://medium.com/@bblfish/phishing-in-context-9c84ca451314
>
> You have reinvented the Secure Attention Key. It hasn't worked out that well, so far.
>

Do you mean what they describe on Wikipedia here?
https://en.wikipedia.org/wiki/Secure_attention_key

"A secure attention key (SAK) or secure attention sequence (SAS) is a
special key or key combination to be pressed on a computer keyboard
before a login screen which must, to the user, be completely
trustworthy. The operating system kernel, which interacts directly with
the hardware, is able to detect whether the secure attention key has
been pressed. When this event is detected, the kernel starts the trusted
login processing."

That would be to authenticate the user of the computer, which is, I suppose, a
predecessor of what the fingerprint button on new MacBook Pro laptops is about
(I don't know, as I don't have them). They call it Touch ID
https://support.apple.com/en-us/HT207054

But that is not what I am talking about in the article. There I am speaking of server
or application authentication, and I am arguing that to be secure this needs two screens,
the second screen being what Apple calls the Touch Bar. There is a video here describing it
    https://youtu.be/DhCJuJoE6wM?t=170
But I am sure you'll find many more. (Btw. the new MacBook Pro is out today!)

I would guess that parts of the Touch Bar must be OS secured, or else an
app could get your fingerprints? In any case I am saying that there
should be a couple more buttons on the Touch Bar that are controlled by
the OS.
1) the icon of the App that is in the foreground (which would be retrieved from the institutional web of trust)
2) the icon of the favicon of the web page, also retrieved from the institutional web of trust

Clicking those would give you more information about the app in 1) and
more info about the page in 2).
But not just the address of the headquarters, but something a lot richer....


But I may have misunderstood you...?

Henry


From nobody Sun Jul 15 14:46:10 2018
MIME-Version: 1.0
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net>
In-Reply-To: <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net>
From: Ben Laurie <benl@google.com>
Date: Sun, 15 Jul 2018 22:45:49 +0100
Message-ID: <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com>
To: Story Henry <henry.story@bblfish.net>
Cc: tim.hollebeek@digicert.com, saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000980d4d057110a3b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Dh5JCzaZAe2KIj9q_Ck6GtWSA4s>
Subject: Re: [saag] stopping (https) phishing

--000000000000980d4d057110a3b6
Content-Type: text/plain; charset="UTF-8"

No, I mean in the more general sense that it's a way to invoke "the system",
guaranteed, no messing.

It has a noble history of not working very well.

Windows uses ctl-alt-del as a SAK. It doesn't let you do much, but it is
more than login.

On Sun, 15 Jul 2018 at 22:43, Henry Story <henry.story@bblfish.net> wrote:

>
>
> > On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
> >
> >
> >
> > On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:
> > Hi,
> >
> >    I just wrote up some ideas on UI and security that came (back) to me reading
> > this thread and other interesting papers on security.
> >
> > "Phishing in Context -- Epistemology on the screen"
> >  https://medium.com/@bblfish/phishing-in-context-9c84ca451314
> >
> > You have reinvented the Secure Attention Key. It hasn't worked out that well, so far.
> >
>
> Do you mean what they describe on Wikipedia here?
> https://en.wikipedia.org/wiki/Secure_attention_key
>
> "A secure attention key (SAK) or secure attention sequence (SAS) is a
> special key or key combination to be pressed on a computer keyboard before
> a login screen which must, to the user, be completely trustworthy. The
> operating system kernel, which interacts directly with the hardware, is
> able to detect whether the secure attention key has been pressed. When this
> event is detected, the kernel starts the trusted login processing."
>
> That would be to authenticate the user of the computer, which is I suppose a
> predecessor of what the fingerprint button on new MacBook Pro laptops is about
> (I don't know, as I don't have them). They call it Touch ID
> https://support.apple.com/en-us/HT207054
>
> But that is not what I am talking about in the article. There I am speaking of server
> or application authentication, and I am arguing that to be secure this needs two screens
> the second screen being what Apple calls the Touch Bar. There is a video here describing it
>     https://youtu.be/DhCJuJoE6wM?t=170
> But I am sure you'll find many more. (Btw. the new MacBook Pro is out today!)
>
> I would guess that parts of the Touch Bar must be OS secured, or else an
> app could get your fingerprints? In any case I am saying that there should
> be a couple more buttons on the Touch Bar that are controlled by the OS.
> 1) the icon of the App that is in the foreground (which would be retrieved from the institutional web of trust)
> 2) the icon of the favicon of the web page also retrieved from the institutional web of trust
>
> Clicking those would give you more information about the app in 1) and more
> info about the page in 2).
> But not just the address of the headquarters, but something a lot richer....
>
>
> But I may have misunderstood you...?
>
> Henry
>
>

--000000000000980d4d057110a3b6--


From nobody Sun Jul 15 14:57:59 2018
Return-Path: <david.waltermire@nist.gov>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CACF7130E57; Sun, 15 Jul 2018 14:57:50 -0700 (PDT)
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fey90hIo1IWj; Sun, 15 Jul 2018 14:57:46 -0700 (PDT)
Received: from GCC01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0115.outbound.protection.outlook.com [23.103.200.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EFFD128BAC; Sun, 15 Jul 2018 14:57:43 -0700 (PDT)
Received: from BL0PR0901MB2306.namprd09.prod.outlook.com (52.132.18.148) by BL0PR0901MB2307.namprd09.prod.outlook.com (52.132.18.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.17; Sun, 15 Jul 2018 21:57:41 +0000
Received: from BL0PR0901MB2306.namprd09.prod.outlook.com ([fe80::90d9:a6c1:597f:189f]) by BL0PR0901MB2306.namprd09.prod.outlook.com ([fe80::90d9:a6c1:597f:189f%4]) with mapi id 15.20.0952.021; Sun, 15 Jul 2018 21:57:41 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: "saag@ietf.org" <saag@ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>, "acvp@ietf.org" <acvp@ietf.org>
CC: "apostol.vassilev@gmail.com" <apostol.vassilev@gmail.com>
Thread-Topic: SAAG Presentation: Automated Cryptographic Validation Protocol (ACVP) and Side Meeting
Thread-Index: AQHUHIM3KAmpDI+r5UWVfjUCTI4BAQ==
Date: Sun, 15 Jul 2018 21:57:40 +0000
Message-ID: <BL0PR0901MB23060380F60C515EF4DCE700F05E0@BL0PR0901MB2306.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_BL0PR0901MB23060380F60C515EF4DCE700F05E0BL0PR0901MB2306_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/NAf0FE9DhLfqvIYWP4B649lg8es>
Subject: [saag] SAAG Presentation: Automated Cryptographic Validation Protocol (ACVP) and Side Meeting

--_000_BL0PR0901MB23060380F60C515EF4DCE700F05E0BL0PR0901MB2306_
Content-Type: text/plain; charset="iso-8859-1"

At SAAG this week, there will be a presentation on the Automated Cryptographic Validation Protocol (ACVP). This effort is focused on a protocol for validating cryptographic implementations against cryptographic standards. This protocol can be used as part of government and industry cryptographic testing programs.

Additionally, a side meeting will be held on Thursday evening at 7:30pm EDT to engage in further discussion around this work. A live demo and in-depth look at the protocol internals will be provided for context. A focus of the discussion will be around interest in collaboration on this protocol within the IETF community. The specific location of this meeting will be announced later this week once a room has been reserved.

There is also a non-working group IETF mailing list to support ongoing conversation on this topic. To join the ACVP IETF mailing list, please visit: https://www.ietf.org/mailman/listinfo/acvp.

We are looking forward to seeing you at the SAAG meeting and ACVP side meeting.

Regards,

ACVP Team


--_000_BL0PR0901MB23060380F60C515EF4DCE700F05E0BL0PR0901MB2306_--


From nobody Sun Jul 15 15:21:49 2018
Return-Path: <henry.story@bblfish.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3E9D130E89 for <saag@ietfa.amsl.com>; Sun, 15 Jul 2018 15:21:47 -0700 (PDT)
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bblfish-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JeRFfNd-SSXq for <saag@ietfa.amsl.com>; Sun, 15 Jul 2018 15:21:45 -0700 (PDT)
Received: from mail-wm0-x242.google.com (mail-wm0-x242.google.com [IPv6:2a00:1450:400c:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE3FF130E8C for <saag@ietf.org>; Sun, 15 Jul 2018 15:21:44 -0700 (PDT)
Received: by mail-wm0-x242.google.com with SMTP id f21-v6so1118127wmc.5 for <saag@ietf.org>; Sun, 15 Jul 2018 15:21:44 -0700 (PDT)
Received: from [192.168.44.190] (vpn27.hotsplots.net. [185.46.137.14]) by smtp.gmail.com with ESMTPSA id e71-v6sm5458399wmg.36.2018.07.15.15.21.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 15 Jul 2018 15:21:41 -0700 (PDT)
From: Henry Story <henry.story@bblfish.net>
Message-Id: <F3CA7B91-4467-4BEB-911F-ACAAF1522FF3@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E163B1B8-8096-4206-99CC-F0A4055BB803"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 16 Jul 2018 00:21:39 +0200
In-Reply-To: <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>, saag@ietf.org
To: Ben Laurie <benl@google.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/PZfUPS_GEbrOBwT0cFcVF1nZwbU>
Subject: Re: [saag] stopping (https) phishing

--Apple-Mail=_E163B1B8-8096-4206-99CC-F0A4055BB803
Content-Type: text/plain;
	charset=us-ascii

> On 15 Jul 2018, at 23:45, Ben Laurie <benl@google.com> wrote:
>
> No, I mean in the more general sense that it's a way to invoke "the system", guaranteed, no messing.
>
> It has a noble history of not working very well.
>
> Windows uses ctl-alt-del as a SAK. It doesn't let you do much, but it is more than login.

Over my life working with computers from the 1980s onwards, I have seen many attempts
of ideas that failed, and then when the time was right and the pieces came together things started
working. To wit: The Minitel gave the French a great view into the future of hypertext, but not
being open was a key limitation. I can just imagine people wondering how would open software
and standards be a deal breaker on hypertext?

My argument in this case is one that comes from mathematical doxastic logic. There has to be a way
to know who said what. Which app is controlling the screen? What page is the app showing?
These are key logical features that a single screen cannot provide, as it is always possible
to fool the user by duplicating the experience. Hence you need two screens, just as in logic you need
to distinguish between the content and the agent asserting the content. In RDF this is the shift
between triples and quads.

Now Apple actually ships laptops with two screens.... They don't seem to be using it the right
way for me, but then the institutional web of trust I describe in the original article of this thread is not
there yet either... It's just a matter of time though until it is realized.

You cannot argue from an idea has not succeeded that it will never succeed, in the same way
but in reverse that Bertrand Russell's chicken would be foolish to go from the friendliness of the
farmer today to his friendliness tomorrow.

Henry

>
> On Sun, 15 Jul 2018 at 22:43, Henry Story <henry.story@bblfish.net> wrote:
>
>
> > On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
> >
> >
> >
> > On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:
> > Hi,
> >
> >    I just wrote up some ideas on UI and security that came (back) to me reading
> > this thread and other interesting papers on security.
> >
> > "Phishing in Context -- Epistemology on the screen"
> >  https://medium.com/@bblfish/phishing-in-context-9c84ca451314
> >
> > You have reinvented the Secure Attention Key. It hasn't worked out that well, so far.
> >
>
> Do you mean what they describe on Wikipedia here?
> https://en.wikipedia.org/wiki/Secure_attention_key
>
> "A secure attention key (SAK) or secure attention sequence (SAS) is a special key or key combination to be pressed on a computer keyboard before a login screen which must, to the user, be completely trustworthy. The operating system kernel, which interacts directly with the hardware, is able to detect whether the secure attention key has been pressed. When this event is detected, the kernel starts the trusted login processing."
>
> That would be to authenticate the user of the computer, which is I suppose a
> predecessor of what the fingerprint button on new MacBook Pro laptops is about
> (I don't know, as I don't have them). They call it Touch ID
> https://support.apple.com/en-us/HT207054
>
> But that is not what I am talking about in the article. There I am speaking of server
> or application authentication, and I am arguing that to be secure this needs two screens
> the second screen being what Apple calls the Touch Bar. There is a video here describing it
>     https://youtu.be/DhCJuJoE6wM?t=170
> But I am sure you'll find many more. (Btw. the new MacBook Pro is out today!)
>
> I would guess that parts of the Touch Bar must be OS secured, or else an app could get your fingerprints? In any case I am saying that there should be a couple more buttons on the Touch Bar that are controlled by the OS.
> 1) the icon of the App that is in the foreground (which would be retrieved from the institutional web of trust)
> 2) the icon of the favicon of the web page also retrieved from the institutional web of trust
>
> Clicking those would give you more information about the app in 1) and more info about the page in 2).
> But not just the address of the headquarters, but something a lot richer....
>
>
> But I may have misunderstood you...?
>
> Henry
>


--Apple-Mail=_E163B1B8-8096-4206-99CC-F0A4055BB803
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On 15 Jul 2018, at 23:45, Ben Laurie &lt;<a =
href=3D"mailto:benl@google.com" class=3D"">benl@google.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D""><div =
dir=3D"ltr" class=3D"">No, I mean in the more general sense that its a =
way to invoke "the system", guaranteed, no messing.<div class=3D""><br =
class=3D""></div><div class=3D"">It has a noble history of not working =
very well.<br class=3D""><div class=3D""><br class=3D""></div><div =
class=3D"">Windows uses ctl-alt-del as a SAK. It doesn't let you do =
much, but it is more than =
login.</div></div></div></div></blockquote><div><br =
class=3D""></div><div>Over my life working with computers from 1980ies =
onwards, I have seen many attempts</div><div>of ideas that failed, and =
then when the time was right and the pieces came together things =
started</div><div>working. To witL The Minitel gave the French a great =
view into the future of hypertext, but not</div><div>being open was a =
key limitation. I can just imagine people wondering how would open =
software</div><div>and standards be a deal breaker on =
hypertext?</div><div><br class=3D""></div><div>My argument in this case =
is one that comes from mathematical doxastic logic. There has to be a =
way</div><div>to know who said what. Which app is controlling the =
screen? What page is the app showing?</div><div>These are key logical =
features that a single screen cannot provide, as it is always =
possible</div><div>to fool the user by duplicating the experience. Hence =
you need two screen, just as in logic you need</div><div>to distinguish =
between the content and the agent asserting the content. In RDF this is =
the shift</div><div>between triples and quads.</div><div><br =
class=3D""></div><div>Now Apple actually ships laptops with two =
screens.... They don't seem to be using it the right&nbsp;</div><div>way =
for me, but then the institutional web of trust I describe in the =
original article of this thread is not&nbsp;</div><div>there yet =
either... It's just a matter of time thought until it is =
realized.</div><div><br class=3D""></div><div>You cannot argue from an =
idea has not succeeded that it will never succeed, in the same =
way&nbsp;</div><div>but in reverse that Bertrand Russell's chicken would =
be foolish to go from the friendliness of the&nbsp;</div><div>farmer =
today &nbsp;to his friendliness tomorrow.</div><div><br =
class=3D""></div><div>Henry</div><div><br class=3D""></div><div><br =
class=3D""></div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D""><br class=3D""><div class=3D"gmail_quote"><div dir=3D"ltr" =
class=3D"">On Sun, 15 Jul 2018 at 22:43, Henry Story &lt;<a =
href=3D"mailto:henry.story@bblfish.net" =
class=3D"">henry.story@bblfish.net</a>&gt; wrote:<br =
class=3D""></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 =
.8ex;border-left:1px #ccc solid;padding-left:1ex"><br class=3D"">
<br class=3D"">
&gt; On 15 Jul 2018, at 22:34, Ben Laurie &lt;<a =
href=3D"mailto:benl@google.com" target=3D"_blank" =
class=3D"">benl@google.com</a>&gt; wrote:<br class=3D"">
&gt; <br class=3D"">
&gt; <br class=3D"">
&gt; <br class=3D"">
&gt; On Sun, 15 Jul 2018 at 18:56, Henry Story &lt;<a =
href=3D"mailto:henry.story@bblfish.net" target=3D"_blank" =
class=3D"">henry.story@bblfish.net</a>&gt; wrote:<br class=3D"">
&gt; Hi, <br class=3D"">
&gt; <br class=3D"">
&gt;&nbsp; &nbsp; I just wrote up some ideas on UI and security that =
came (back) to me reading <br class=3D"">
&gt; this thread and other interesting papers on security.<br class=3D"">
&gt; <br class=3D"">
&gt; "Phishing in Context -- Epistemology on the screen"<br class=3D"">
&gt;&nbsp; <a =
href=3D"https://medium.com/@bblfish/phishing-in-context-9c84ca451314" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://medium.com/@bblfish/phishing-in-context-9c84ca451314</a=
><br class=3D"">
&gt; <br class=3D"">
&gt; You have reinvented the Secure Attention Key. It hasn't work out =
that well, so far.<br class=3D"">
&gt; <br class=3D"">
<br class=3D"">
Do you mean what they describe on wikipedia here ?<br class=3D"">
<a href=3D"https://en.wikipedia.org/wiki/Secure_attention_key" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://en.wikipedia.org/wiki/Secure_attention_key</a> <br =
class=3D"">
<br class=3D"">
"A secure attention key (SAK) or secure attention sequence (SAS) is a =
special key or key combination to be pressed on a computer keyboard =
before a login screen which must, to the user, be completely =
trustworthy. The operating system kernel, which interacts directly with =
the hardware, is able to detect whether the secure attention key has =
been pressed. When this event is detected, the kernel starts the trusted =
login processing."<br class=3D"">
<br class=3D"">
That would be to authenticate the user of the computer, which is I =
suppose a <br class=3D"">
predecessor of what the fingerprint button on new MacBook Pro laptops is =
about <br class=3D"">
(I don't know, as I don't have them). They call it Touch Id <br =
class=3D"">
<a href=3D"https://support.apple.com/en-us/HT207054" rel=3D"noreferrer" =
target=3D"_blank" =
class=3D"">https://support.apple.com/en-us/HT207054</a><br class=3D"">
<br class=3D"">
But that is not what I am talking about in the article. There I am =
speaking of server<br class=3D"">
or application authentication, and I am arguing that to be secure this =
needs two screens<br class=3D"">
the second screen being what Apple calls the Touch Bar. There is a video =
here describing it<br class=3D"">
&nbsp; &nbsp; <a href=3D"https://youtu.be/DhCJuJoE6wM?t=3D170" =
rel=3D"noreferrer" target=3D"_blank" =
class=3D"">https://youtu.be/DhCJuJoE6wM?t=3D170</a><br class=3D"">
But I am sure you'll find many more. (Btw. the new Mac Book Pro is out =
today!)<br class=3D"">
<br class=3D"">
I would guess that parts of the Touch Bar must be OS secured, or else an =
app could get your fingerprints? In any case I am saying that there =
should be a couple more buttons on the Touch Bar that are controlled by =
the OS.<br class=3D"">
1) the icon of the App that is in the foreground (which would be =
retrieved from the institutional web of trust)<br class=3D"">
2) the icon of the favicon of the web page also retrieved from the =
institutional web of trust<br class=3D"">
<br class=3D"">
Clicking those would give you more information about the app in 1) and =
more info about the page in 2).<br class=3D"">
But not just the address of the headquarters, but something a lot =
richer....<br class=3D"">
<br class=3D"">
<br class=3D"">
But I may have misunderstood you...?<br class=3D"">
<br class=3D"">
Henry<br class=3D"">
<br class=3D"">
</blockquote></div>
</div></blockquote></div><br class=3D""></body></html>=

--Apple-Mail=_E163B1B8-8096-4206-99CC-F0A4055BB803--


From nobody Mon Jul 16 01:48:20 2018
Return-Path: <henry.story@bblfish.net>
From: Henry Story <henry.story@bblfish.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 16 Jul 2018 10:48:10 +0200
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org>
To: saag@ietf.org
In-Reply-To: <20180715015127.GH33554@straasha.imrryr.org>
Message-Id: <229CBFEA-8A78-4275-91C7-B1219398CCED@bblfish.net>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/YhFqutHCVS9GpsuJSA8nniej5Wk>
Subject: Re: [saag] stopping (https) phishing

> On 15 Jul 2018, at 03:51, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
> On Sat, Jul 14, 2018 at 08:44:20PM -0400, John Levine wrote:
>
>> I don't know how well this would work in practice, since users are not
>> very good at understanding that a marker (lock, logo, whatever) in the
>> chrome is different from the same marker in the window, but given that
>> anyone can get https for free these days, we need a different way to
>> mark high-value phish targets.

Yes, so that is what I looked at in the short 6 minute read blog post
I wrote up over the weekend.

"Phishing in Context"
https://medium.com/@bblfish/phishing-in-context-9c84ca451314

I start with the 2002 Usenix paper "Trusted paths for Browsers"
where the authors were able to completely take over the Chrome.
How can one stop that!? I think the idea that nothing can be done
in UI space stems from the medusing stare of that possibility.

> My personal preference would be for the browser to associate
> *personal* visual clues with previously visited and well known
> sites, and to issue warnings for domains with a low edit distance
> from such sites.

Yep, I think that can also be added.

>
> In late June, hastily packing for a trip, I was rebuilding a MacOS
> image from scratch, while not wearing my reading glasses.  I tried
> to use the bundled browser to download Firefox, from (not quite the
> right site): moizlla.com.  This prompted for a Flash update, which
> sadly in that context did not seem too suspicious (did Safari in
> the OS image perhaps bundle a slightly stale copy of Flash?).
> Quickly realized that was a mistake.  Erased the filesystem and
> re-installed.  Illusions that this can never happen to an old salt
> like me now in tatters. :-(

yes, so in the proposal since you would never have gone to moizilla.com
before you would have first gotten your browser to open a Moizilla
information site that would presumably contain mostly question marks,
since it is unlikely that they would want to tie themselves to a legal
system of institutional trust. That or they would try to base their company
in a location known to be unreliable (according to your trust source),
and the UI would have been in red to highlight a danger zone.

But even if you had downloaded it, the icon on your Touch Bar
would have been one that would not match the one you were used to from
Firefox. And if someone anywhere were to work out the scam, then you
could get an official news info on your Touch Bar to warn
you about the software.

The importance of that second screen can not be underestimated.
It really has the feeling of being an engineering embodiment
of a logical necessity.

> Not an easy problem to solve, but I don't think that centralized
> systems alone can solve it.  Solutions are necessarily incomplete,
> multi-faceted and coëvolving with the attacks.

yes!

The institutional web of trust is both actually. It has a peer
to peer side that is the relation between the states, and a hierarchical
relation between organizations inside a state.

I am reading a recent paper just now that is following up on some similar
architectural ideas under the name of Bridge Certification Authorities, ...
But those look from a distance to be brittle because they tie themselves to X509
certificates where I think one needs to be able to swerve elegantly between signed
certificates and data on the web.  But I have to get a better understanding of
Trust Brokers to see what is going on there...

 https://www.hindawi.com/journals/scn/2017/6907146/abs/

>
> --
> 	Viktor.
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


From nobody Mon Jul 16 07:16:59 2018
Return-Path: <mcr+ietf@sandelman.ca>
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: saag@ietf.org, Ben Laurie <benl=40google.com@dmarc.ietf.org>
In-Reply-To: <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Mon, 16 Jul 2018 10:12:19 -0400
Message-ID: <31612.1531750339@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5PpBBNBzEvznXbRyC1ya8jnUyLg>
Subject: Re: [saag] stopping (https) phishing

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable


Ben Laurie <benl=40google.com@dmarc.ietf.org> wrote:
    > No, I mean in the more general sense that it's a way to invoke "the
    > system", guaranteed, no messing.

    > It has a noble history of not working very well.

    > Windows uses ctl-alt-del as a SAK. It doesn't let you do much, but it
    > is more than login.

Yes, that's just it: it doesn't do that much.
That's why it was a failure.  Also lack of any kind of tutorial.
And since it used to reboot the computer, most people habitually avoid it.

It's probably time to try it again.

    >> On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
    >>
    >>
    >>
    >> On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:
    >> Hi,
    >>
    >> I just wrote up some ideas on UI and security that came (back) to me reading
    >> this thread and other interesting papers on security.
    >>
    >> "Phishing in Context -- Epistemology on the screen"
    >> https://medium.com/@bblfish/phishing-in-context-9c84ca451314
    >>
    >> You have reinvented the Secure Attention Key. It hasn't worked out that well, so far.
    >>

    > Do you mean what they describe on Wikipedia here?
    > https://en.wikipedia.org/wiki/Secure_attention_key

    > "A secure attention key (SAK) or secure attention sequence (SAS)
    > is a special key or key combination to be pressed on a computer
    > keyboard before a login screen which must, to the user, be
    > completely trustworthy. The operating system kernel, which
    > interacts directly with the hardware, is able to detect whether
    > the secure attention key has been pressed. When this event is
    > detected, the kernel starts the trusted login processing."

    > That would be to authenticate the user of the computer, which is I
    > suppose a
    > predecessor of what the fingerprint button on new MacBook Pro
    > laptops is about
    > (I don't know, as I don't have them). They call it Touch Id
    > https://support.apple.com/en-us/HT207054

    > But that is not what I am talking about in the article. There I am
    > speaking of server
    > or application authentication, and I am arguing that to be secure
    > this needs two screens
    > the second screen being what Apple calls the Touch Bar. There is a
    > video here describing it
    > https://youtu.be/DhCJuJoE6wM?t=170
    > But I am sure you'll find many more. (Btw. the new Mac Book Pro is
    > out today!)

    > I would guess that parts of the Touch Bar must be OS secured, or
    > else an app could get your fingerprints? In any case I am saying
    > that there should be a couple more buttons on the Touch Bar that
    > are controlled by the OS.
    > 1) the icon of the App that is in the foreground (which would be
    > retrieved from the institutional web of trust)
    > 2) the icon of the favicon of the web page also retrieved from the
    > institutional web of trust

    > Clicking those would give you more information about the app in 1)
    > and more info about the page in 2).
    > But not just the address of the headquarters, but something a lot
    > richer.....


    > But I may have misunderstood you...?

    > Henry






-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=--


From nobody Mon Jul 16 13:33:24 2018
Return-Path: <yakov@nightwatchcybersecurity.com>
MIME-Version: 1.0
In-Reply-To: <153175762490.21882.4224015836645470223.idtracker@ietfa.amsl.com>
References: <153175762490.21882.4224015836645470223.idtracker@ietfa.amsl.com>
From: Yakov Shafranovich <yakov@nightwatchcybersecurity.com>
Date: Mon, 16 Jul 2018 16:32:38 -0400
Message-ID: <CAAyEnSO2SPcv_=wc9Cm4rr22nZ=k3R79fjEA+Ke1mJLDozkpLA@mail.gmail.com>
To: Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/VhVcNgIphrZgHu9jLZorZG7E39c>
Subject: [saag] Fwd: New Version Notification for draft-foudil-securitytxt-04.txt

---------- Forwarded message ----------
From:  <internet-drafts@ietf.org>
Date: Mon, Jul 16, 2018 at 12:13 PM
Subject: New Version Notification for draft-foudil-securitytxt-04.txt
To: Edwin Foudil <contact@edoverflow.com>, Yakov Shafranovich
<yakov+ietf@nightwatchcybersecurity.com>



A new version of I-D, draft-foudil-securitytxt-04.txt
has been successfully submitted by Edwin Foudil and posted to the
IETF repository.

Name:           draft-foudil-securitytxt
Revision:       04
Title:          A Method for Web Security Policies
Document date:  2018-07-15
Group:          Individual Submission
Pages:          19
URL:            https://www.ietf.org/internet-drafts/draft-foudil-securitytxt-04.txt
Status:         https://datatracker.ietf.org/doc/draft-foudil-securitytxt/
Htmlized:       https://tools.ietf.org/html/draft-foudil-securitytxt-04
Htmlized:       https://datatracker.ietf.org/doc/html/draft-foudil-securitytxt
Diff:           https://www.ietf.org/rfcdiff?url2=draft-foudil-securitytxt-04

Abstract:
   When security risks are discovered by independent security
   researchers, they often lack the channels to disclose them properly.
   As a result, security issues may be left unreported.  This document
   defines a standard ("security.txt") to help organizations describe
   the process for security researchers to follow in order to disclose
   security vulnerabilities securely.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


From nobody Tue Jul 17 08:16:37 2018
Return-Path: <rdd@cert.org>
From: Roman Danyliw <rdd@cert.org>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: SECDISPATCH WG Summary from IETF 102
Thread-Index: AdQd0n0Kx45hGDd8T86iEpolhiwK/w==
Date: Tue, 17 Jul 2018 15:16:00 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C403D63@marathon>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/w0rvPuakJf4n5WAVxz6Yail3oUU>
Subject: [saag] SECDISPATCH WG Summary from IETF 102

The SECDISPATCH WG met on Monday morning.  The items were dispatched as follows:

(1) draft-birkholz-attestation-terminology-02 -- convene a BoF (sufficient interest; no obvious fit into an existing WG)

(2) draft-mandyam-eat-00 -- convene a BoF (sufficient interest; no obvious fit into an existing WG)

(3) draft-sheffer-acme-star-request-02 -- bring to ACME WG

(4) draft-jholland-mboned-ambi-00 -- clarify use case and frame approach around this use case to determine next steps

(5) draft-mavrogiannopoulos-pkcs8-validated-parameters-02 -- WG consensus to publish draft as-is with ISE

(6) draft-hallambaker-dare-message-00, draft-hallambaker-dare-container-00 and draft-hallambaker-jsonbcd-12 -- more discussion is required to determine next steps

(7) draft-jones-webauthn-secp256k1-00 -- update the appropriate COSE/JOSE IANA registries referenced in this document using 2-byte identifiers (since this action would be "specification required")


From nobody Tue Jul 17 12:35:31 2018
Return-Path: <director@openca.org>
To: "saag@ietf.org" <saag@ietf.org>, PKIX <pkix@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
From: "Dr. Pala" <director@openca.org>
Organization: OpenCA Labs
Message-ID: <42efe1a4-0532-dbb0-a21a-10120f6656b3@openca.org>
Date: Tue, 17 Jul 2018 15:35:05 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms010402040602000007050205"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/0pFVjnu4ofIxn94p3CF2oVtTOtQ>
Subject: [saag] Applied Quantum Resistant Crypto

This is a cryptographically signed message in MIME format.

--------------ms010402040602000007050205
Content-Type: multipart/alternative;
 boundary="------------3A716116B98A63739D17D6BD"
Content-Language: en-US

This is a multi-part message in MIME format.
--------------3A716116B98A63739D17D6BD
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Hi all,

I was wondering if there are people interested in setting up some sort
of discussion forum in which to discuss the deployment (from a practical
point of view) of QRC in their systems. The intent here would be to
share the experiences, provide feedback, and possibly even share
implementations/references/etc.

Moreover, this being quite a new field when it comes to real-world
applications, it would be interesting to understand the new requirements
so that we can plan for algorithm agility correctly and not have to go
through what we suffered in the past (and in some cases with current
protocols) to upgrade/switch among different schemes/algorithms.

For example, some of the topics might include:

  * How to deploy PKI services
  * Mixed environments considerations (QRC and "Traditional" Crypto)
  * Mixed environments (stateful vs. stateless)
  * Encryption and Key-Exchange for QRC - what are the options there (it
    seems auth is well understood, but other problems are still open)?
  * Are there implications for the deployment of PKIs we need to be
    aware of and are not currently mentioned/addressed?
  * Any real-world deployment out there (or plans for it)?
  * Algorithm Agility, what to plan for?
  * Applicability to Revocation Services

Most of the activities to standardize QRC in CMS/SecFirmware/etc. that I
can see are related to the use of Stateful HASHSIG and I have not seen
any "standardization" activities around stateless schemes (e.g.,
SPHINCS), but if I am wrong, please let me know (and if you could
provide some interesting links, that would be great). I think it would
be useful to understand how to practically deploy these new schemes and
how to refine / provide the building blocks required for their
implementation and deployment.

Here are some references:

Merkle Tree Signatures (Stateful):

  * https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/
  * https://datatracker.ietf.org/doc/draft-housley-cms-mts-hash-sig/
  * https://www.ietf.org/id/draft-housley-suit-cose-hash-sig-04.txt
  * https://datatracker.ietf.org/doc/rfc8391/ (XMSS)
  * https://eprint.iacr.org/2018/063 (Viability of Post Quantum X.509
    Certs Paper)

  * Implementations:
      o https://github.com/cisco/hash-sigs

SPHINCS Related (Stateless):

  * https://sphincs.org/

  * Implementations:
      o https://sphincs.org/data/sphincs+-reference-implementation-20180313.tar.bz2

Other Relevant Links:

  * https://datatracker.ietf.org/doc/draft-truskovsky-lamps-pq-hybrid-x509/
  * https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
  * http://test-pqpki.com/

I guess this is all for now - you can reply privately at the following
addresses:

    director@openca.org
    m.pala@cablelabs.com

Thanks,
Max

-- 
Best Regards,
Massimiliano Pala, Ph.D.
OpenCA Labs Director

--------------3A716116B98A63739D17D6BD--

--------------ms010402040602000007050205--


From nobody Tue Jul 17 13:08:35 2018
Return-Path: <cjt@post-quantum.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30E08130F13 for <saag@ietfa.amsl.com>; Tue, 17 Jul 2018 13:08:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=post-quantum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L06nLbr4IwfT for <saag@ietfa.amsl.com>; Tue, 17 Jul 2018 13:08:29 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DA24130E62 for <saag@ietf.org>; Tue, 17 Jul 2018 13:08:28 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id 13-v6so4447152ois.1 for <saag@ietf.org>; Tue, 17 Jul 2018 13:08:28 -0700 (PDT)
X-Received: by 2002:aca:5d86:: with SMTP id r128-v6mr2974467oib.243.1531858107354;  Tue, 17 Jul 2018 13:08:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:787:0:0:0:0:0 with HTTP; Tue, 17 Jul 2018 13:08:26 -0700 (PDT)
In-Reply-To: <42efe1a4-0532-dbb0-a21a-10120f6656b3@openca.org>
References: <42efe1a4-0532-dbb0-a21a-10120f6656b3@openca.org>
From: CJ Tjhai <cjt@post-quantum.com>
Date: Tue, 17 Jul 2018 21:08:26 +0100
Message-ID: <CANs=h-V=bx8V_SRFePZHUG=hd-giRb6vtyN6n2NivJB_QqdgVQ@mail.gmail.com>
To: "Dr. Pala" <director@openca.org>
Cc: "saag@ietf.org" <saag@ietf.org>, PKIX <pkix@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/related; boundary="0000000000005603ff0571378208"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/b4g9nBnBvEwe_01Bq33L_D7tG0c>
Subject: Re: [saag] [Cfrg] Applied Quantum Resistant Crypto
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 20:08:33 -0000

--0000000000005603ff0571378208
Content-Type: multipart/alternative; boundary="0000000000005603fd0571378207"

--0000000000005603fd0571378207
Content-Type: text/plain; charset="UTF-8"

Hi Max,

There is also experimental work on hybrid post-quantum key-exchange for
IKEv2 VPN. The work was done on a fork of strongSwan and it is available
here: https://github.com/post-quantum/strongswan/commits/qske and it works
on Linux, Android and OS X. It relies on the post-quantum libraries that are
available at this repository: https://github.com/post-quantum/nistpqc,
which contains a number of post-quantum algorithms submitted as part of
NIST standardization. Not all submitted algorithms are included, but it's
pretty straightforward to add additional ones.

This experimental work implements version 00 of this IETF draft:
https://datatracker.ietf.org/doc/draft-tjhai-ipsecme-hybrid-qske-ikev2/. We
hope to update the experimental work once the draft is in a more mature
state.

Best regards,
CJ



On 17 July 2018 at 20:35, Dr. Pala <director@openca.org> wrote:

> Hi all,
>
> I was wondering if there are people interested in setting up some sort of
> discussion forum where to discuss the deployment (from a practical point of
> view) for QRC in their systems. The intent here would be to share the
> experiences, provide feedback, and possibly even share
> implementations/references/etc.
>
> Moreover, being this quite a new field when it comes to real-world
> applications, it would be interesting to understand the new requirements so
> that we can plan for algorithm agility correctly and not having to go
> through what we suffered in the past (and in some cases with current
> protocols) to upgrade/switch among different schemes/algorithms.
>
> For example, some of the topics might include:
>
>    - How to deploy PKI services
>    - Mixed environments considerations (QRC and "Traditional" Crypto)
>    - Mixed environments (stateful vs. stateless)
>    - Encryption and Key-Exchange for QRC - what are the options there (it
>    seems auth is well understood, but other problems are still open)?
>    - Are there implications for the deployment of PKIs we need to be
>    aware of and are not currently mentioned/addressed?
>    - Any real-world deployment out there (or plans for it)?
>    - Algorithm Agility, what to plan for?
>    - Applicability to Revocation Services
>
> Most of the activities to standardize QRC in CMS/SecFirmware/etc. that I
> can see are related to the use of Stateful HASHSIG and I have not seen any
> "standardization" activities around stateless schemes (e.g., SPHINCS), but
> if I am wrong, please let me know (and if you could provide some
> interesting links, that would be great). I think it would be useful to
> understand how to practically deploy these new schemes and how to refine /
> provide the building blocks required for their implementation and
> deployment.
>
> Here's some references:
>
> Merkle Tree Signatures (Stateful):
>
>    - https://datatracker.ietf.org/doc/draft-mcgrew-hash-sigs/
>    - https://datatracker.ietf.org/doc/draft-housley-cms-mts-hash-sig/
>    - https://www.ietf.org/id/draft-housley-suit-cose-hash-sig-04.txt
>    - https://datatracker.ietf.org/doc/rfc8391/ (XMSS)
>    - https://eprint.iacr.org/2018/063 (Viability of Post Quantum X.509
>    Certs Paper)
>
>    - Implementations:
>       - https://github.com/cisco/hash-sigs
>
> SPHINCS Related (Stateless):
>
>    - https://sphincs.org/
>
>    - Implementations:
>       - https://sphincs.org/data/sphincs+-reference-implementation-20180313.tar.bz2
>
> Other Relevant Links:
>
>    - https://datatracker.ietf.org/doc/draft-truskovsky-lamps-pq-hybrid-x509/
>    - https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
>    - http://test-pqpki.com/
>
> I guess this is all for now - you can reply privately at the following
> addresses:
>
>     director@openca.org
>     m.pala@cablelabs.com
>
> Thanks,
> Max
> --
> Best Regards,
> Massimiliano Pala, Ph.D.
> OpenCA Labs Director

--0000000000005603fd0571378207--

--0000000000005603ff0571378208--


From nobody Tue Jul 17 13:50:27 2018
Return-Path: <diego.r.lopez@telefonica.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40C6C130E13; Tue, 17 Jul 2018 13:50:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=telefonicacorp.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nuyqUNYA_e5U; Tue, 17 Jul 2018 13:50:06 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-he1eur02on0724.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe05::724]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08136131058; Tue, 17 Jul 2018 13:49:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telefonicacorp.onmicrosoft.com; s=selector1-telefonica-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UKBEN4wdqH3LdXBwwUiTTTQTehVjKIshxPXErGjh8/A=; b=KKrjfrssTuXZSR7Ou9yF5YV7Q+qLAboKDMnxRXFBBgYxHuu3iICG0yZmlfY+uIQp+kAk0sjGccEx99vlOmNyTZXPMfDKDTfgM98cdO+L8war2urCdBkGzbHuOjblbTU/OCkBKaKVG6u5pA7loDwNzkLLwRifKatRSIYy1OfUMPk=
Received: from DB3PR0602MB3788.eurprd06.prod.outlook.com (52.134.70.148) by DB3PR0602MB3675.eurprd06.prod.outlook.com (52.134.73.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.18; Tue, 17 Jul 2018 20:49:50 +0000
Received: from DB3PR0602MB3788.eurprd06.prod.outlook.com ([fe80::d8e6:efcd:7512:d84c]) by DB3PR0602MB3788.eurprd06.prod.outlook.com ([fe80::d8e6:efcd:7512:d84c%2]) with mapi id 15.20.0952.021; Tue, 17 Jul 2018 20:49:50 +0000
From: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
To: "Dr. Pala" <director@openca.org>, "saag@ietf.org" <saag@ietf.org>, PKIX <pkix@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>
CC: ALEJANDRO AGUADO MARTIN <alejandro.aguadomartin.ext@telefonica.com>, ANTONIO AGUSTIN PASTOR PERALES <antonio.pastorperales@telefonica.com>, Vicente Martin <vicente@fi.upm.es>
Thread-Topic: [saag] Applied Quantum Resistant Crypto
Thread-Index: AQHUHgVu3hmSIMpoF0yjiFG8TaLTU6SToE6A
Date: Tue, 17 Jul 2018 20:49:50 +0000
Message-ID: <7A32408B-4AF5-4558-9F5E-5DFB5FEDFA39@telefonica.com>
References: <42efe1a4-0532-dbb0-a21a-10120f6656b3@openca.org>
In-Reply-To: <42efe1a4-0532-dbb0-a21a-10120f6656b3@openca.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.f.0.180709
authentication-results: spf=none (sender IP is ) smtp.mailfrom=diego.r.lopez@telefonica.com; 
x-originating-ip: [2001:67c:370:128:88df:b867:43a1:7968]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
Content-Type: multipart/related; boundary="_004_7A32408B4AF545589F5E5DFB5FEDFA39telefonicacom_"; type="multipart/alternative"
MIME-Version: 1.0
X-OriginatorOrg: telefonica.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 519acac1-1d8e-46de-21cc-08d5ec26d705
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jul 2018 20:49:50.2362 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR0602MB3675
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/MT8nQLB6MYA2gShVEg7_vIypTec>
Subject: Re: [saag] Applied Quantum Resistant Crypto
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 20:50:20 -0000

--_004_7A32408B4AF545589F5E5DFB5FEDFA39telefonicacom_
Content-Type: multipart/alternative;
 boundary="_000_7A32408B4AF545589F5E5DFB5FEDFA39telefonicacom_"

--_000_7A32408B4AF545589F5E5DFB5FEDFA39telefonicacom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_7A32408B4AF545589F5E5DFB5FEDFA39telefonicacom_
Content-Type: text/html; charset="utf-8"
Content-ID: <CFDE3564FE812E468E322A8CD3B20672@eurprd06.prod.outlook.com>
Content-Transfer-Encoding: base64
--_000_7A32408B4AF545589F5E5DFB5FEDFA39telefonicacom_--

--_004_7A32408B4AF545589F5E5DFB5FEDFA39telefonicacom_
Content-Type: image/png; name="image001.png"
Content-Description: image001.png
Content-Disposition: inline; filename="image001.png"; size=3147;
 creation-date="Tue, 17 Jul 2018 20:49:50 GMT";
 modification-date="Tue, 17 Jul 2018 20:49:50 GMT"
Content-ID: <image001.png@01D41DEE.2D2F17F0>
Content-Transfer-Encoding: base64


--_004_7A32408B4AF545589F5E5DFB5FEDFA39telefonicacom_--


From nobody Tue Jul 17 15:25:22 2018
Return-Path: <ncamwing@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33A28130E41 for <saag@ietfa.amsl.com>; Tue, 17 Jul 2018 15:25:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level: 
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nyF8DCELJyCC for <saag@ietfa.amsl.com>; Tue, 17 Jul 2018 15:25:16 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58F2C130FAF for <saag@ietf.org>; Tue, 17 Jul 2018 15:25:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6676; q=dns/txt; s=iport; t=1531866315; x=1533075915; h=from:to:subject:date:message-id:mime-version; bh=F4re3yftkdInsObmK7ul5H6PbSWLEbKN3MfdjwM5Nok=; b=akVnX+ZL/D+o/P+8CdtlYSr2f1F1OBIn37nW+y3X7rkQmfMO5l+7+cW2 809TY0MfUqBMqoUcxFB4E1luZFFGO1GdRD+7uhfZ1tjH/EgPwsQOlRnZd AQv+/sc+LCRQd5a4YSJ92i1Ieikuj5VDzpU7zy7sSmWmbcOUNo2Xm3soK o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.51,367,1526342400";  d="scan'208,217";a="144618055"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Jul 2018 22:25:14 +0000
Received: from XCH-RTP-015.cisco.com (xch-rtp-015.cisco.com [64.101.220.155]) by rcdn-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id w6HMPEXL020634 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL) for <saag@ietf.org>; Tue, 17 Jul 2018 22:25:14 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-015.cisco.com (64.101.220.155) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Tue, 17 Jul 2018 18:25:13 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Tue, 17 Jul 2018 18:25:13 -0400
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: TEEP WG report
Thread-Index: AQHUHh0HFzFajnZKMUSUnRgqcu2EIQ==
Date: Tue, 17 Jul 2018 22:25:13 +0000
Message-ID: <EAD449FA-E648-4009-A00A-C8F5B164ACD6@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.c.0.180410
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.24.103.160]
Content-Type: multipart/alternative; boundary="_000_EAD449FAE6484009A00AC8F5B164ACD6ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/yqZ-2xkyEci9A7qg2sdE7riJYhY>
Subject: [saag] TEEP WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 22:25:20 -0000

The TEEP WG met Tuesday, July 17, 2018 from 13:50-15:50.

An overview of the architecture draft (https://datatracker.ietf.org/doc/draft-ietf-teep-architecture/) was presented with discussion of some comments received through the working group’s mail list.

Updates to the OTrP draft (https://datatracker.ietf.org/doc/draft-ietf-teep-opentrustprotocol/) were also presented.

Dave Thaler (as an individual) was our sole Hackathon participant attempting to implement OTrP and reported on findings and issues in architecture and solution drafts.

David Wheeler presented recommendations for TEEP to enable support for SGX. There was general consensus to the spirit of the recommendations though some wordsmithing will be required.

Procedurally, the group will start tracking issues (and continue draft work) thru GitHub to ensure the issues posted in email, in the Hackathon report and David Wheeler’s presentation are tracked.

The ether pad notes can be found in: https://etherpad.tools.ietf.org/p/notes-ietf-102-teep


From nobody Wed Jul 18 09:01:01 2018
Return-Path: <rsalz@akamai.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D914130DFE for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 09:00:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level: 
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zC1U95EyC9Ms for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 09:00:57 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E706129619 for <saag@ietf.org>; Wed, 18 Jul 2018 09:00:57 -0700 (PDT)
Received: from pps.filterd (m0050093.ppops.net [127.0.0.1]) by m0050093.ppops.net-00190b01. (8.16.0.22/8.16.0.22) with SMTP id w6IFvRTl029798 for <saag@ietf.org>; Wed, 18 Jul 2018 17:00:57 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : date : message-id : content-type : mime-version; s=jan2016.eng; bh=UWd1SSNgmBNrn7DKiGtT5duUQolr0/nxd301uDOC+GY=; b=LYqT8q0YRjGE2Gqt0W7cCL4Z1TcsjoJzACeL8MwiDEoeGOyBkdWfkZ22eRFET3TNiUZf FKy3yBPs0JeXmSNb+5PaUHICHlYxxagUT11gOCHvGwMW6dskmWntvWQFxMj7aq+PAjaE 7jTHkZURSNB1hRJE8azJuPf5QiptPdiOCbp/pwSTF1+Pri1BnEXhyVC1Ff2WA2NhN2W6 H4kN+H4HNgzuxTvhmWx2QvMe2Ya8lGVe34l+39x8qjHtShxUv4Bx/EMBuCe0alUPFgrX xYLbuuqssX6HM/UPQbqXZJPd86MjnVFPFYXkhx0fKIeuHMB3XLCuhGyfXQLG483AAmeb kg== 
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by m0050093.ppops.net-00190b01. with ESMTP id 2k9mgrtsdc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <saag@ietf.org>; Wed, 18 Jul 2018 17:00:56 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w6IFoADk025115 for <saag@ietf.org>; Wed, 18 Jul 2018 12:00:55 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.33]) by prod-mail-ppoint2.akamai.com with ESMTP id 2k7cgurd9k-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for <saag@ietf.org>; Wed, 18 Jul 2018 12:00:55 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb4.msg.corp.akamai.com (172.27.123.104) with Microsoft SMTP Server (TLS) id 15.0.1365.1; Wed, 18 Jul 2018 12:00:54 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1365.000; Wed, 18 Jul 2018 12:00:55 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: saag <saag@ietf.org>
Thread-Topic: ACME WG report
Thread-Index: AQHUHrCBH2l57IvpzUKhszXow/f9uQ==
Date: Wed, 18 Jul 2018 16:00:54 +0000
Message-ID: <4D5BF703-DC72-4F48-8E80-1E53DE670C76@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/10.f.0.180709
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.46.213]
Content-Type: multipart/alternative; boundary="_000_4D5BF703DC724F488E801E53DE670C76akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-18_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=990 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807180176
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-18_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=910 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807180177
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/VJIMhR1NZx5Nt7yTqkIC9Sqo3oY>
Subject: [saag] ACME WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 16:01:00 -0000

--_000_4D5BF703DC724F488E801E53DE670C76akamaicom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_4D5BF703DC724F488E801E53DE670C76akamaicom_
Content-Type: text/html; charset="utf-8"
Content-ID: <9268C73E6BB58D4FB81F5179B89603FA@akamai.com>
Content-Transfer-Encoding: base64
--_000_4D5BF703DC724F488E801E53DE670C76akamaicom_--


From nobody Wed Jul 18 10:05:02 2018
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71416131213 for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 10:04:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5jP4YiNpCt6U for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 10:04:53 -0700 (PDT)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 412C0130E7F for <saag@ietf.org>; Wed, 18 Jul 2018 10:04:53 -0700 (PDT)
Received: from [10.47.60.101] (dhcp-8e1a.meeting.ietf.org [31.133.142.26]) (authenticated bits=0) by mail.proper.com (8.15.2/8.15.2) with ESMTPSA id w6IH4cvr034518 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <saag@ietf.org>; Wed, 18 Jul 2018 10:04:40 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host dhcp-8e1a.meeting.ietf.org [31.133.142.26] claimed to be [10.47.60.101]
From: "Paul Hoffman" <paul.hoffman@vpnc.org>
To: "IETF SAAG" <saag@ietf.org>
Date: Wed, 18 Jul 2018 13:04:48 -0400
X-Mailer: MailMate (1.11.3r5509)
Message-ID: <349B5779-0367-4334-B8DD-D4BC1B374951@vpnc.org>
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/KTtnfqlsMLM0AEHKHt2DKAVxKV4>
Subject: [saag] Agenda for IETF 102?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 17:05:00 -0000

Is there an agenda for tomorrow?

--Paul Hoffman


From nobody Wed Jul 18 10:05:15 2018
Return-Path: <apostol.vassilev@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C713F1311FB; Wed, 18 Jul 2018 10:05:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6TRLxZI3F8OY; Wed, 18 Jul 2018 10:04:58 -0700 (PDT)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com [IPv6:2607:f8b0:4001:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81BDC130EAC; Wed, 18 Jul 2018 10:04:58 -0700 (PDT)
Received: by mail-io0-x234.google.com with SMTP id q4-v6so4692083iob.2; Wed, 18 Jul 2018 10:04:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:mime-version:subject:date:references:to:in-reply-to:message-id;  bh=MglY+/ee33v3AS8I34KlL6J42p+3FIfZE6sHbdT2UNo=; b=OyLhu8zAZS7JrKen36dL/QHgJXSw1l6CEa1W07sE+9D87O88YK71FuRW09nOvlsXFZ T4A3Hos9zFCJ71abcIj/3tPqv5uc3q5SslhGSZA5P3uHq84i8wYmYfPZdmsoo5QEVQ2V /0HKfHHreeh2d8CRbPzB0BMEN1QO1RBPgpF9t6wqGPhOkkTmZ82DfWzucsiq7oadMZY6 h6/ePcdQEzjCTwjBtZqL6LWRBMu4qZwvYJ0dg20kP61zuqNe9Jqwcl6R2iEm6E5NfUlA NzJFNKzkuCw3coenMQgNTt/2M7h7YO1UqMT0+wGwHT/fxHW952ZG8HXWwVOOCzbYR5ca hI9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:references:to :in-reply-to:message-id; bh=MglY+/ee33v3AS8I34KlL6J42p+3FIfZE6sHbdT2UNo=; b=oqvfjtWIf5g9nCSPhDU5MitwNo5Lde8hGMMUOhYbzVaVpZtpu8MPzf0r24dFqIr3jw sHOKTL+jtxyQpeCs8pqlF7R/YdNyAIXYszSBDhiwMKD/2K2aLhgUTcsXyHrET3ud0xLO 2gt6Vn2v/2ZSUOkSytNzqN/416FsliKPjerYjMxhmFsbjUQObVLC/obk1zxeq+Bh4I45 u+q7lc7v3phrcfcIVnPmz2XuDvDfH/wpbjIs/3IfEwZe3c4xHpNYYzkxUBmVfAl4agql acc8zhA7UNr/TOEq/eiMztTRMnPTFoxpYo7LOdSfdAxjJCp7TZ/eMWamRzfTDJXbJm8N PLEw==
X-Gm-Message-State: AOUpUlHU0lrf2nli7DhlTgMWM8sgSnswpNWmncHSpVdoVOFTuieIMpx1 jSFNsRgZ3d6BqM1EyN0hfgYvjn2AbcA=
X-Google-Smtp-Source: AAOMgpd3HwsN21+RKnu82VjxD+Z8YAiXA5nFKxJ6G3K7dbN5MeZGq3eJrPegrCf5fsbstlcUr0M6zQ==
X-Received: by 2002:a6b:9c09:: with SMTP id f9-v6mr5719700ioe.179.1531933497834;  Wed, 18 Jul 2018 10:04:57 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:20cb:f0e2:f015:1a1f? ([2001:67c:1232:144:20cb:f0e2:f015:1a1f]) by smtp.gmail.com with ESMTPSA id v13-v6sm1807623ita.38.2018.07.18.10.04.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Jul 2018 10:04:57 -0700 (PDT)
From: Apostol T Vassilev <apostol.vassilev@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5E2BD949-AC65-425D-8900-3535BB4FE2A7"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Wed, 18 Jul 2018 13:04:56 -0400
References: <BL0PR0901MB23060380F60C515EF4DCE700F05E0@BL0PR0901MB2306.namprd09.prod.outlook.com>
To: "acvp@ietf.org" <acvp@ietf.org>, "cfrg@ietf.org" <cfrg@ietf.org>, "saag@ietf.org" <saag@ietf.org>
In-Reply-To: <BL0PR0901MB23060380F60C515EF4DCE700F05E0@BL0PR0901MB2306.namprd09.prod.outlook.com>
Message-Id: <E89360DC-9F50-4435-B847-C245E995DEF7@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/MuQimLvVV1nrJ3ENX-gJchRPIkc>
Subject: Re: [saag] SAAG Presentation: Automated Cryptographic Validation Protocol (ACVP) and Side Meeting - UPDATE
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 17:05:08 -0000

--Apple-Mail=_5E2BD949-AC65-425D-8900-3535BB4FE2A7
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Our side meeting for an in-depth discussion of ACVP and live demo will be on Thursday evening at 19:30 EDT in the Van Horne room. Please join us to explore opportunities for collaboration on the development of this protocol within the IETF community. We are looking forward to seeing you there.

Regards,
ACVP team

> On Jul 15, 2018, at 5:57 PM, Waltermire, David A. (Fed) <david.waltermire@nist.gov> wrote:
>
> At SAAG this week, there will be a presentation on the Automated Cryptographic Validation Protocol (ACVP). This effort is focused on a protocol for validating cryptographic implementations against cryptographic standards. This protocol can be used as part of government and industry cryptographic testing programs.
>
> Additionally, a side meeting will be held on Thursday evening at 7:30pm EDT to engage in further discussion around this work. A live demo and in-depth look at the protocol internals will be provided for context. A focus of the discussion will be around interest in collaboration on this protocol within the IETF community. The specific location of this meeting will be announced later this week once a room has been reserved.
>
> There is also a non-working group IETF mailing list to support ongoing conversation on this topic. To join the ACVP IETF mailing list, please visit: <https://www.ietf.org/mailman/listinfo/acvp>.
>
> We are looking forward to seeing you at the SAAG meeting and ACVP side meeting.
>
> Regards,
> ACVP Team


--Apple-Mail=_5E2BD949-AC65-425D-8900-3535BB4FE2A7--


From nobody Wed Jul 18 10:40:33 2018
Return-Path: <rdd@cert.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DA47130F55 for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 10:40:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OJCy7VUBNG5M for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 10:40:25 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10DDE130F82 for <saag@ietf.org>; Wed, 18 Jul 2018 10:40:24 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w6IHeNJS025316 for <saag@ietf.org>; Wed, 18 Jul 2018 13:40:23 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu w6IHeNJS025316
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1531935623; bh=oOar0lbuoIIF8pUoCQRa9iBTStvma2Gc81k0BLIeudg=; h=From:To:Subject:Date:From; b=lcrCqQtjUVDGu16KfNMMekvU4n2rcPTNj1Ign430ek+6uVPpujk1iU/Jr2hI+pJXu /TAGtJEYeRxC7IPXQutlDltw0veIi2TW7l3IXER3FcMQJuPDQ2BskhRo1dA9TH1DHJ 53uaPCI9A9+QDgipLjTohVEHL2uuf/7uba11xY3s=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id w6IHeNKh041899 for <saag@ietf.org>; Wed, 18 Jul 2018 13:40:23 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0399.000; Wed, 18 Jul 2018 13:40:22 -0400
From: Roman Danyliw <rdd@cert.org>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: ACE WG Summary from IETF 102
Thread-Index: AdQeviE4pp5Ez1xtRh6QNXI1wvO4gg==
Date: Wed, 18 Jul 2018 17:40:21 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC014C405170@marathon>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/-RI3hO-TSLNNcRNT21mFbxc1iyg>
Subject: [saag] ACE WG Summary from IETF 102
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 17:40:32 -0000

The ACE working group met on Monday morning.

The CWT Proof of Possession draft [1] completed WGLC and final feedback is
being processed.

The ACE framework drafts [2] will likely be ready for WGLC in September 2018.

Discussion continues around non-working group drafts [3][4][5] that address
group messaging authorization scenarios. Adoption will be discussed after
existing, key WG drafts are completed.

The WG held a facilitated discussion on security issues in resource directory
authorization and found a breadth of perspectives on the problem and
properties of the solution.

Recent changes in EDHOC [6] to reduce the message size were also discussed.

[1] draft-ietf-ace-cwt-proof-of-possession
[2] draft-ietf-ace-{oauth-authz, dtls-authorize, oscore-profile}
[3] draft-palombini-ace-key-groupcomm
[4] draft-palombini-ace-coap-pubsub-profile
[5] draft-tiloca-ace-oscoap-joining
[6] draft-selander-ace-cose-ecdhe-09



From nobody Wed Jul 18 10:52:52 2018
Return-Path: <valery@smyslov.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4709130E80 for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 10:52:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level: 
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=smyslov.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iDF3EJcGv09T for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 10:52:49 -0700 (PDT)
Received: from direct.host-care.com (direct.host-care.com [198.136.54.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09240130E66 for <saag@ietf.org>; Wed, 18 Jul 2018 10:52:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=smyslov.net ; s=default; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID :Date:Subject:Cc:To:From:Sender:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Unwe6E0pY7hza17hJWZMsJQ3+xndShtOukXYAs3HIoQ=; b=imaDlypnSxgANBphXnC+64v7Qn 648RGRv3y08gcDHuUezkfFnbZiVlpIK1pDFCv2ub0+3vmmtAwcamGH4PInsz16s2FgdTr+f1kpGg9 o0eknWMlaVcRV4EDfejAsXiP7DOuIR4O+Lx8tjKiwYIzKaZCyeX2GKXAJmulB8CPWyFDX4jonCTBU Qh8Hd2tq7VmeD7wjrzCITKVtFBG38Gq95WQk4bu9j13sDx3fpCRa8MQtYV2+aaY3yIXVWY3yppKs/ XT+jCONJbbX3hCT8ZXDfkXRqfC0XtT/JlLY5EIFHmGWvA50N6jS6U8l6UhNguH8b0zR9Blz/GSCSZ NrDnG3vA==;
Received: from dhcp-8d71.meeting.ietf.org ([31.133.141.113]:50569 helo=svannotebook) by direct.host-care.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <valery@smyslov.net>) id 1ffqd4-0006OQ-Pw; Wed, 18 Jul 2018 13:52:46 -0400
From: "Valery Smyslov" <valery@smyslov.net>
To: <saag@ietf.org>
Cc: "'Leif Johansson'" <leifj@sunet.se>
Date: Wed, 18 Jul 2018 13:52:44 -0400
Message-ID: <04bb01d41ec0$223e2840$66ba78c0$@smyslov.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdQeu2TQvDeinmBBSlyE8wRpATL2Cw==
Content-Language: ru
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - direct.host-care.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - smyslov.net
X-Get-Message-Sender-Via: direct.host-care.com: authenticated_id: valery@smyslov.net
X-Authenticated-Sender: direct.host-care.com: valery@smyslov.net
X-Source: 
X-Source-Args: 
X-Source-Dir: 
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/h6UHRJRw1H6k9sK14TC9q17Xr3Y>
Subject: [saag] UTA WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 17:52:51 -0000

UTA doesn't meet at IETF 102.

Currently we have two drafts in the RFC Editor's queue -
<draft-ietf-uta-smtp-tlsrpt> "SMTP TLS Reporting" and
<draft-ietf-uta-mta-sts> "SMTP MTA Strict Transport Security (MTA-STS)".

The WGLC for the last remaining active WG document - 
<draft-ietf-uta-smtp-require-tls> "SMTP Require TLS Option" 
- is announced today.

Leif & Valery.



From nobody Wed Jul 18 10:58:04 2018
Return-Path: <krose@krose.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99B28130DDE for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 10:58:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A0B5UFYlWLRs for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 10:57:59 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9759F1292F1 for <saag@ietf.org>; Wed, 18 Jul 2018 10:57:59 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id d189-v6so10442400oib.6 for <saag@ietf.org>; Wed, 18 Jul 2018 10:57:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=oMXyH8NAsIhosew+N/GlpRXPFfbK7yPRqaC2qshdAZg=; b=Nn1GC/Q9MbcINUeuM5WOnjBUgwOABuScBquw+p2AVfZ35Mm6ta8n/jsca+qe1qk45Z aODHZSNX5fVjh4xDNPhGEJk1zeeOsx4Bg8VtJOMEe8sqcUn2H7lUecy1Mq8mE4fFzv0o Pl4AtU6U+5CJ8wdtTj6BxW5jW9gjVYqzTXnx8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=oMXyH8NAsIhosew+N/GlpRXPFfbK7yPRqaC2qshdAZg=; b=ltPp89M70+SQ08hlBW4cbwtyt+Kolf4C4NLew5b12/mjoeOjrPaTh8RmuIM7L1Q7VU lxaIKGbDJhXLVIM4PlN6zE4OTvMVh8IHsQXI9HN/7ruTck1tjvpKBf6KqzA9TVVoNtWM qLO+FJIxjncN/j92yeVDvh/3gimQS2gYGCPP4pWbGqkOcdM0wQGI0HNaaDo/A5aTjhPM POSdM5T1OPL3tVk+AoyprbaK+fPbdBtOqucHvQi1oLh3goW0aKTj424VVAvIVzw1z2f4 tmno+Djw9SO1zytm2GKqd9et1Sy1a7t7IxSqm9U43ZkKuUYtYpA8+6vEFhg1M5BSS/XX BPtA==
X-Gm-Message-State: AOUpUlHr8GjteZFlyIJQf42iPZXaj3/LP7v4QZmxofAOdImkFgWjP3Vh ruQBuyp5HJiBUhhOOX+qFvUHXn8Y6fMDom8o+eu/sFk8tus=
X-Google-Smtp-Source: AAOMgpeSUTwECSPVGnyL4of3Og0IPt6Wt+YrGhiKZhWXuOKhAWQ7Ppmn/n5y2h9p6zd5N12T0OXHSLk3ItvZ3aUOuxg=
X-Received: by 2002:aca:4288:: with SMTP id p130-v6mr2044254oia.265.1531936678492;  Wed, 18 Jul 2018 10:57:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a9d:204a:0:0:0:0:0 with HTTP; Wed, 18 Jul 2018 10:57:57 -0700 (PDT)
X-Originating-IP: [2001:67c:370:128:99fd:af81:3a80:2e8f]
From: Kyle Rose <krose@krose.org>
Date: Wed, 18 Jul 2018 13:57:57 -0400
Message-ID: <CAJU8_nV23xffdwrhte6e+mnR=-BW3fH388FFOkbjJr4bp+Uqkg@mail.gmail.com>
To: saag@ietf.org, tcpinc-chairs@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008a4daa057149cde9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/sFmEuwKdAr2gKo1N5kcSyDyGT_8>
Subject: [saag] TCPINC report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 17:58:02 -0000

--0000000000008a4daa057149cde9
Content-Type: text/plain; charset="UTF-8"

TCPINC did not meet at IETF 102.

Of the two main drafts, TCP-ENO has been approved for publication and is
pending a writeup (presumably waiting on approval of the other draft).
Tcpcrypt has an open discuss point with a resolution pending review by the
security AD. The remaining milestone is to complete and request publication
of an informational abstract API draft.

--0000000000008a4daa057149cde9--


From nobody Wed Jul 18 11:35:43 2018
Return-Path: <daniel.migault@ericsson.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB105130F5E for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 11:35:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level: 
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ogO5gqPLSJJ for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 11:35:37 -0700 (PDT)
Received: from usplmg20.ericsson.net (usplmg20.ericsson.net [198.24.6.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DA70130F69 for <saag@ietf.org>; Wed, 18 Jul 2018 11:35:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1531938934; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=5xRrIGl3dWNS+dJb34fptesspKcuehMEXqClzYDdaTo=; b=T4+ZHwZ1xkKK8bMbllmuk1mILfPpq9Oq6WcYEGfTfxjnm4MUPSB4CFFLpp9AV8iN +gkBqmBU9Hkz/ObTLeqdEoxcmGVAEQh7bIOAu/Zo0P/Tvp7/ks31SdwzmZnhVtRB D3dI+Qwt5sHaXirhHnuub5a67kIt6ZQdYLJfkUZ1OSc=;
X-AuditID: c618062d-bc3ff70000004941-ef-5b4f8876f85b
Received: from EUSAAMB501.ericsson.se (Unknown_Domain [147.117.188.214]) by usplmg20.ericsson.net (Symantec Mail Security) with SMTP id B1.E2.18753.6788F4B5; Wed, 18 Jul 2018 20:35:34 +0200 (CEST)
Received: from EUSASMB503.ericsson.se (147.117.188.221) by EUSAAMB501.ericsson.se (147.117.188.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 18 Jul 2018 14:35:33 -0400
Received: from EUSASMB503.ericsson.se ([147.117.188.239]) by EUSASMB503.ericsson.se ([147.117.188.239]) with mapi id 15.01.1466.003; Wed, 18 Jul 2018 14:35:33 -0400
From: Daniel Migault <daniel.migault@ericsson.com>
To: "'saag@ietf.org'" <saag@ietf.org>
CC: "curdle-chairs@ietf.org" <curdle-chairs@ietf.org>, "curdle@ietf.org" <curdle@ietf.org>
Thread-Topic: CURDLE WG report
Thread-Index: AdQexd0bvXxyG4XPTmOE8XlsSI6pyA==
Date: Wed, 18 Jul 2018 18:35:33 +0000
Message-ID: <ff00dccda6864ba4b3028953d4af9439@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [147.117.188.8]
Content-Type: multipart/alternative; boundary="_000_ff00dccda6864ba4b3028953d4af9439ericssoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/glR_-VOHoKRztBOCutUix1Aisl8>
Subject: [saag] CURDLE WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 18:35:39 -0000

--_000_ff00dccda6864ba4b3028953d4af9439ericssoncom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Curdle did not meet at IETF102. The WG has two remaining documents that are
in WGLC. All documents are expected to be sent to the IESG in August.
Yours,
Rich and Daniel

--_000_ff00dccda6864ba4b3028953d4af9439ericssoncom_--


From nobody Wed Jul 18 12:52:36 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E97ED130E4C for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 12:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HhjldDOdc1wR for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 12:52:33 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47B2A130FD3 for <saag@ietf.org>; Wed, 18 Jul 2018 12:52:33 -0700 (PDT)
X-AuditID: 1209190d-1dbff70000002f1e-2f-5b4f9a7f1a35
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id 25.04.12062.08A9F4B5; Wed, 18 Jul 2018 15:52:32 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w6IJqUXh001052; Wed, 18 Jul 2018 15:52:31 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6IJqPH3007273 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Jul 2018 15:52:29 -0400
Date: Wed, 18 Jul 2018 14:52:25 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: IETF SAAG <saag@ietf.org>
Message-ID: <20180718195225.GR11539@kduck.kaduk.org>
References: <349B5779-0367-4334-B8DD-D4BC1B374951@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <349B5779-0367-4334-B8DD-D4BC1B374951@vpnc.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IfruwJVpU35Hfr2iZ-rYWdhesPg>
Subject: Re: [saag] Agenda for IETF 102?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 19:52:35 -0000

On Wed, Jul 18, 2018 at 01:04:48PM -0400, Paul Hoffman wrote:
> Is there an agenda for tomorrow?

There is now (thanks, Ekr!).

-Ben


From nobody Wed Jul 18 13:42:50 2018
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EEBF130EA5 for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 13:42:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QneYiYXnBIRd for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 13:42:47 -0700 (PDT)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 189AD130E21 for <saag@ietf.org>; Wed, 18 Jul 2018 13:42:47 -0700 (PDT)
Received: by mail-io0-x233.google.com with SMTP id l14-v6so5237363iob.7 for <saag@ietf.org>; Wed, 18 Jul 2018 13:42:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=to:from:subject:message-id:date:user-agent:mime-version :content-language; bh=TVNxzHQp3dnLqN/fXi/exEWB0vysZFlQ8+IpAXh0L0k=; b=mZ5BDZzSCvZQJSPJy030rDVmHyS5x+4C/MmTlYv4ydzo2qDU3y7QyOFIaMNZbHYYQE 6/J3Gi4AIcq17/9KHxX8k0spjvLggVCkfsY5hueXbrK2C8u8wMlMmPb9lSbEGBLRe4sP /WhFwCaZSxvXHGkUnVrxE1FCkvOBYN/f55VComZ3FqCYO9DbKQ9kym4xqEo6/rdFnKZJ VL24LpWkIzFQsIDdg6+oJ4hAvQKp72aJj8Efo2g9uBPYsIkDI0eoYtEG4NoaskkP4D+o nInbeHfwhdypf4HD8cCji0p5lZFk5WvEOmNVQs66cdLA9yiE4NRBGVxX2t/bCTOXkacr y3jg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-language; bh=TVNxzHQp3dnLqN/fXi/exEWB0vysZFlQ8+IpAXh0L0k=; b=d/TjhLzUXoNbTIwvbKtsoeo1jMWJTvevSgAc9Nhs97Xkj8rRXNkbhizpxZr4XXfbkM ac5/eT9MlxDmdkPAxmxqHFs0Ef0yrc75nTi0pLLLvAZBRkGHfpzvxUHohgHCs8ka27vU 7AlYclv6kVocBIhYo63P4qADaoF1BMOctvqN/ZU3uvxzHXhEbUERrVkvFw0XTOSfLije IslvAeJKcCTCN+y4QtE/oNgSAUD97NsEOqto0YuWXeejAbvxdBbFjdetny2SdEW+ODXN vwNmArPbYZJ3rIpgXE+TwqlIXYYzq/vRX3Et/jDixYpJqswaz2ruWDgiqyepMbsQdIlk QnvA==
X-Gm-Message-State: AOUpUlF8EudkFfn+T7BxyQpHLGCdFlmv/6OAhLHHTIrJP1L15NCN38+C UZ+PQOAXkdbAJYEvQkInVnDBpqt/
X-Google-Smtp-Source: AA+uWPwb5SDNnuKYiGyC1UGQHXekizhB6xS1df2wpQeBi6THoV+kQPsiyKGU6cmGOb81dIuuJpX0eg==
X-Received: by 2002:a6b:cf05:: with SMTP id o5-v6mr6321832ioa.245.1531946566270;  Wed, 18 Jul 2018 13:42:46 -0700 (PDT)
Received: from ?IPv6:2001:67c:1232:144:9c0e:63d5:c742:f99a? ([2001:67c:1232:144:9c0e:63d5:c742:f99a]) by smtp.gmail.com with ESMTPSA id j137-v6sm1845360ita.27.2018.07.18.13.42.45 for <saag@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 18 Jul 2018 13:42:45 -0700 (PDT)
To: saag@ietf.org
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <336db6b5-3b0e-0fd7-8a87-c216eac0bd82@gmail.com>
Date: Wed, 18 Jul 2018 16:42:44 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------D0EFC34117B5E8D44284AF24"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/kNBE9IVzKN63yaX-feK10Hi5uzo>
Subject: [saag] SecEvent WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 20:42:49 -0000

This is a multi-part message in MIME format.
--------------D0EFC34117B5E8D44284AF24
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

SecEvent will be meeting on Friday.

The baseline SET (security event token) specification, our first 
document, was published since London as RFC 8417. The group is working 
on two documents about delivery of SETs, and those will be discussed on 
Friday.

--------------D0EFC34117B5E8D44284AF24--


From nobody Wed Jul 18 14:44:22 2018
Return-Path: <kivinen@iki.fi>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 265AF131094 for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 14:44:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.12
X-Spam-Level: 
X-Spam-Status: No, score=-1.12 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SlwuZCNarR2k for <saag@ietfa.amsl.com>; Wed, 18 Jul 2018 14:44:17 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43A34131060 for <saag@ietf.org>; Wed, 18 Jul 2018 14:44:17 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w6ILiEph000602 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <saag@ietf.org>; Thu, 19 Jul 2018 00:44:14 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w6ILiEQf000683; Thu, 19 Jul 2018 00:44:14 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23375.46254.178468.201419@fireball.acr.fi>
Date: Thu, 19 Jul 2018 00:44:14 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: saag@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 4 min
X-Total-Time: 4 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/qpR8d06rcT_T1ME-nXHRR0K4a-4>
Subject: [saag] IPsecME WG Summary from IETF 102
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2018 21:44:20 -0000

The IPsecME WG met on Wednesday afternoon. We had hopefully resolved
the issues the AD had about the split-dns, and all other old items
should be ready soon. We did have some presentations and discussions
about new items in the new charter, i.e., IKE_AUX, Postquantum Key
Exchange, Diet ESP, Labeled IPsec.

In addition to those, we had a presentation about Controller IKE, which
is not really using IKE, so it is outside the scope of the WG.

Here is the latest status update from the datatracker:
https://datatracker.ietf.org/group/ipsecme/about/status/
----------------------------------------------------------------------
EdDSA is in the RFC editor queue. Publication requested has been
issued for Split DNS, and now the AD comments should be resolved.
Implicit IV is past WGLC, and should be ready for publication really
soon now (waiting for writeup). Quantum resistance is currently in
WGLC. Rechartering is now in the IESG and should be finished soon.

We have already started working on some of the new items in the new
charter, i.e., ESP compression, Post-quantum key exchanges (including
making IKE_AUX exchange to allow transporting large objects before
IKE_AUTH exchange) etc.
-- 
kivinen@iki.fi


From nobody Thu Jul 19 06:37:36 2018
Return-Path: <david.waltermire@nist.gov>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EABC130E25 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 06:37:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level: 
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xbbSesv_guNU for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 06:37:32 -0700 (PDT)
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (mail-dm2gcc01on0122.outbound.protection.outlook.com [23.103.201.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38AF5130E0D for <saag@ietf.org>; Thu, 19 Jul 2018 06:37:32 -0700 (PDT)
Received: from BL0PR0901MB2306.namprd09.prod.outlook.com (52.132.18.148) by BL0PR0901MB2307.namprd09.prod.outlook.com (52.132.18.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.973.16; Thu, 19 Jul 2018 13:37:30 +0000
Received: from BL0PR0901MB2306.namprd09.prod.outlook.com ([fe80::d015:c4b9:a7a2:b5a5]) by BL0PR0901MB2306.namprd09.prod.outlook.com ([fe80::d015:c4b9:a7a2:b5a5%3]) with mapi id 15.20.0973.018; Thu, 19 Jul 2018 13:37:30 +0000
From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: SUIT WG Report
Thread-Index: AQHUH2Q3tinwLnDXm0KMKmXs0cipBg==
Date: Thu, 19 Jul 2018 13:37:30 +0000
Message-ID: <BL0PR0901MB230684CC9D97EDA27CE37FBBF0520@BL0PR0901MB2306.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=david.waltermire@nist.gov; 
x-originating-ip: [129.6.219.66]
x-ms-publictraffictype: Email
Content-Type: multipart/alternative; boundary="_000_BL0PR0901MB230684CC9D97EDA27CE37FBBF0520BL0PR0901MB2306_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 1835dc87-8320-4711-5f4f-08d5ed7cc692
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jul 2018 13:37:30.4908 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR0901MB2307
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ppXeTdrB2X8WjpNsIQgWxi84x44>
Subject: [saag] SUIT WG Report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 13:37:35 -0000

--_000_BL0PR0901MB230684CC9D97EDA27CE37FBBF0520BL0PR0901MB2306_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

The SUIT WG met on Wednesday morning. The presentations and related
discussion largely focused on maturing the SUIT architecture [1] and
information model [2] WG drafts. These drafts are improving quickly and
will hopefully be ready for WGLC around IETF 103.

There was also discussion of the SUIT manifest CBOR data model [3] and an
update on the SUIT hackathon activity [4].

The WG is planning to hold a virtual interim in late September to make
progress on the CBOR manifest format and to wrap up any remaining issues
on the architecture and information model drafts before WGLC.

[1] https://datatracker.ietf.org/doc/draft-ietf-suit-architecture/
[2] https://datatracker.ietf.org/doc/draft-ietf-suit-information-model/
[3] https://datatracker.ietf.org/doc/draft-moran-suit-manifest/
[4] https://datatracker.ietf.org/meeting/102/materials/slides-102-suit-hackathon-report-00



--_000_BL0PR0901MB230684CC9D97EDA27CE37FBBF0520BL0PR0901MB2306_--


From nobody Thu Jul 19 07:52:06 2018
Return-Path: <joe@salowey.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16A97130FD9 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 07:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvCE4HEkzOVi for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 07:51:56 -0700 (PDT)
Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63D7E1310CA for <saag@ietf.org>; Thu, 19 Jul 2018 07:51:56 -0700 (PDT)
Received: by mail-qt0-x22f.google.com with SMTP id d4-v6so7399990qtn.13 for <saag@ietf.org>; Thu, 19 Jul 2018 07:51:56 -0700 (PDT)
X-Received: by 2002:a0c:f20b:: with SMTP id h11-v6mr11135829qvk.190.1532011915365;  Thu, 19 Jul 2018 07:51:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:aed:3aa7:0:0:0:0:0 with HTTP; Thu, 19 Jul 2018 07:51:34 -0700 (PDT)
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 19 Jul 2018 10:51:34 -0400
Message-ID: <CAOgPGoBLj4_chSkdv=698FXNqJ+uY9hGxtMKX7URtef3qFkz3A@mail.gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary="00000000000001e17c05715b5200"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Kv-8pxbkTnI42hDuIZTR3-1MsIg>
Subject: [saag] EMU working group Summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 14:52:04 -0000

--00000000000001e17c05715b5200
Content-Type: text/plain; charset="UTF-8"

EMU will meet on Friday morning.  We will be discussing working group
documents on using EAP-TLS with TLS with and improvements to EAP-AKA'.  We
will also discuss PFS enhancements to EAP-AKA' and problems using large
certificates with EAP-TLS.   In addition, we will have a presentation on
TEAP and BRSKI.

--00000000000001e17c05715b5200--


From nobody Thu Jul 19 08:35:39 2018
Return-Path: <takeshi_takahashi@nict.go.jp>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEFB3130E63 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 08:35:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level: 
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9qb75ZASl6AA for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 08:35:34 -0700 (PDT)
Received: from ns1.nict.go.jp (ns1.nict.go.jp [IPv6:2001:df0:232:300::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AB1D130D7A for <saag@ietf.org>; Thu, 19 Jul 2018 08:35:33 -0700 (PDT)
Received: from gw1.nict.go.jp (gw1.nict.go.jp [133.243.18.250]) by ns1.nict.go.jp  with ESMTP id w6JFZXwX079281 for <saag@ietf.org>; Fri, 20 Jul 2018 00:35:33 +0900 (JST)
Received: from mail2.nict.go.jp (mail2.nict.go.jp [133.243.18.15]) by gw1.nict.go.jp  with ESMTP id w6JFZXPF079238 for <saag@ietf.org>; Fri, 20 Jul 2018 00:35:33 +0900 (JST)
Received: from LAPTOP9DLCDU5S (ssh1.nict.go.jp [133.243.3.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.nict.go.jp (NICT Mail Spool Server2) with ESMTPS id B5CCF111BA for <saag@ietf.org>; Fri, 20 Jul 2018 00:35:32 +0900 (JST)
From: "Takeshi Takahashi" <takeshi_takahashi@nict.go.jp>
To: <saag@ietf.org>
Date: Fri, 20 Jul 2018 00:35:33 +0900
Message-ID: <745e01d41f76$229a5a50$67cf0ef0$@nict.go.jp>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_745F_01D41FC1.9283B000"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdQfdaU+QWjAn1ubSfODivOqkCJAkQ==
Content-Language: ja
X-Virus-Scanned: clamav-milter 0.99.4 at zenith1
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/_U8awQ5H5cDwSQd7BtNOfrgmK78>
Subject: [saag] MILE WG report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 15:35:37 -0000

This is a multipart message in MIME format.

------=_NextPart_000_745F_01D41FC1.9283B000
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

MILE met at IETF102 at 09:30 on Thursday.
There were about 25 attendees in the room.
We have discussed the progress and issues of the three working group drafts.
In addition to that, we have discussed the RFC7970 errata and the necessity
of rechartering.

As a result of discussion, we have agreed upon the following milestones.
draft-ietf-mile-xmpp-grid: December 2018 [1]
draft-ietf-mile-jsoniodef: December 2018 [2]
draft-ietf-mile-rolie-csirt: April 2019. [3]

We have also agreed upon considering rechartering so that MILE can cope with
various threat intelligence information, such as STIX, over ROLIE. Further
discussion will be done on the mailing list.

[1] https://www.ietf.org/archive/id/draft-ietf-mile-xmpp-grid-06.txt
[2] https://www.ietf.org/archive/id/draft-ietf-mile-jsoniodef-04.txt
[3] https://www.ietf.org/archive/id/draft-ietf-mile-rolie-csirt-00.txt


------=_NextPart_000_745F_01D41FC1.9283B000--


From nobody Thu Jul 19 08:54:39 2018
Return-Path: <joe@salowey.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36B3C130E19 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 08:54:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dgca2RpiwUTJ for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 08:54:34 -0700 (PDT)
Received: from mail-qt0-x22b.google.com (mail-qt0-x22b.google.com [IPv6:2607:f8b0:400d:c0d::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26E27130E17 for <saag@ietf.org>; Thu, 19 Jul 2018 08:54:34 -0700 (PDT)
Received: by mail-qt0-x22b.google.com with SMTP id t5-v6so7623116qtn.3 for <saag@ietf.org>; Thu, 19 Jul 2018 08:54:34 -0700 (PDT)
X-Received: by 2002:a0c:f20b:: with SMTP id h11-v6mr11393843qvk.190.1532015672890;  Thu, 19 Jul 2018 08:54:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:aed:3aa7:0:0:0:0:0 with HTTP; Thu, 19 Jul 2018 08:54:12 -0700 (PDT)
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 19 Jul 2018 11:54:12 -0400
Message-ID: <CAOgPGoDyt+Az2Hy7o-A5HqqCRK6RiK48-YW0sA6LEU2JcTOaCA@mail.gmail.com>
To: saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000f92b0b05715c3121"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/QTPtQb8ZrZ94ejYMpO1GJ-Bsjks>
Subject: [saag] TLS Meeting summary for IETF 102
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 15:54:36 -0000

--000000000000f92b0b05715c3121
Content-Type: text/plain; charset="UTF-8"

TLS is meeting in two sessions this IETF on Monday afternoon and Thursday
evening.  TLS 1.3 is currently in Auth48.  We had some presentations of TLS
1.3 deployment numbers which showed TLS 1.3 is already measurable on the
Internet.  We had discussion on deprecating TLS 1.0 and TLS 1.1, there is
support, but it will take time.  Exported authenticators needs a slight
revision and will then be ready for WGLC.  We are bringing the DNSSEC chain
extension draft back into the working group.  We had some good discussions
at the IETF this week that will hopefully pave the way forward for the
document.  Other topics discussed were DTLS connection IDs, delegated
credentials and layered exported authenticators.   On Thursday we will talk
about Encrypted SNI, Ticket Requests, certificate authentication with
external PSK, and TLS usage with PAKEs.


--000000000000f92b0b05715c3121--


From nobody Thu Jul 19 09:34:59 2018
Return-Path: <linuxwolf+ietf@outer-planes.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7961A130E63 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 09:34:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level: 
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outer-planes-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zPZ8EazVLRv0 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 09:34:55 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16D15130E3D for <saag@ietf.org>; Thu, 19 Jul 2018 09:34:55 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id n84-v6so16089221oib.9 for <saag@ietf.org>; Thu, 19 Jul 2018 09:34:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outer-planes-net.20150623.gappssmtp.com; s=20150623; h=sender:to:from:subject:openpgp:autocrypt:message-id:date:user-agent :mime-version; bh=tm7GhYxwPXrxxvsXfkT1lINzcGtW+UXTe2dgAY2QZHs=; b=QwFAktLuoq3rCuxojoI7UyyZKCgPgSh9p7stIOvrnT+un2XSFpyCb7ymu6KTWEJ3hF haSK5mLIfWDBQ2dn99RosWRGJc9HSICDkSaAcmk9NVx065BB9N76nAuGas0rvez6rEgg C60X5hIUkcibAQ9bFZVb6xy9SbX9MqIoh6jct1NdnaN6OVfreIKhssJ5PyBmCM+SoYvS a57uJe+/fz15ea6TpJJ3Dle17JGw52x49IP8AwMcXtzYgTsJPTAxI/IhnPh5Utwy2lhc Jd8lybRdqRle7hdMRa1NDfMq+5nkQsQzJs4E9w2Dn/Ys1Ln28WzjDS2A9MilhDuGvCM2 iL9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:to:from:subject:openpgp:autocrypt :message-id:date:user-agent:mime-version; bh=tm7GhYxwPXrxxvsXfkT1lINzcGtW+UXTe2dgAY2QZHs=; b=e+5rU1hUt/pF4n1lrspfyvxQp03HDttMtFgZ0ufDNKkKTtTqFZftTkspoq0SgzGUy9 ugwTcPMmVK+lMku2UKuAuug7ZqArnGJv/XW5+rySKgKUcBNGfHdRr4HuPQ2b+xquXMix RHG7VpsIUhF38M67s3yFG1AtgU3cHlQ5diN15yc+Zzb/RFV4x7drr97/wvZ+JgdMdr9h hEG/AhfGgsvNOrK3g3mkwtlQQ4NBZQohX64A+JHzInzpfUyeJGuqV51QV9Zf69KuavIV /gNJjzEslpr3m7d7G5qTMAyprYSFz34SxtRh1Dh24TxQfHjRlrnsA9a+2U2tjIthgnJR 57Ig==
X-Gm-Message-State: AOUpUlGESoIFZ7xfhGqsNOjGiYpHAugslRAxb5x972/tIwqUGywfo968 H+IAOxm9g+/QcziUzYKKf4Pr3Ve4cRTyYA==
X-Google-Smtp-Source: AAOMgpfsJUI5GT+KP9YU6D/O8VfY8AAA3Xxx1cTh0MOnNWdM7w1Q8eD+mVmDDON4BznAGrNMV1Nhjg==
X-Received: by 2002:aca:4e4d:: with SMTP id c74-v6mr11109060oib.16.1532018094035;  Thu, 19 Jul 2018 09:34:54 -0700 (PDT)
Received: from [192.168.43.237] ([172.56.13.175]) by smtp.gmail.com with ESMTPSA id p132-v6sm4595688oia.31.2018.07.19.09.34.53 for <saag@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 19 Jul 2018 09:34:53 -0700 (PDT)
Sender: Matthew Miller <linuxwolf@outer-planes.net>
To: saag@ietf.org
From: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
Openpgp: preference=signencrypt
Message-ID: <d9fbe98e-57ed-a8e7-436c-8e3988016424@outer-planes.net>
Date: Thu, 19 Jul 2018 12:34:42 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="L8ho4gJ2WGB7LkMiVxYjl1POpMcfViQLv"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/rcSdPkP5MLGo_xnuQ4YnCSCscT8>
Subject: [saag] KITTEN WG Report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 16:34:58 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--L8ho4gJ2WGB7LkMiVxYjl1POpMcfViQLv
Content-Type: multipart/mixed; boundary="3IBhoujRVD2ADlPf907l4InE2QeHdbD11";
 protected-headers="v1"
From: "Matthew A. Miller" <linuxwolf+ietf@outer-planes.net>
To: saag@ietf.org
Message-ID: <d9fbe98e-57ed-a8e7-436c-8e3988016424@outer-planes.net>
Subject: KITTEN WG Report

--3IBhoujRVD2ADlPf907l4InE2QeHdbD11
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

The kitten working group is not meeting in Montreal.  It was hibernating
as we searched for chairs, which we now have!  Robbie Harwood and Roland
Dowdeswell have stepped up to co-chair kitten; Matthew Miller will
remain for a time to advise them as they get up to speed.


-- 
- m&m

Matthew A. Miller


--3IBhoujRVD2ADlPf907l4InE2QeHdbD11--

--L8ho4gJ2WGB7LkMiVxYjl1POpMcfViQLv--


From nobody Thu Jul 19 10:25:13 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70433130E16 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 10:25:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5alA8HWCFN83 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 10:25:11 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4E64130DC6 for <saag@ietf.org>; Thu, 19 Jul 2018 10:25:10 -0700 (PDT)
X-AuditID: 1209190e-1afff70000002b4b-a5-5b50c97518c1
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 39.58.11083.579C05B5; Thu, 19 Jul 2018 13:25:09 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w6JHP8IY013503 for <saag@ietf.org>; Thu, 19 Jul 2018 13:25:08 -0400
Received: from mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6JHP4n1016776 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <saag@ietf.org>; Thu, 19 Jul 2018 13:25:07 -0400
Date: Thu, 19 Jul 2018 12:25:05 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: saag@ietf.org
Message-ID: <20180719172504.GP79497@mit.edu>
References: <4A95BA014132FF49AE685FAB4B9F17F66B0D08AA@sjceml521-mbx.china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B0D08AA@sjceml521-mbx.china.huawei.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3q7jqnCUkO3LmnHeB-U7PlJ5zjY>
Subject: [saag] Fwd: I2NSF WG summary of IETF102
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 17:25:13 -0000

On Thu, Jul 19, 2018 at 03:57:18PM +0000, Linda Dunbar wrote:
> 
> I2NSF WG met on Wed. The focus of this meeting is to flush out SDN controlled IPsec, especially in an environment where there is already a secure connection between Device (NSF) and Controller, on information models exchanged between NSF & controller (such as Peer Authentication information, configuration attributes, etc.).
> The WG agreed to merge information model and data model for Registration Interface, and to address operational issue. The WG agreed to change the proposed milestone.
> 


From nobody Thu Jul 19 10:28:42 2018
Return-Path: <odonoghue@isoc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07B35130EA8 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 10:28:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MSoy64BCGaf4 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 10:28:37 -0700 (PDT)
Received: from NAM04-SN1-obe.outbound.protection.outlook.com (mail-eopbgr700064.outbound.protection.outlook.com [40.107.70.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BDDD130DC6 for <saag@ietf.org>; Thu, 19 Jul 2018 10:28:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=drzA6ztjXPRuHJskX0xVt1CTZQCmsNmdLlujKsiHCn0=; b=DavmnqKtSUmmBEHoZfj/6gIJz1WnITwuTCEbhaCvIBTYf87tBvMDo63LKbHnYEvLiuGNhhDz4UAzfMP9QvRC6OYCmENFoQ0U+MEQaOzSEtCp/vKwoHBjDtIBZ6BQZaw5VRYlC1ZwaUwMlK9BGshdyxH1NlWt4TFNCOhxmG11/Nk=
Received: from DM2PR06MB909.namprd06.prod.outlook.com (10.141.178.27) by DM2PR06MB414.namprd06.prod.outlook.com (10.141.102.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.952.19; Thu, 19 Jul 2018 17:28:34 +0000
Received: from DM2PR06MB909.namprd06.prod.outlook.com ([fe80::597:b100:1769:f7f7]) by DM2PR06MB909.namprd06.prod.outlook.com ([fe80::597:b100:1769:f7f7%3]) with mapi id 15.20.0973.016; Thu, 19 Jul 2018 17:28:34 +0000
From: Karen O'Donoghue <odonoghue@isoc.org>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: SACM WG report @ IETF 102
Thread-Index: AQHUH4Xr9Cah9icNW0GQdnOKJ4v4Rg==
Date: Thu, 19 Jul 2018 17:28:33 +0000
Message-ID: <6D7725F3-62EB-40B4-BE7A-9FB51D32416F@isoc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=odonoghue@isoc.org; 
x-originating-ip: [2001:67c:1232:144:546b:f4a2:84c8:85db]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: dbd2646c-1d70-431a-1692-08d5ed9d0ddb
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:DM2PR06MB414; 
x-ms-traffictypediagnostic: DM2PR06MB414:
x-microsoft-antispam-prvs: <DM2PR06MB414016B1A7588EF56A9EDD8C2520@DM2PR06MB414.namprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(120809045254105);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(3231311)(944501410)(52105095)(10201501046)(149027)(150027)(6041310)(20161123558120)(20161123560045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:DM2PR06MB414; BCL:0; PCL:0; RULEID:; SRVR:DM2PR06MB414; 
x-forefront-prvs: 0738AF4208
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(376002)(396003)(39840400004)(366004)(136003)(199004)(189003)(82746002)(99286004)(305945005)(2501003)(36756003)(2906002)(97736004)(5250100002)(5640700003)(5660300001)(25786009)(6436002)(256004)(6306002)(2900100001)(6116002)(6486002)(316002)(83716003)(7736002)(6512007)(2351001)(14454004)(478600001)(46003)(6506007)(8936002)(6916009)(86362001)(186003)(1730700003)(102836004)(486006)(81156014)(68736007)(33656002)(81166006)(8676002)(966005)(105586002)(476003)(2616005)(106356001)(53936002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM2PR06MB414; H:DM2PR06MB909.namprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <D885B8D34DB5E041B9D144AF687BAF6B@namprd06.prod.outlook.com>
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-Network-Message-Id: dbd2646c-1d70-431a-1692-08d5ed9d0ddb
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jul 2018 17:28:34.0363 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR06MB414
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/NHeuid3FfdoHO5liSSlGnxEpBnw>
Subject: [saag] SACM WG report @ IETF 102
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 17:28:40 -0000

The SACM WG will meet at 11:50 am tomorrow (Friday)

We have a recently published RFC …
RFC 8452 Software Inventory Message and Attributes (SWIMA) for PA-TNC
https://datatracker.ietf.org/doc/rfc8412/

The agenda for Friday will include terminology, architecture, an endpoint compliance profile, concise software identifiers, ROLIE extensions, and data models for network infrastructure devices.


From nobody Thu Jul 19 10:30:10 2018
Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08AFF130F67 for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 10:30:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level: 
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Qp5SRPGiGbp for <saag@ietfa.amsl.com>; Thu, 19 Jul 2018 10:29:59 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00041.outbound.protection.outlook.com [40.107.0.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C83E7130FD6 for <saag@ietf.org>; Thu, 19 Jul 2018 10:29:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com;  s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=IY4WFs97SazVvOVlAmgCIK8Sh1dEC9d5HXTGbMIU6wA=; b=V1cumRwo+xCO7qU1fRreflXz9TZgPbdPU990bnZRDAvMlsoZWelJu6VUXsGBcvdXBSSxHZFBmUrdbIBiGsZBhlLha4IEOsVWSxydF9xVXUOz5fidRYEFSfTirXjiNEwm8d4Edm2Ls9QldOvYbKEkPT1BQ8ZOiSsOF8k00OQQmBo=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1565.eurprd08.prod.outlook.com (10.167.210.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.952.18; Thu, 19 Jul 2018 17:29:53 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::3549:bcde:85fc:e3db]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::3549:bcde:85fc:e3db%10]) with mapi id 15.20.0952.021; Thu, 19 Jul 2018 17:29:53 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: OAuth Meeting Report
Thread-Index: AdQfhWL5JbGzYEjPTBaUyem/GAEu9g==
Date: Thu, 19 Jul 2018 17:29:53 +0000
Message-ID: <VI1PR0801MB21126EA82AF761FF4DC0CA25FA520@VI1PR0801MB2112.eurprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com; 
x-originating-ip: [31.133.157.45]
x-ms-publictraffictype: Email
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: e0d8aa0d-4fff-4e19-2e12-08d5ed9d3d2e
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600053)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(48565401081)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1565; 
x-ms-traffictypediagnostic: VI1PR0801MB1565:
x-microsoft-antispam-prvs: <VI1PR0801MB156587275F06FFD9A0BE8CF1FA520@VI1PR0801MB1565.eurprd08.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(192374486261705)(223705240517415)(21748063052155); 
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3002001)(93006095)(93001095)(10201501046)(3231311)(944501410)(52105095)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:VI1PR0801MB1565; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0801MB1565; 
x-forefront-prvs: 0738AF4208
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(396003)(39860400002)(376002)(136003)(366004)(40434004)(53754006)(189003)(199004)(33656002)(2906002)(86362001)(316002)(81156014)(81166006)(8936002)(1730700003)(8676002)(99286004)(5660300001)(7736002)(74316002)(53936002)(66066001)(7116003)(25786009)(476003)(97736004)(5630700001)(2351001)(3480700004)(68736007)(6506007)(186003)(7696005)(102836004)(6916009)(478600001)(14454004)(26005)(106356001)(72206003)(105586002)(3846002)(6116002)(790700001)(55016002)(2900100001)(486006)(5024004)(54896002)(9686003)(5640700003)(6306002)(2501003)(6436002)(5250100002)(256004)(14444005); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1565; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; 
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_VI1PR0801MB21126EA82AF761FF4DC0CA25FA520VI1PR0801MB2112_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e0d8aa0d-4fff-4e19-2e12-08d5ed9d3d2e
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jul 2018 17:29:53.3687 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1565
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/V4VSMXe1K4psHvU338gZpElrMLM>
Subject: [saag] OAuth Meeting Report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 17:30:05 -0000

--_000_VI1PR0801MB21126EA82AF761FF4DC0CA25FA520VI1PR0801MB2112_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi all,

we had two sessions for OAuth this week.

On Tuesday we discussed 'OAuth 2.0 Incremental Authorization' and
'Reciprocal OAuth'. These two specifications recently became OAuth WG
documents. Brian Campbell gave a presentation about 'OAuth 2.0 Token
Binding', which has been in development for some time in the group
already. It is also getting close to completion.

The chairs were working with participants on two shepherd write-ups during
this week for 'OAuth MTLS' and 'JSON Web Token Best Current Practices'.
These two documents will leave the working group any day now. There are
also three documents, namely the 'OAuth 2.0 Device Flow for Browserless and
Input Constrained Devices', the 'OAuth 2.0 Authorization Framework: JWT
Secured Authorization Request (JAR)' and the 'OAuth 2.0 Token Exchange', in
IESG processing right now.

Today we spent some time discussing OAuth Proof-of-Possession tokens, which
turned into a heated discussion: we couldn't agree on the worksplit between
the ACE and the OAuth working groups. Area director guidance will be
needed.

At the end of the meeting John Bradley spoke about OAuth 2.0 Security Best
Current Practice, pointed to two open issues and indicated that the
document will soon be ready for WGLC.

We did calls for adoption of three documents during the meeting with
positive feedback from the participants in the room, namely
 * Distributed OAuth
 * Resource Indicators for OAuth 2.0
 * JWT Response for OAuth Token Introspection

We will confirm the call on the mailing list this week.

Ciao
Hannes

--_000_VI1PR0801MB21126EA82AF761FF4DC0CA25FA520VI1PR0801MB2112_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<body lang=3D"EN-GB" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">Hi all, <o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">we had two sessions for OAuth this week. <o:p></o:p>=
</p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">On Tuesday we discussed &#8216;OAuth 2.0 Incremental=
 Authorization&#8217; and &#8216;Reciprocal OAuth&#8217;. These two specifi=
cations recently became OAuth WG documents. Brian Campbell gave a presentat=
ion about &#8216;OAuth 2.0 Token Binding&#8217;, which has been in developm=
ent
 for some time in the group already. It is also getting close to completion=
.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">The chairs were working with participants on two she=
pherd write-ups during this week for &#8216;OAuth MTLS&#8217; and &#8216;JS=
ON Web Token Best Current Practices&#8217;. These two documents will leave =
the working group any day now. There are also three documents,
 namely the &#8216;OAuth 2.0 Device Flow for Browserless and Input Constrai=
ned Devices&#8217;, the &#8216;OAuth 2.0 Authorization Framework: JWT Secur=
ed Authorization Request (JAR)&#8217; and the &#8216;OAuth 2.0 Token Exchan=
ge&#8217;, in IESG processing right now.
<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp;<o:p></o:p></p>
<p class=3D"MsoNormal">Today we spent some time discussing OAuth Proof-of-P=
ossession tokens, which turned into a heated discussion: we couldn't agree =
on the worksplit between the ACE and the OAuth working groups. Area directo=
r guidance will be needed.
<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">At the end of the meeting John Bradley spoke about O=
Auth 2.0 Security Best Current Practice, pointed to two open issues and ind=
icated that the document will soon be ready for WGLC.
<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">We did calls for adoption of three documents during =
the meeting with positive feedback from the participants in the room, namel=
y
<o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp;* Distributed OAuth<o:p></o:p></p>
<p class=3D"MsoNormal">* Resource Indicators for OAuth 2.0 <o:p></o:p></p>
<p class=3D"MsoNormal">&nbsp;* JWT Response for OAuth Token Introspection <=
o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">We will confirm the call on the mailing list this we=
ek. <o:p>
</o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Ciao<o:p></o:p></p>
<p class=3D"MsoNormal">Hannes <o:p></o:p></p>
</div>
IMPORTANT NOTICE: The contents of this email and any attachments are confid=
ential and may also be privileged. If you are not the intended recipient, p=
lease notify the sender immediately and do not disclose the contents to any=
 other person, use it for any purpose,
 or store or copy the information in any medium. Thank you.
</body>
</html>

--_000_VI1PR0801MB21126EA82AF761FF4DC0CA25FA520VI1PR0801MB2112_--


From nobody Thu Jul 19 10:30:28 2018
From: Sean Turner <sean@sn3rd.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Message-Id: <6D8271D9-4084-4191-B876-960B3CEA6076@sn3rd.com>
Date: Thu, 19 Jul 2018 13:30:07 -0400
To: saag@ietf.org
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/4om0l5P5XnLghp5VASFKC2K_kmM>
Subject: [saag] MLS WG summary for IETF 102

The MLS WG met for the first time.  The sense of the room was that
draft-omara-mls-architecture and draft-barnes-mls-protocol were both
candidates for adoption; this is to be confirmed on list by 3 August.
There are plenty of issues still outstanding though.  An interim is also
being considered.

spt


From nobody Thu Jul 19 10:31:03 2018
To: "saag@ietf.org" <saag@ietf.org>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Openpgp: preference=signencrypt
Message-ID: <290871df-f0a3-3d2c-1e89-f874b9c32e76@isode.com>
Date: Thu, 19 Jul 2018 18:30:55 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/hwEZMHQvDlIFmCCGYaS3lcP35qc>
Subject: [saag] CFRG report for SAAG

CFRG met for 1 hour on Tuesday, July 17th. 4 documents are waiting for
Chairs' action, all 4 were reviewed by document shepherds recently. All
comments will be sent to the mailing list soon.

The RG heard updates on "Hashing to Elliptic Curves"
(draft-irtf-cfrg-hash-to-curve), "Verifiable Random Functions"
(draft-irtf-cfrg-vrf) and "Randomness Improvements for Security
Protocols" (draft-irtf-cfrg-randomness-improvements). These were well
received and there was a proposal to regularize some primitives and
terminology which is similar across these documents.

There was a presentation on possible new work on OPAQUE password
protocol (augmented PAKE) by Hugo Krawczyk and a followup presentation
by Benoît Viguier about KangarooTwelve.


From nobody Thu Jul 19 10:32:14 2018
From: Alexey Melnikov <alexey.melnikov@isode.com>
To: "saag@ietf.org" <saag@ietf.org>
References: <290871df-f0a3-3d2c-1e89-f874b9c32e76@isode.com>
Openpgp: preference=signencrypt
Message-ID: <702eb11e-440a-aaae-b3f1-c976446ba118@isode.com>
Date: Thu, 19 Jul 2018 18:32:10 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
In-Reply-To: <290871df-f0a3-3d2c-1e89-f874b9c32e76@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/az3WQKSN-ISYobo11MnDPZRdzR0>
Subject: Re: [saag] CFRG report for SAAG

On 19/07/2018 18:30, Alexey Melnikov wrote:
> CFRG met for 1 hour on Tuesday, July 17th. 4 documents are waiting for
> Chairs' action, all 4 were reviewed by document shepherds recently. All
> comments will be sent to the mailing list soon.
>
> The RG heard updates on "Hashing to Elliptic Curves"
> (draft-irtf-cfrg-hash-to-curve), "Verifiable Random Functions"
> (draft-irtf-cfrg-vrf) and "Randomness Improvements for Security
> Protocols" (draft-irtf-cfrg-randomness-improvements). These were well
> received and there was a proposal to regularize some primitives and
> terminology which is similar across these documents.
>
> There was a presentation on possible new work on OPAQUE password
> protocol (augmented PAKE) by Hugo Krawczyk and a followup presentation
> by Benoît Viguier about KangarooTwelve.

I forgot one thing: in case you haven't heard yet: CFRG chairs are
looking for a 3rd co-chair.



From nobody Thu Jul 19 10:34:39 2018
To: saag@ietf.org
From: Robert Sparks <rjsparks@nostrum.com>
Message-ID: <1aa5d0cb-e562-547b-46e0-09e83342af6a@nostrum.com>
Date: Thu, 19 Jul 2018 13:34:32 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/WTkmoQCy9FY5QANKS4yf6x6ZBlc>
Subject: [saag] all-status link

This page is way too hard to find, but it's still there:

<https://datatracker.ietf.org/group/all-status/>


From nobody Thu Jul 19 10:40:13 2018
To: "saag@ietf.org" <saag@ietf.org>
From: Paul Wouters <pwouters@redhat.com>
Message-ID: <c867f53a-6135-aab1-bff5-cced1baedad8@redhat.com>
Date: Thu, 19 Jul 2018 13:40:01 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5uUlA5bgOTX_ePv0hZbGYyfwlQo>
Subject: [saag] trans report IETF 102

- Discussed AD review items. Resolved pending some minor text changes
- Discussed 3 new items on 6962bis. We got promises of text to address these shortly (or we will drop these)
- threat document: chairs will make decision to seek publication or not of current version. WG lost energy to guide a stalled process between very few participants.
- All other work is stalled or deadlocked. Will close WG once 6962bis is finished. Any unfinished business will need to spin up new WG.

Paul & Melinda


From nobody Fri Jul 20 14:51:33 2018
From: Bret Jordan <jordan.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B5347F7A-DFEE-4AC1-BEC3-FCA4CC71B7B2"
Mime-Version: 1.0 (Mac OS X Mail 11.4 \(3445.8.2\))
Date: Fri, 20 Jul 2018 17:51:15 -0400
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost>
To: saag@ietf.org
In-Reply-To: <31612.1531750339@localhost>
Message-Id: <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com>
X-Mailer: Apple Mail (2.3445.8.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/w54K2P32iYw_UDzMQj649hDJgXY>
Subject: Re: [saag] stopping (https) phishing

--Apple-Mail=_B5347F7A-DFEE-4AC1-BEC3-FCA4CC71B7B2
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Getting back on topic.  I agree this is a significant problem, one that
needs to be addressed.  While things like LetsEncrypt are great for
trying to get everyone a cert for free, it also means, Threat Actors and
Intrusion Sets can get free certs as well.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that
can not be unscrambled is an egg."

> On Jul 16, 2018, at 10:12 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>
> Ben Laurie <benl=40google.com@dmarc.ietf.org> wrote:
>> No, I mean in the more general sense that it's a way to invoke "the
>> system", guaranteed, no messing.
>
>> It has a noble history of not working very well.
>
>> Windows uses ctl-alt-del as a SAK. It doesn't let you do much, but it
>> is more than login.
>
> Yes, that's just it: it doesn't do that much.
> That's why it was a failure.  Also lack of any kind of tutorial.
> And since it used to reboot the computer, so most people habitually avoid it.
>
> It's probably time to try it again.
>
>>> On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
>>>
>>>
>>>
>>> On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:
>>> Hi,
>>>
>>> I just wrote up some ideas on UI and security that came (back) to me reading
>>> this thread and other interesting papers on security.
>>>
>>> "Phishing in Context -- Epistemology on the screen"
>>> https://medium.com/@bblfish/phishing-in-context-9c84ca451314
>>>
>>> You have reinvented the Secure Attention Key. It hasn't worked out that well, so far.
>>>
>
>> Do you mean what they describe on wikipedia here?
>> https://en.wikipedia.org/wiki/Secure_attention_key
>
>> "A secure attention key (SAK) or secure attention sequence (SAS)
>> is a special key or key combination to be pressed on a computer
>> keyboard before a login screen which must, to the user, be
>> completely trustworthy. The operating system kernel, which
>> interacts directly with the hardware, is able to detect whether
>> the secure attention key has been pressed. When this event is
>> detected, the kernel starts the trusted login processing."
>
>> That would be to authenticate the user of the computer, which is I
>> suppose a
>> predecessor of what the fingerprint button on new MacBook Pro
>> laptops is about
>> (I don't know, as I don't have them). They call it Touch Id
>> https://support.apple.com/en-us/HT207054
>
>> But that is not what I am talking about in the article. There I am
>> speaking of server
>> or application authentication, and I am arguing that to be secure
>> this needs two screens
>> the second screen being what Apple calls the Touch Bar. There is a
>> video here describing it
>> https://youtu.be/DhCJuJoE6wM?t=170
>> But I am sure you'll find many more. (Btw. the new Mac Book Pro is
>> out today!)
>
>> I would guess that parts of the Touch Bar must be OS secured, or
>> else an app could get your fingerprints? In any case I am saying
>> that there should be a couple more buttons on the Touch Bar that
>> are controlled by the OS.
>> 1) the icon of the App that is in the foreground (which would be
>> retrieved from the institutional web of trust)
>> 2) the icon of the favicon of the web page also retrieved from the
>> institutional web of trust
>
>> clicking those would give you more information about the app in 1)
>> and more info about the page in 2).
>> But not just the address of the headquarters, but something a lot
>> richer.....
>
>
>> But I may have misunderstood you...?
>
>> Henry
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-


--Apple-Mail=_B5347F7A-DFEE-4AC1-BEC3-FCA4CC71B7B2--


From nobody Sat Jul 21 01:15:14 2018
Return-Path: <henry.story@bblfish.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8A92130E62 for <saag@ietfa.amsl.com>; Sat, 21 Jul 2018 01:15:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level: 
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bblfish-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bs9uLtXah5CX for <saag@ietfa.amsl.com>; Sat, 21 Jul 2018 01:15:10 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F35E7128CF3 for <saag@ietf.org>; Sat, 21 Jul 2018 01:15:09 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id s9-v6so11459584wmh.3 for <saag@ietf.org>; Sat, 21 Jul 2018 01:15:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bblfish-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=5td/vf9ne9VfI/YNv8CARjuGz0e8y4yDOpV/Jf4sCTA=; b=0XUpKknkpSkA+7mBa6TV6qFlV1wAk4LRwdrjuJt9IS/oRSQjtAk+nKSOuoJTYXdMdL nhtwe2+NRIGK2TSOQaYS6mkNv9cjPtqvz9bwgJtQEK1R1XtJ9UQASZyoyyu+tjJB27/v deKx5xk2dCCrjwmAT8cmJkoFgDV28lS/mJ881gUPwO/bGd4+o0ZozlfKEM0LdTARiOOB nO7NhaSADcPB1GFMdOQEAvBB9a8KRaRaqzHxYGwPEkZSr11NPrC7ZLspVZAiu+ox+yTt xKDRAFMDA2CtYyYffSiy2fmmlLT+vxjIfEZVt+7I+6hG1IMNeDEHnSi+Yj4onA/3e1J8 M/Qw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=5td/vf9ne9VfI/YNv8CARjuGz0e8y4yDOpV/Jf4sCTA=; b=WX3vO5y/ydeMhgOO7oWBP2Mxw6fKBi+VrjM43EIZ3HLZ+ZvpCCPipAVfbJ0MerZomR Cnihr/OSxNcZiSA6Qklegsqx0VqR1FrqA5CpplETVkResl9zuTU94kf+Oa4iVknKcij3 j6FTFIbfCWuLdGH3vnNtY8UaFdGczP3pqZRZLBz80EWeLETH2Tkep6d8PlQ4EWUG9doM mDXGLVsizlcHq17v8diFMoxRzKIuIvoMKkjhvfqJ8oBjaJ+YjWo7Kt7xy5k1w85qV2Y9 +XA1G0HzGS1+t2MueTUV2crJv4X86ZbxPPsNJ+RboMMuUiy4Nm5jFov54wEg9KSfLDGE +RWQ==
X-Gm-Message-State: AOUpUlHt0f9zMsO6drxm/z9InmKLwbuYEby4Jt0fhARtFr1A4RH/+NM4 eHf1ubjr5KVWkYCSK/Z+DTQk4CHF+gj/Kg==
X-Google-Smtp-Source: AAOMgpc2VJ8Bn6T2SKezrkhLg0dW6Ol/eauj2D+4g2Dr1DJAJ7d065zsllh0c5srIAZQDzEl4Ql0zw==
X-Received: by 2002:a1c:e043:: with SMTP id x64-v6mr3377446wmg.58.1532160908180;  Sat, 21 Jul 2018 01:15:08 -0700 (PDT)
Received: from [192.168.43.209] ([92.184.102.26]) by smtp.gmail.com with ESMTPSA id j131-v6sm3763352wmb.35.2018.07.21.01.15.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 21 Jul 2018 01:15:06 -0700 (PDT)
From: Henry Story <henry.story@bblfish.net>
Message-Id: <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6F68F8F4-1465-479E-9B7B-08EBBF7D2CCD"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sat, 21 Jul 2018 10:15:02 +0200
In-Reply-To: <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com>
To: saag@ietf.org
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FAX1jdV6OrTYI219FjM2q6eqk9Q>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Jul 2018 08:15:14 -0000

--Apple-Mail=_6F68F8F4-1465-479E-9B7B-08EBBF7D2CCD
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii



> On 20 Jul 2018, at 23:51, Bret Jordan <jordan.ietf@gmail.com> wrote:
>
> Getting back on topic.  I agree this is a significant problem, one that needs to be addressed.  While things like LetsEncrypt are great for trying to get everyone a cert for free, it also means, Threat Actors and Intrusion Sets can get free certs as well.

Yes, it looks like there is a sea change with regard to use of TLS, which is leading
Chrome next week, according to The Register [1], to stop showing the padlock icon for
secure sites, and instead show a warning for non-https sites, which will further
accelerate the adoption of https, something made possible by LetsEncrypt.

So very soon everyone including the crooks will be behind https :-)
It will be the new default.

From then on the point to point security will have been dealt with (especially
if DANE also gets adopted that far), and all that will remain is the question as to
who am I talking to so securely?

That is the question of the identity of the web site the browser or application
is connected to, indeed the question of the identity of the application controlling
the screen more generally [2].

If one is of a category theoretic mind one will think that the identity of each
object is its position in the network of arrows of the category. But more practically
end users will be interested, for applications or web sites, in knowing what legal
space they are in. For personal web pages we can fall back to the web of trust
we currently have.

That is actually quite a large project, but given that one is dealing with nations
that have the resources, it is quite feasible.

But that was the point of my original post. :-)

Henry

[1] https://www.theregister.co.uk/2018/07/03/google_chrome_http/
[2] The 2015 paper "What is that App? Deceptions and countermeasures
in the Android User Interface"
    https://www.computer.org/csdl/proceedings/sp/2015/6949/00/6949a931-abs.html
I integrated that article in the "Phishing in Context" post this week.

>
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
>> On Jul 16, 2018, at 10:12 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>
>>
>> Ben Laurie <benl=40google.com@dmarc.ietf.org> wrote:
>>> No, I mean in the more general sense that it's a way to invoke "the
>>> system", guaranteed, no messing.
>>
>>> It has a noble history of not working very well.
>>
>>> Windows uses ctl-alt-del as a SAK. It doesn't let you do much, but it
>>> is more than login.
>>
>> Yes, that's just it: it doesn't do that much.
>> That's why it was a failure.  Also lack of any kind of tutorial.
>> And since it used to reboot the computer, so most people habitually avoid it.
>>
>> It's probably time to try it again.
>>
>>>> On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
>>>>
>>>>
>>>>
>>>> On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:
>>>> Hi,
>>>>
>>>> I just wrote up some ideas on UI and security that came (back) to me reading
>>>> this thread and other interesting papers on security.
>>>>
>>>> "Phishing in Context -- Epistemology on the screen"
>>>> https://medium.com/@bblfish/phishing-in-context-9c84ca451314
>>>>
>>>> You have reinvented the Secure Attention Key. It hasn't worked out that well, so far.
>>>>
>>
>>> Do you mean what they describe on Wikipedia here?
>>> https://en.wikipedia.org/wiki/Secure_attention_key
>>
>>> "A secure attention key (SAK) or secure attention sequence (SAS)
>>> is a special key or key combination to be pressed on a computer
>>> keyboard before a login screen which must, to the user, be
>>> completely trustworthy. The operating system kernel, which
>>> interacts directly with the hardware, is able to detect whether
>>> the secure attention key has been pressed. When this event is
>>> detected, the kernel starts the trusted login processing."
>>
>>> That would be to authenticate the user of the computer, which is I
>>> suppose a predecessor of what the fingerprint button on new MacBook Pro
>>> laptops is about (I don't know, as I don't have them). They call it Touch ID
>>> https://support.apple.com/en-us/HT207054
>>
>>> But that is not what I am talking about in the article. There I am
>>> speaking of server or application authentication, and I am arguing that
>>> to be secure this needs two screens, the second screen being what Apple
>>> calls the Touch Bar. There is a video here describing it
>>> https://youtu.be/DhCJuJoE6wM?t=170
>>> But I am sure you'll find many more. (Btw. the new MacBook Pro is
>>> out today!)
>>
>>> I would guess that parts of the Touch Bar must be OS secured, or
>>> else an app could get your fingerprints? In any case I am saying
>>> that there should be a couple more buttons on the Touch Bar that
>>> are controlled by the OS.
>>> 1) the icon of the App that is in the foreground (which would be
>>> retrieved from the institutional web of trust)
>>> 2) the icon of the favicon of the web page also retrieved from the
>>> institutional web of trust
>>
>>> clicking those would give you more information about the app in 1)
>>> and more info about the page in 2).
>>> But not just the address of the headquarters, but something a lot
>>> richer.....
>>
>>
>>> But I may have misunderstood you...?
>>
>>> Henry
>>
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>> -= IPv6 IoT consulting =-


--Apple-Mail=_6F68F8F4-1465-479E-9B7B-08EBBF7D2CCD
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On 20 Jul 2018, at 23:51, Bret Jordan &lt;<a =
href=3D"mailto:jordan.ietf@gmail.com" =
class=3D"">jordan.ietf@gmail.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><meta =
http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii" =
class=3D""><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: =
space; line-break: after-white-space;" class=3D""><div class=3D"">Getting =
back on topic. &nbsp;I agree this is a significant problem, one that =
needs to be addressed. &nbsp;While things like LetsEncrypt are great for =
trying to get everyone a cert for free, it also means, Threat Actors and =
Intrusion Sets can get free certs as =
well.&nbsp;</div></div></div></blockquote><div><br =
class=3D""></div><div>Yes, it looks like there is a sea change with =
regard to use of TLS, which is leading&nbsp;</div><div>Chrome next week =
&nbsp;according to the register [1] to stop showing the padlock icon =
for</div><div>secure sites, and instead show a warning for non-https =
sites, which will further</div><div>accelerate the adoption of https, =
something made possible by LetsEncrypt.</div><div><br =
class=3D""></div><div>So very soon everyone including the crooks will be =
behind https :-)&nbsp;</div><div>It will be the new =
default.</div><div><br class=3D""></div><div>=46rom then on the point to =
point security will have been dealt with (especially&nbsp;</div><div>if =
&nbsp;DANE also gets adopted that far), and all that will remain is the =
question as to</div><div>who am I talking to so securely?</div><div><br =
class=3D""></div><div>That is the question of the identity of the web =
site the browser or application</div><div>is &nbsp;connected to, indeed =
the question of the identity of the application =
controlling</div><div>the screen more generally [2].&nbsp;</div><div><br =
class=3D""></div><div>If one is of a category theoretic mind one will =
think that the identity of each</div><div>object is its position in the =
network of arrows of the category. But more practically</div><div>end =
users will be interested for applications or web site of knowing what =
legal</div><div>space they are in. For personal web pages we can fall =
back to the web of trust</div><div>we currently =
have.&nbsp;</div><div><br class=3D""></div><div>That is actually quite a =
large project, but given that one is dealing with nations</div><div>that =
have the resources, it is quite feasible.</div><div><br =
class=3D""></div><div>But that was the point of my original post. =
:-)&nbsp;</div><div><br class=3D""></div><div>Henry</div><div><br =
class=3D""></div><div>[1] <a =
href=3D"https://www.theregister.co.uk/2018/07/03/google_chrome_http/" =
class=3D"">https://www.theregister.co.uk/2018/07/03/google_chrome_http/</a=
></div><div>[2] The 2015 paper "What is that App? Deceptions and =
countermeasures&nbsp;</div><div>in the Android User =
Interface"&nbsp;</div><div>&nbsp; &nbsp;&nbsp;<a =
href=3D"https://www.computer.org/csdl/proceedings/sp/2015/6949/00/6949a931=
-abs.html" =
class=3D"">https://www.computer.org/csdl/proceedings/sp/2015/6949/00/6949a=
931-abs.html</a></div><div>I integrated that article in the =
&nbsp;"Phishing in Context" post this week.</div><br =
class=3D""><blockquote type=3D"cite" class=3D""><div class=3D""><div =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; line-break: =
after-white-space;" class=3D""><div class=3D""><br class=3D""></div><br =
class=3D""><div class=3D"">
<div style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""><div class=3D"" style=3D"orphans: 2; widows: 2; =
font-variant-ligatures: normal; font-variant-east-asian: normal; =
font-variant-position: normal; line-height: normal; =
-webkit-text-decorations-in-effect: none;"><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-variant-ligatures: normal; font-variant-east-asian: normal; =
font-variant-position: normal; line-height: normal; border-spacing: 0px; =
-webkit-text-decorations-in-effect: none;">Thanks,</span></div><div =
class=3D"" style=3D"orphans: 2; widows: 2; font-variant-ligatures: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
line-height: normal; -webkit-text-decorations-in-effect: none;"><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
font-variant-ligatures: normal; font-variant-east-asian: normal; =
font-variant-position: normal; line-height: normal; text-align: =
-webkit-auto; border-spacing: 0px; -webkit-text-decorations-in-effect: =
none;">Bret</span></div><div class=3D"" style=3D"orphans: 2; widows: =
2;"><span class=3D"Apple-style-span" style=3D"border-collapse: separate; =
text-align: -webkit-auto; border-spacing: 0px;"><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
text-align: -webkit-auto; border-spacing: 0px;"><div class=3D"" =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; line-break: =
after-white-space;"><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; text-align: -webkit-auto; =
border-spacing: 0px;"><div class=3D"" style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;"><span =
class=3D"Apple-style-span" style=3D"border-collapse: separate; =
text-align: -webkit-auto; border-spacing: 0px;"><div class=3D"" =
style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; line-break: =
after-white-space;"><span class=3D"Apple-style-span" =
style=3D"border-collapse: separate; text-align: -webkit-auto; =
border-spacing: 0px;"><div class=3D""><font color=3D"#7c7c7c" =
face=3D"Calibre, Verdana" class=3D"" style=3D"font-variant-ligatures: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
line-height: normal; -webkit-text-decorations-in-effect: none;"><span =
class=3D"" style=3D"font-size: 11px;">PGP =
Fingerprint:&nbsp;</span></font><span class=3D"" style=3D"text-align: =
-webkit-auto; font-size: 11px;"><font color=3D"#7c7c7c" face=3D"Calibre, =
Verdana" class=3D"">63B4 FC53 680A 6B7D 1447 &nbsp;F2C0 74F8 ACAE 7415 =
0050</font></span></div><div class=3D"" style=3D"font-variant-ligatures: =
normal; font-variant-east-asian: normal; font-variant-position: normal; =
line-height: normal; -webkit-text-decorations-in-effect: none;"><span =
class=3D"" style=3D"color: rgb(124, 124, 124); font-size: 8pt; =
font-family: Calibre, Verdana; text-align: -webkit-auto;">"Without =
cryptography vihv vivc ce xhrnrw, however, the only thing that can not =
be unscrambled is an =
egg."</span></div></span></div></span></div></span></div></span></span></d=
iv></div>
</div>
<div class=3D""><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On Jul 16, 2018, at 10:12 AM, Michael Richardson &lt;<a =
href=3D"mailto:mcr+ietf@sandelman.ca" =
class=3D"">mcr+ietf@sandelman.ca</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">Ben Laurie &lt;</span><a =
href=3D"mailto:benl=3D40google.com@dmarc.ietf.org" style=3D"font-family: =
Helvetica; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" =
class=3D"">benl=3D40google.com@dmarc.ietf.org</a><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">&gt; wrote:</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">No, I =
mean in the more general sense that its a way to invoke "the<br =
class=3D"">system", guaranteed, no messing.<br class=3D""></blockquote><br=
 style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">It =
has a noble history of not working very well.<br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">Windows uses ctl-alt-del as a SAK. It =
doesn't let you do much, but it<br class=3D"">is more than login.<br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">Yes, that's just it: it doesn't do that much.</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">That's why it was a failure. =
&nbsp;Also lack of any kind of tutorial.</span><br style=3D"caret-color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; text-align: start; text-indent: 0px; text-transform: none; =
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">And since it used to reboot the computer, so most people =
habitually avoid it.</span><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">It's probably time to try it again.</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" class=3D"">On 15 Jul 2018, at =
22:34, Ben Laurie &lt;<a href=3D"mailto:benl@google.com" =
class=3D"">benl@google.com</a>&gt; wrote:<br class=3D""><br class=3D""><br=
 class=3D""><br class=3D"">On Sun, 15 Jul 2018 at 18:56, Henry Story<br =
class=3D""></blockquote>&lt;<a href=3D"mailto:henry.story@bblfish.net" =
class=3D"">henry.story@bblfish.net</a>&gt; wrote:<br =
class=3D""><blockquote type=3D"cite" class=3D"">Hi,<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><br =
class=3D"">I just wrote up some ideas on UI and security that came =
(back)<br class=3D""></blockquote>to me reading<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><blockquote =
type=3D"cite" class=3D"">this thread and other interesting papers on =
security.<br class=3D""><br class=3D"">"Phishing in Context -- =
Epistemology on the screen"<br class=3D""><a =
href=3D"https://medium.com/@bblfish/phishing-in-context-9c84ca451314" =
class=3D"">https://medium.com/@bblfish/phishing-in-context-9c84ca451314</a=
><br class=3D""><br class=3D"">You have reinvented the Secure Attention =
Key. It hasn't work out<br class=3D""></blockquote>that well, so far.<br =
class=3D""><blockquote type=3D"cite" class=3D""><br =
class=3D""></blockquote></blockquote><br class=3D""><blockquote =
type=3D"cite" class=3D"">Do you mean what they describe on wikipedia =
here ?<br class=3D""><a =
href=3D"https://en.wikipedia.org/wiki/Secure_attention_key" =
class=3D"">https://en.wikipedia.org/wiki/Secure_attention_key</a><span =
class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""></blockquote><br class=3D""><blockquote type=3D"cite" =
class=3D"">"A secure attention key (SAK) or secure attention sequence =
(SAS)<br class=3D"">is a special key or key combination to be pressed =
on a computer<br class=3D"">keyboard before a login screen which must, =
to the user, be<br class=3D"">completely trustworthy. The operating =
system kernel, which<br class=3D"">interacts directly with the =
hardware, is able to detect whether<br class=3D"">the secure attention =
key has been pressed. When this event is<br class=3D"">detected, the =
kernel starts the trusted login processing."<br =
class=3D""></blockquote><br class=3D""><blockquote type=3D"cite" =
class=3D"">That would be to authenticate the user of the computer, =
which is I<br class=3D"">suppose a<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D"">predecessor =
of what the fingerprint button on new MacBook Pro<br class=3D"">laptops =
is about<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">(I don't know, as I don't have them). They call it Touch =
Id<span class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><a =
href=3D"https://support.apple.com/en-us/HT207054" =
class=3D"">https://support.apple.com/en-us/HT207054</a><br =
class=3D""></blockquote><br class=3D""><blockquote type=3D"cite" =
class=3D"">But that is not what I am talking about in the article. =
There I am<br class=3D"">speaking of server<br class=3D"">or =
application authentication, and I am arguing that to be secure<br =
class=3D"">this needs two screens<br class=3D"">the second screen being =
what Apple calls the Touch Bar. There is a<br class=3D"">video here =
describing it<br class=3D""><a =
href=3D"https://youtu.be/DhCJuJoE6wM?t=3D170" =
class=3D"">https://youtu.be/DhCJuJoE6wM?t=3D170</a><br class=3D"">But I =
am sure you'll find many more. (Btw. the new Mac Book Pro is<br =
class=3D"">out today!)<br class=3D""></blockquote><br =
class=3D""><blockquote type=3D"cite" class=3D"">I would guess that =
parts of the Touch Bar must be OS secured, or<br class=3D"">else an app =
could get your fingerprints? In any case I am saying<br class=3D"">that =
there should be a couple more buttons on the Touch Bar that<br =
class=3D"">are controlled by the OS.<br class=3D"">1) the icon of the =
App that is in the foreground ( which would be<br class=3D"">retrieved =
from the institutional web of trust<br class=3D"">2) the icon of the =
favicon of the web page also retrieved from the<br =
class=3D"">institutional web of trust<br class=3D""></blockquote><br =
class=3D""><blockquote type=3D"cite" class=3D"">clickin those would =
give you more information about the app in 1)<br class=3D"">and more =
info about the page in 2).<br class=3D"">But not just the address of =
the headquarters, but something a lot<br class=3D"">richer.....<br =
class=3D""></blockquote><br class=3D""><br class=3D""><blockquote =
type=3D"cite" class=3D"">But I may have misunderstood you...?<br =
class=3D""></blockquote><br class=3D""><blockquote type=3D"cite" =
class=3D"">Henry<br class=3D""></blockquote><br class=3D""><br =
class=3D""><br class=3D""><br class=3D""><br class=3D""><blockquote =
type=3D"cite" =
class=3D"">----------------------------------------------------<br =
class=3D"">Alternatives:<br class=3D""></blockquote><br =
class=3D""><blockquote type=3D"cite" =
class=3D"">----------------------------------------------------<br =
class=3D"">_______________________________________________<br =
class=3D"">saag mailing list<br class=3D""><a =
href=3D"mailto:saag@ietf.org" class=3D"">saag@ietf.org</a><br =
class=3D""><a href=3D"https://www.ietf.org/mailman/listinfo/saag" =
class=3D"">https://www.ietf.org/mailman/listinfo/saag</a><br =
class=3D""></blockquote><br class=3D""><span class=3D"">--<span =
class=3D"Apple-converted-space">&nbsp;</span></span><br =
class=3D""><span class=3D"">Michael Richardson &lt;</span><a =
href=3D"mailto:mcr+IETF@sandelman.ca" =
class=3D"">mcr+IETF@sandelman.ca</a><span class=3D"">&gt;, Sandelman =
Software Works</span><br class=3D""><span class=3D"">-=3D IPv6 IoT =
consulting =3D-</span><br class=3D""><br class=3D""><br class=3D""><br =
class=3D""><span =
class=3D"">_______________________________________________</span><br =
class=3D""><span class=3D"">saag mailing list</span><br class=3D""><a =
href=3D"mailto:saag@ietf.org" class=3D"">saag@ietf.org</a><br =
class=3D""><a href=3D"https://www.ietf.org/mailman/listinfo/saag" =
class=3D"">https://www.ietf.org/mailman/listinfo/saag</a></div></blockquot=
e></div><br =
class=3D""></div>_______________________________________________<br =
class=3D"">saag mailing list<br class=3D""><a =
href=3D"mailto:saag@ietf.org" class=3D"">saag@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/saag<br =
class=3D""></div></blockquote></div><br class=3D""></body></html>=

--Apple-Mail=_6F68F8F4-1465-479E-9B7B-08EBBF7D2CCD--


From nobody Sat Jul 21 05:27:10 2018
Return-Path: <jordan.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-87AF8305-6553-4A8E-93BD-0447AAD0D8E3
Mime-Version: 1.0 (1.0)
From: Bret Jordan <jordan.ietf@gmail.com>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net>
Date: Sat, 21 Jul 2018 08:27:02 -0400
Cc: saag@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net>
To: Henry Story <henry.story@bblfish.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/JPOcRH2VsQbp_1XXyYk1lC7enR8>
Subject: Re: [saag] stopping (https) phishing
List-Id: Security Area Advisory Group <saag.ietf.org>

--Apple-Mail-87AF8305-6553-4A8E-93BD-0447AAD0D8E3
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable

I completely agree.  We need to figure out what we can do and specifically how we can enable better protection for end users.  Having a completely secure and private session is solving just half of the problem.

What do you suggest are the next steps forward?  Clearly we need to do work here.  I would love to see some work done here in the IETF to help with this.

As you have said, attribution is one option. I think it would be good for end users to know if they were connecting to a legally legit establishment or a crime syndicate fronting an Intrusion Set.

Bret

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

> On Jul 21, 2018, at 4:15 AM, Henry Story <henry.story@bblfish.net> wrote:
>
>> On 20 Jul 2018, at 23:51, Bret Jordan <jordan.ietf@gmail.com> wrote:
>>
>> Getting back on topic.  I agree this is a significant problem, one that needs to be addressed.  While things like LetsEncrypt are great for trying to get everyone a cert for free, it also means, Threat Actors and Intrusion Sets can get free certs as well.
>
> Yes, it looks like there is a sea change with regard to use of TLS, which is leading
> Chrome next week according to the register [1] to stop showing the padlock icon for
> secure sites, and instead show a warning for non-https sites, which will further
> accelerate the adoption of https, something made possible by LetsEncrypt.
>
> So very soon everyone including the crooks will be behind https :-)
> It will be the new default.
>
> From then on the point to point security will have been dealt with (especially
> if DANE also gets adopted that far), and all that will remain is the question as to
> who am I talking to so securely?
>
> That is the question of the identity of the web site the browser or application
> is connected to, indeed the question of the identity of the application controlling
> the screen more generally [2].
>
> If one is of a category theoretic mind one will think that the identity of each
> object is its position in the network of arrows of the category. But more practically
> end users will be interested for applications or web site of knowing what legal
> space they are in. For personal web pages we can fall back to the web of trust
> we currently have.
>
> That is actually quite a large project, but given that one is dealing with nations
> that have the resources, it is quite feasible.
>
> But that was the point of my original post. :-)
>
> Henry
>
> [1] https://www.theregister.co.uk/2018/07/03/google_chrome_http/
> [2] The 2015 paper "What is that App? Deceptions and countermeasures
> in the Android User Interface"
>     https://www.computer.org/csdl/proceedings/sp/2015/6949/00/6949a931-abs.html
> I integrated that article in the "Phishing in Context" post this week.
>
>> Thanks,
>> Bret
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>>
>>> On Jul 16, 2018, at 10:12 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>>
>>>
>>> Ben Laurie <benl=40google.com@dmarc.ietf.org> wrote:
>>>> No, I mean in the more general sense that it's a way to invoke "the
>>>> system", guaranteed, no messing.
>>>
>>>> It has a noble history of not working very well.
>>>
>>>> Windows uses ctl-alt-del as a SAK. It doesn't let you do much, but it
>>>> is more than login.
>>>
>>> Yes, that's just it: it doesn't do that much.
>>> That's why it was a failure.  Also lack of any kind of tutorial.
>>> And since it used to reboot the computer, most people habitually avoid it.
>>>
>>> It's probably time to try it again.
>>>
>>>>> On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
>>>>>
>>>>> On Sun, 15 Jul 2018 at 18:56, Henry Story
>>>> <henry.story@bblfish.net> wrote:
>>>>> Hi,
>>>>>
>>>>> I just wrote up some ideas on UI and security that came (back)
>>>> to me reading
>>>>> this thread and other interesting papers on security.
>>>>>
>>>>> "Phishing in Context -- Epistemology on the screen"
>>>>> https://medium.com/@bblfish/phishing-in-context-9c84ca451314
>>>>>
>>>>> You have reinvented the Secure Attention Key. It hasn't worked out
>>>> that well, so far.
>>>>>
>>>
>>>> Do you mean what they describe on wikipedia here ?
>>>> https://en.wikipedia.org/wiki/Secure_attention_key
>>>
>>>> "A secure attention key (SAK) or secure attention sequence (SAS)
>>>> is a special key or key combination to be pressed on a computer
>>>> keyboard before a login screen which must, to the user, be
>>>> completely trustworthy. The operating system kernel, which
>>>> interacts directly with the hardware, is able to detect whether
>>>> the secure attention key has been pressed. When this event is
>>>> detected, the kernel starts the trusted login processing."
>>>
>>>> That would be to authenticate the user of the computer, which is I
>>>> suppose a
>>>> predecessor of what the fingerprint button on new MacBook Pro
>>>> laptops is about
>>>> (I don't know, as I don't have them). They call it Touch Id
>>>> https://support.apple.com/en-us/HT207054
>>>
>>>> But that is not what I am talking about in the article. There I am
>>>> speaking of server
>>>> or application authentication, and I am arguing that to be secure
>>>> this needs two screens
>>>> the second screen being what Apple calls the Touch Bar. There is a
>>>> video here describing it
>>>> https://youtu.be/DhCJuJoE6wM?t=170
>>>> But I am sure you'll find many more. (Btw. the new Mac Book Pro is
>>>> out today!)
>>>
>>>> I would guess that parts of the Touch Bar must be OS secured, or
>>>> else an app could get your fingerprints? In any case I am saying
>>>> that there should be a couple more buttons on the Touch Bar that
>>>> are controlled by the OS.
>>>> 1) the icon of the App that is in the foreground ( which would be
>>>> retrieved from the institutional web of trust
>>>> 2) the icon of the favicon of the web page also retrieved from the
>>>> institutional web of trust
>>>
>>>> clicking those would give you more information about the app in 1)
>>>> and more info about the page in 2).
>>>> But not just the address of the headquarters, but something a lot
>>>> richer.....
>>>
>>>> But I may have misunderstood you...?
>>>
>>>> Henry
>>>
>>>> ----------------------------------------------------
>>>> Alternatives:
>>>
>>>> ----------------------------------------------------
>>>> _______________________________________________
>>>> saag mailing list
>>>> saag@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/saag
>>>
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>> -= IPv6 IoT consulting =-

--Apple-Mail-87AF8305-6553-4A8E-93BD-0447AAD0D8E3
Content-Type: text/html;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

<html><head><meta http-equiv=3D"content-type" content=3D"text/html; charset=3D=
utf-8"></head><body dir=3D"auto">I completely agree. &nbsp;We need to figure=
 what we can do and specifically how we can enable better protection for end=
 users. &nbsp;Having a completely secure and private session is solving just=
 half of the problem. &nbsp;<div><br></div><div>What do you suggest is the n=
ext steps forward? &nbsp;Clearly we need to do work here. &nbsp;I would love=
 to see some work done here in the IETF to help with this. &nbsp;</div><div>=
<br></div><div>As you have said attribution is one option. I think it would b=
e good for end users to know if they were connecting to a legally legit esta=
blishment or a crime syndicate fronting an Intrusion Set.</div><div><br></di=
v><div>Bret&nbsp;<br><br><div id=3D"AppleMailSignature"><span style=3D"backg=
round-color: rgba(255, 255, 255, 0);">Sent from my Commodore 128D</span><div=
><span style=3D"background-color: rgba(255, 255, 255, 0);"><br></span></div>=
<div><span style=3D"background-color: rgba(255, 255, 255, 0);"><font class=3D=
"" style=3D"font-variant-ligatures: normal; font-variant-position: normal; f=
ont-variant-numeric: normal; font-variant-alternates: normal; font-variant-e=
ast-asian: normal; line-height: normal;">PGP Fingerprint:&nbsp;</font><span c=
lass=3D"" style=3D"text-align: -webkit-auto;"><font class=3D"">63B4 FC53 680=
A 6B7D 1447 &nbsp;F2C0 74F8 ACAE 7415 0050</font></span></span></div></div><=
div><br>On Jul 21, 2018, at 4:15 AM, Henry Story &lt;<a href=3D"mailto:henry=
.story@bblfish.net">henry.story@bblfish.net</a>&gt; wrote:<br><br></div><blo=
ckquote type=3D"cite"><div><meta http-equiv=3D"Content-Type" content=3D"text=
/html; charset=3Dus-ascii"><br class=3D""><div><br class=3D""><blockquote ty=
pe=3D"cite" class=3D""><div class=3D"">On 20 Jul 2018, at 23:51, Bret Jordan=
 &lt;<a href=3D"mailto:jordan.ietf@gmail.com" class=3D"">jordan.ietf@gmail.c=
om</a>&gt; wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D=
""><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-asci=
i" class=3D""><div style=3D"word-wrap: break-word; -webkit-nbsp-mode: space;=
 line-break: after-white-space;" class=3D""><div class=3D"">Getting back on t=
opic. &nbsp;I agree this is a significant problem, one that needs to be addr=
essed. &nbsp;While things like LetsEncrypt are great for trying to get every=
one a cert for free, it also means, Threat Actors and Intrusion Sets can get=
 free certs as well.&nbsp;</div></div></div></blockquote><div><br class=3D""=
></div><div>Yes, it looks like there is a sea change with regard to use of T=
LS, which is leading&nbsp;</div><div>Chrome next week &nbsp;according to the=
 register [1] to stop showing the padlock icon for</div><div>secure sites, a=
nd instead show a warning for non-https sites, which will further</div><div>=
accelerate the adoption of https, something made possible by LetsEncrypt.</d=
iv><div><br class=3D""></div><div>So very soon everyone including the crooks=
 will be behind https :-)&nbsp;</div><div>It will be the new default.</div><=
div><br class=3D""></div><div>=46rom then on the point to point security wil=
l have been dealt with (especially&nbsp;</div><div>if &nbsp;DANE also gets a=
dopted that far), and all that will remain is the question as to</div><div>w=
ho am I talking to so securely?</div><div><br class=3D""></div><div>That is t=
he question of the identity of the web site the browser or application</div>=
<div>is &nbsp;connected to, indeed the question of the identity of the appli=
cation controlling</div><div>the screen more generally [2].&nbsp;</div><div>=
<br class=3D""></div><div>If one is of a category theoretic mind one will th=
ink that the identity of each</div><div>object is its position in the networ=
k of arrows of the category. But more practically</div><div>end users will b=
e interested for applications or web site of knowing what legal</div><div>sp=
ace they are in. For personal web pages we can fall back to the web of trust=
</div><div>we currently have.&nbsp;</div><div><br class=3D""></div><div>That=
 is actually quite a large project, but given that one is dealing with natio=
ns</div><div>that have the resources, it is quite feasible.</div><div><br cl=
ass=3D""></div><div>But that was the point of my original post. :-)&nbsp;</d=
iv><div><br class=3D""></div><div>Henry</div><div><br class=3D""></div><div>=
[1] <a href=3D"https://www.theregister.co.uk/2018/07/03/google_chrome_http/"=
 class=3D"">https://www.theregister.co.uk/2018/07/03/google_chrome_http/</a>=
</div><div>[2] The 2015 paper "What is that App? Deceptions and countermeasu=
res&nbsp;</div><div>in the Android User Interface"&nbsp;</div><div>&nbsp; &n=
bsp;&nbsp;<a href=3D"https://www.computer.org/csdl/proceedings/sp/2015/6949/=
00/6949a931-abs.html" class=3D"">https://www.computer.org/csdl/proceedings/s=
p/2015/6949/00/6949a931-abs.html</a></div><div>I integrated that article in t=
he &nbsp;"Phishing in Context" post this week.</div><br class=3D""><blockquo=
te type=3D"cite" class=3D""><div class=3D""><div style=3D"word-wrap: break-w=
ord; -webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><d=
iv class=3D""><br class=3D""></div><br class=3D""><div class=3D"">
<div style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 1=
4px; font-style: normal; font-variant-caps: normal; font-weight: normal; let=
ter-spacing: normal; text-align: start; text-indent: 0px; text-transform: no=
ne; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; t=
ext-decoration: none;" class=3D""><div class=3D"" style=3D"orphans: 2; widow=
s: 2; font-variant-ligatures: normal; font-variant-east-asian: normal; font-=
variant-position: normal; line-height: normal; -webkit-text-decorations-in-e=
ffect: none;"><span class=3D"Apple-style-span" style=3D"border-collapse: sep=
arate; font-variant-ligatures: normal; font-variant-east-asian: normal; font=
-variant-position: normal; line-height: normal; border-spacing: 0px; -webkit=
-text-decorations-in-effect: none;">Thanks,</span></div><div class=3D"" styl=
e=3D"orphans: 2; widows: 2; font-variant-ligatures: normal; font-variant-eas=
t-asian: normal; font-variant-position: normal; line-height: normal; -webkit=
-text-decorations-in-effect: none;"><span class=3D"Apple-style-span" style=3D=
"border-collapse: separate; font-variant-ligatures: normal; font-variant-eas=
t-asian: normal; font-variant-position: normal; line-height: normal; text-al=
ign: -webkit-auto; border-spacing: 0px; -webkit-text-decorations-in-effect: n=
one;">Bret</span></div><div class=3D"" style=3D"orphans: 2; widows: 2;"><spa=
n class=3D"Apple-style-span" style=3D"border-collapse: separate; text-align:=
 -webkit-auto; border-spacing: 0px;"><span class=3D"Apple-style-span" style=3D=
"border-collapse: separate; text-align: -webkit-auto; border-spacing: 0px;">=
<div class=3D"" style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; li=
ne-break: after-white-space;"><span class=3D"Apple-style-span" style=3D"bord=
er-collapse: separate; text-align: -webkit-auto; border-spacing: 0px;"><div c=
lass=3D"" style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; line-bre=
ak: after-white-space;"><span class=3D"Apple-style-span" style=3D"border-col=
lapse: separate; text-align: -webkit-auto; border-spacing: 0px;"><div class=3D=
"" style=3D"word-wrap: break-word; -webkit-nbsp-mode: space; line-break: aft=
er-white-space;"><span class=3D"Apple-style-span" style=3D"border-collapse: s=
eparate; text-align: -webkit-auto; border-spacing: 0px;"><div class=3D""><fo=
nt color=3D"#7c7c7c" face=3D"Calibre, Verdana" class=3D"" style=3D"font-vari=
ant-ligatures: normal; font-variant-east-asian: normal; font-variant-positio=
n: normal; line-height: normal; -webkit-text-decorations-in-effect: none;"><=
span class=3D"" style=3D"font-size: 11px;">PGP Fingerprint:&nbsp;</span></fo=
nt><span class=3D"" style=3D"text-align: -webkit-auto; font-size: 11px;"><fo=
nt color=3D"#7c7c7c" face=3D"Calibre, Verdana" class=3D"">63B4 FC53 680A 6B7=
D 1447 &nbsp;F2C0 74F8 ACAE 7415 0050</font></span></div><div class=3D"" sty=
le=3D"font-variant-ligatures: normal; font-variant-east-asian: normal; font-=
variant-position: normal; line-height: normal; -webkit-text-decorations-in-e=
ffect: none;"><span class=3D"" style=3D"color: rgb(124, 124, 124); font-size=
: 8pt; font-family: Calibre, Verdana; text-align: -webkit-auto;">"Without cr=
yptography vihv vivc ce xhrnrw, however, the only thing that can not be unsc=
rambled is an egg."</span></div></span></div></span></div></span></div></spa=
n></span></div></div>
</div>
<div class=3D""><br class=3D""><blockquote type=3D"cite" class=3D""><div cla=
ss=3D"">On Jul 16, 2018, at 10:12 AM, Michael Richardson &lt;<a href=3D"mail=
to:mcr+ietf@sandelman.ca" class=3D"">mcr+ietf@sandelman.ca</a>&gt; wrote:</d=
iv><br class=3D"Apple-interchange-newline"><div class=3D""><br style=3D"care=
t-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: n=
ormal; font-variant-caps: normal; font-weight: normal; letter-spacing: norma=
l; text-align: start; text-indent: 0px; text-transform: none; white-space: n=
ormal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: n=
one;" class=3D""><span style=3D"caret-color: rgb(0, 0, 0); font-family: Helv=
etica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-=
weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px;=
 text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-=
stroke-width: 0px; text-decoration: none; float: none; display: inline !impo=
rtant;" class=3D"">Ben Laurie &lt;</span><a href=3D"mailto:benl=3D40google.c=
om@dmarc.ietf.org" style=3D"font-family: Helvetica; font-size: 14px; font-st=
yle: normal; font-variant-caps: normal; font-weight: normal; letter-spacing:=
 normal; orphans: auto; text-align: start; text-indent: 0px; text-transform:=
 none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-si=
ze-adjust: auto; -webkit-text-stroke-width: 0px;" class=3D"">benl=3D40google=
.com@dmarc.ietf.org</a><span style=3D"caret-color: rgb(0, 0, 0); font-family=
: Helvetica; font-size: 14px; font-style: normal; font-variant-caps: normal;=
 font-weight: normal; letter-spacing: normal; text-align: start; text-indent=
: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit=
-text-stroke-width: 0px; text-decoration: none; float: none; display: inline=
 !important;" class=3D"">&gt; wrote:</span><br style=3D"caret-color: rgb(0, 0=
, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-vari=
ant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: s=
tart; text-indent: 0px; text-transform: none; white-space: normal; word-spac=
ing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""=
><blockquote type=3D"cite" style=3D"font-family: Helvetica; font-size: 14px;=
 font-style: normal; font-variant-caps: normal; font-weight: normal; letter-=
spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-tr=
ansform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit=
-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: no=
ne;" class=3D"">No, I mean in the more general sense that its a way to invok=
e "the<br class=3D"">system", guaranteed, no messing.<br class=3D""></blockq=
uote><br style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-si=
ze: 14px; font-style: normal; font-variant-caps: normal; font-weight: normal=
; letter-spacing: normal; text-align: start; text-indent: 0px; text-transfor=
m: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0=
px; text-decoration: none;" class=3D""><blockquote type=3D"cite" style=3D"fo=
nt-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps=
: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-a=
lign: start; text-indent: 0px; text-transform: none; white-space: normal; wi=
dows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-=
stroke-width: 0px; text-decoration: none;" class=3D"">It has a noble history=
 of not working very well.<br class=3D""></blockquote><br style=3D"caret-col=
or: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: norma=
l; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norma=
l; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;=
" class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; font=
-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: nor=
mal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0=
px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0=
px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-dec=
oration: none;" class=3D"">Windows uses ctl-alt-del as a SAK. It doesn't let=
 you do much, but it<br class=3D"">is more than login.<br class=3D""></block=
quote><br style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-s=
ize: 14px; font-style: normal; font-variant-caps: normal; font-weight: norma=
l; letter-spacing: normal; text-align: start; text-indent: 0px; text-transfo=
rm: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width:=
 0px; text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0=
, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-vari=
ant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: s=
tart; text-indent: 0px; text-transform: none; white-space: normal; word-spac=
ing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none; float: none=
; display: inline !important;" class=3D"">Yes, that's just it: it doesn't do=
 that much.</span><br style=3D"caret-color: rgb(0, 0, 0); font-family: Helve=
tica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-w=
eight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; t=
ext-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-st=
roke-width: 0px; text-decoration: none;" class=3D""><span style=3D"caret-col=
or: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: norma=
l; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norma=
l; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;=
 float: none; display: inline !important;" class=3D"">That's why it was a fa=
ilure. &nbsp;Also lack of any kind of tutorial.</span><br style=3D"caret-col=
or: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: norma=
l; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; t=
ext-align: start; text-indent: 0px; text-transform: none; white-space: norma=
l; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;=
" class=3D""><span style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetic=
a; font-size: 14px; font-style: normal; font-variant-caps: normal; font-weig=
ht: normal; letter-spacing: normal; text-align: start; text-indent: 0px; tex=
t-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stro=
ke-width: 0px; text-decoration: none; float: none; display: inline !importan=
t;" class=3D"">And since it used to reboot the computer, so most people habi=
tually avoid it.</span><br style=3D"caret-color: rgb(0, 0, 0); font-family: H=
elvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; fo=
nt-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0=
px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-te=
xt-stroke-width: 0px; text-decoration: none;" class=3D""><br style=3D"caret-=
color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: no=
rmal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal=
; text-align: start; text-indent: 0px; text-transform: none; white-space: no=
rmal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: no=
ne;" class=3D""><span style=3D"caret-color: rgb(0, 0, 0); font-family: Helve=
tica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-w=
eight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; t=
ext-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-st=
roke-width: 0px; text-decoration: none; float: none; display: inline !import=
ant;" class=3D"">It's probably time to try it again.</span><br style=3D"care=
t-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: n=
ormal; font-variant-caps: normal; font-weight: normal; letter-spacing: norma=
l; text-align: start; text-indent: 0px; text-transform: none; white-space: n=
ormal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: n=
one;" class=3D""><br style=3D"caret-color: rgb(0, 0, 0); font-family: Helvet=
ica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-we=
ight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; t=
ext-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-st=
roke-width: 0px; text-decoration: none;" class=3D""><blockquote type=3D"cite=
" style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; font=
-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans:=
 auto; text-align: start; text-indent: 0px; text-transform: none; white-spac=
e: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -=
webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><blockquot=
e type=3D"cite" class=3D"">On 15 Jul 2018, at 22:34, Ben Laurie &lt;<a href=3D=
"mailto:benl@google.com" class=3D"">benl@google.com</a>&gt; wrote:<br class=3D=
""><br class=3D""><br class=3D""><br class=3D"">On Sun, 15 Jul 2018 at 18:56=
, Henry Story<br class=3D""></blockquote>&lt;<a href=3D"mailto:henry.story@b=
blfish.net" class=3D"">henry.story@bblfish.net</a>&gt; wrote:<br class=3D"">=
<blockquote type=3D"cite" class=3D"">Hi,<span class=3D"Apple-converted-space=
">&nbsp;</span><br class=3D""><br class=3D"">I just wrote up some ideas on U=
I and security that came (back)<br class=3D""></blockquote>to me reading<spa=
n class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><blockquote ty=
pe=3D"cite" class=3D"">this thread and other interesting papers on security.=
<br class=3D""><br class=3D"">"Phishing in Context -- Epistemology on the sc=
reen"<br class=3D""><a href=3D"https://medium.com/@bblfish/phishing-in-conte=
xt-9c84ca451314" class=3D"">https://medium.com/@bblfish/phishing-in-context-=
9c84ca451314</a><br class=3D""><br class=3D"">You have reinvented the Secure=
 Attention Key. It hasn't work out<br class=3D""></blockquote>that well, so f=
ar.<br class=3D""><blockquote type=3D"cite" class=3D""><br class=3D""></bloc=
kquote></blockquote><br style=3D"caret-color: rgb(0, 0, 0); font-family: Hel=
vetica; font-size: 14px; font-style: normal; font-variant-caps: normal; font=
-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px=
; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text=
-stroke-width: 0px; text-decoration: none;" class=3D""><blockquote type=3D"c=
ite" style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; f=
ont-variant-caps: normal; font-weight: normal; letter-spacing: normal; orpha=
ns: auto; text-align: start; text-indent: 0px; text-transform: none; white-s=
pace: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: aut=
o; -webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">Do you=
 mean what they describe on wikipedia here ?<br class=3D""><a href=3D"https:=
//en.wikipedia.org/wiki/Secure_attention_key" class=3D"">https://en.wikipedi=
a.org/wiki/Secure_attention_key</a><span class=3D"Apple-converted-space">&nb=
sp;</span><br class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0)=
; font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-=
caps: normal; font-weight: normal; letter-spacing: normal; text-align: start=
; text-indent: 0px; text-transform: none; white-space: normal; word-spacing:=
 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><bl=
ockquote type=3D"cite" style=3D"font-family: Helvetica; font-size: 14px; fon=
t-style: normal; font-variant-caps: normal; font-weight: normal; letter-spac=
ing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transf=
orm: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-tex=
t-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;"=
 class=3D"">"A secure attention key (SAK) or secure attention sequence (SAS)=
<br class=3D"">is a special key or key combination to be pressed on a comput=
er<br class=3D"">keyboard before a login screen which must, to the user, be<=
br class=3D"">completely trustworthy. The operating system kernel, which<br c=
lass=3D"">interacts directly with the hardware, is able to detect whether<br=
 class=3D"">the secure attention key has been pressed. When this event is<br=
 class=3D"">detected, the kernel starts the trusted login processing."<br cl=
ass=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); font-family: H=
elvetica; font-size: 14px; font-style: normal; font-variant-caps: normal; fo=
nt-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0=
px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-te=
xt-stroke-width: 0px; text-decoration: none;" class=3D""><blockquote type=3D=
"cite" style=3D"font-family: Helvetica; font-size: 14px; font-style: normal;=
 font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orp=
hans: auto; text-align: start; text-indent: 0px; text-transform: none; white=
-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: a=
uto; -webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">That=
 would be to authenticate the user of the computer, which is I<br class=3D""=
>suppose a<span class=3D"Apple-converted-space">&nbsp;</span><br class=3D"">=
predecessor of what the fingerprint button on new MacBook Pro<br class=3D"">=
laptops is about<span class=3D"Apple-converted-space">&nbsp;</span><br class=
=3D"">(I don't know, as I don't have them). They call it Touch Id<span class=
=3D"Apple-converted-space">&nbsp;</span><br class=3D""><a href=3D"https://su=
pport.apple.com/en-us/HT207054" class=3D"">https://support.apple.com/en-us/H=
T207054</a><br class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0=
); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant=
-caps: normal; font-weight: normal; letter-spacing: normal; text-align: star=
t; text-indent: 0px; text-transform: none; white-space: normal; word-spacing=
: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><b=
lockquote type=3D"cite" style=3D"font-family: Helvetica; font-size: 14px; fo=
nt-style: normal; font-variant-caps: normal; font-weight: normal; letter-spa=
cing: normal; orphans: auto; text-align: start; text-indent: 0px; text-trans=
form: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-te=
xt-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;=
" class=3D"">But that is not what I am talking about in the article. There I=
 am<br class=3D"">speaking of server<br class=3D"">or application authentica=
tion, and I am arguing that to be secure<br class=3D"">this needs two screen=
s<br class=3D"">the second screen being what Apple calls the Touch Bar. Ther=
e is a<br class=3D"">video here describing it<br class=3D""><a href=3D"https=
://youtu.be/DhCJuJoE6wM?t=3D170" class=3D"">https://youtu.be/DhCJuJoE6wM?t=3D=
170</a><br class=3D"">But I am sure you'll find many more. (Btw. the new Mac=
 Book Pro is<br class=3D"">out today!)<br class=3D""></blockquote><br style=3D=
"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-st=
yle: normal; font-variant-caps: normal; font-weight: normal; letter-spacing:=
 normal; text-align: start; text-indent: 0px; text-transform: none; white-sp=
ace: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decorat=
ion: none;" class=3D""><blockquote type=3D"cite" style=3D"font-family: Helve=
tica; font-size: 14px; font-style: normal; font-variant-caps: normal; font-w=
eight: normal; letter-spacing: normal; orphans: auto; text-align: start; tex=
t-indent: 0px; text-transform: none; white-space: normal; widows: auto; word=
-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0p=
x; text-decoration: none;" class=3D"">I would guess that parts of the Touch B=
ar must be OS secured, or<br class=3D"">else an app could get your fingerpri=
nts? In any case I am saying<br class=3D"">that there should be a couple mor=
e buttons on the Touch Bar that<br class=3D"">are controlled by the OS.<br c=
lass=3D"">1) the icon of the App that is in the foreground ( which would be<=
br class=3D"">retrieved from the institutional web of trust<br class=3D"">2)=
 the icon of the favicon of the web page also retrieved from the<br class=3D=
"">institutional web of trust<br class=3D""></blockquote><br style=3D"caret-=
color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: no=
rmal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal=
; text-align: start; text-indent: 0px; text-transform: none; white-space: no=
rmal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: no=
ne;" class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; f=
ont-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: n=
ormal; letter-spacing: normal; orphans: auto; text-align: start; text-indent=
: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing=
: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-=
decoration: none;" class=3D"">clickin those would give you more information a=
bout the app in 1)<br class=3D"">and more info about the page in 2).<br clas=
s=3D"">But not just the address of the headquarters, but something a lot<br c=
lass=3D"">richer.....<br class=3D""></blockquote><br style=3D"caret-color: r=
gb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; fo=
nt-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-a=
lign: start; text-indent: 0px; text-transform: none; white-space: normal; wo=
rd-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" cla=
ss=3D""><br style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font=
-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: nor=
mal; letter-spacing: normal; text-align: start; text-indent: 0px; text-trans=
form: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-widt=
h: 0px; text-decoration: none;" class=3D""><blockquote type=3D"cite" style=3D=
"font-family: Helvetica; font-size: 14px; font-style: normal; font-variant-c=
aps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; tex=
t-align: start; text-indent: 0px; text-transform: none; white-space: normal;=
 widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-te=
xt-stroke-width: 0px; text-decoration: none;" class=3D"">But I may have misu=
nderstood you...?<br class=3D""></blockquote><br style=3D"caret-color: rgb(0=
, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-v=
ariant-caps: normal; font-weight: normal; letter-spacing: normal; text-align=
: start; text-indent: 0px; text-transform: none; white-space: normal; word-s=
pacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=3D=
""><blockquote type=3D"cite" style=3D"font-family: Helvetica; font-size: 14p=
x; font-style: normal; font-variant-caps: normal; font-weight: normal; lette=
r-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-=
transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webk=
it-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: n=
one;" class=3D"">Henry<br class=3D""></blockquote><br style=3D"caret-color: r=
gb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; fo=
nt-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-a=
lign: start; text-indent: 0px; text-transform: none; white-space: normal; wo=
rd-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" cla=
ss=3D""><br style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font=
-size: 14px; font-style: normal; font-variant-caps: normal; font-weight: nor=
mal; letter-spacing: normal; text-align: start; text-indent: 0px; text-trans=
form: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-widt=
h: 0px; text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0=
, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-vari=
ant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: s=
tart; text-indent: 0px; text-transform: none; white-space: normal; word-spac=
ing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""=
><br style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 1=
4px; font-style: normal; font-variant-caps: normal; font-weight: normal; let=
ter-spacing: normal; text-align: start; text-indent: 0px; text-transform: no=
ne; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; t=
ext-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, 0); fo=
nt-family: Helvetica; font-size: 14px; font-style: normal; font-variant-caps=
: normal; font-weight: normal; letter-spacing: normal; text-align: start; te=
xt-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px=
; -webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><blockq=
uote type=3D"cite" style=3D"font-family: Helvetica; font-size: 14px; font-st=

--Apple-Mail-87AF8305-6553-4A8E-93BD-0447AAD0D8E3--


From nobody Sat Jul 21 07:14:42 2018
Return-Path: <josh.howlett@jisc.ac.uk>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
From: Josh Howlett <Josh.Howlett@jisc.ac.uk>
To: Bret Jordan <jordan.ietf@gmail.com>, Henry Story <henry.story@bblfish.net>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] stopping (https) phishing
Thread-Index: AQHUESvaGJhDiZ5rn0SUENWuTJuKRqSPEieAgAB1cACAABLAgIAAvlIAgABPMQCAACxRgIAAEywAgAAAtICAAROggIAGyY2AgACuSACAAEZpAIAABlwg
Date: Sat, 21 Jul 2018 14:14:21 +0000
Message-ID: <DB7PR07MB40118399901CBF4D65BD1A8ABC500@DB7PR07MB4011.eurprd07.prod.outlook.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com>
In-Reply-To: <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_DB7PR07MB40118399901CBF4D65BD1A8ABC500DB7PR07MB4011eurp_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/iiy-NQ9LqHC84FRpdWhNzCFwYYs>
Subject: Re: [saag] stopping (https) phishing



From nobody Sat Jul 21 07:31:24 2018
Return-Path: <beldmit@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
MIME-Version: 1.0
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com>
In-Reply-To: <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Sat, 21 Jul 2018 17:31:02 +0300
Message-ID: <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com>
To: Bret Jordan <jordan.ietf@gmail.com>
Cc: Henry Story <henry.story@bblfish.net>, saag@ietf.org
Content-Type: multipart/alternative; boundary="000000000000be7164057183432a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/swdldlAX_vVZ3mfqgkYMFAitDZs>
Subject: Re: [saag] stopping (https) phishing


Well, it seems possible to confirm that site A is the site A with high
probability.

The main problem is detection that the user has visited a site pretending to be
site A and it is necessary to request a confirmation.

On Sat, 21 Jul 2018 at 15:27, Bret Jordan <jordan.ietf@gmail.com> wrote:

> I completely agree.  We need to figure what we can do and specifically how
> we can enable better protection for end users.  Having a completely secure
> and private session is solving just half of the problem.
>
> What do you suggest is the next steps forward?  Clearly we need to do work
> here.  I would love to see some work done here in the IETF to help with
> this.
>
> As you have said attribution is one option. I think it would be good for
> end users to know if they were connecting to a legally legit establishment
> or a crime syndicate fronting an Intrusion Set.
>
> Bret
>
> Sent from my Commodore 128D
>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
> On Jul 21, 2018, at 4:15 AM, Henry Story <henry.story@bblfish.net> wrote:
>
>
>
> On 20 Jul 2018, at 23:51, Bret Jordan <jordan.ietf@gmail.com> wrote:
>
> Getting back on topic.  I agree this is a significant problem, one that
> needs to be addressed.  While things like LetsEncrypt are great for trying
> to get everyone a cert for free, it also means, Threat Actors and Intrusion
> Sets can get free certs as well.
>
>
> Yes, it looks like there is a sea change with regard to use of TLS, which
> is leading Chrome next week according to the register [1] to stop showing
> the padlock icon for secure sites, and instead show a warning for non-https
> sites, which will further accelerate the adoption of https, something made
> possible by LetsEncrypt.
>
> So very soon everyone including the crooks will be behind https :-)
> It will be the new default.
>
> From then on the point to point security will have been dealt with
> (especially if DANE also gets adopted that far), and all that will remain
> is the question as to who am I talking to so securely?
>
> That is the question of the identity of the web site the browser or
> application is connected to, indeed the question of the identity of the
> application controlling the screen more generally [2].
>
> If one is of a category theoretic mind one will think that the identity of
> each object is its position in the network of arrows of the category. But
> more practically end users will be interested for applications or web site
> of knowing what legal space they are in. For personal web pages we can fall
> back to the web of trust we currently have.
>
> That is actually quite a large project, but given that one is dealing with
> nations that have the resources, it is quite feasible.
>
> But that was the point of my original post. :-)
>
> Henry
>
> [1] https://www.theregister.co.uk/2018/07/03/google_chrome_http/
> [2] The 2015 paper "What is that App? Deceptions and countermeasures
> in the Android User Interface"
>
> https://www.computer.org/csdl/proceedings/sp/2015/6949/00/6949a931-abs.html
> I integrated that article in the  "Phishing in Context" post this week.
>
>
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
> can not be unscrambled is an egg."
>
> On Jul 16, 2018, at 10:12 AM, Michael Richardson <mcr+ietf@sandelman.ca>
> wrote:
>
>
> Ben Laurie <benl=40google.com@dmarc.ietf.org> wrote:
>
> No, I mean in the more general sense that it's a way to invoke "the
> system", guaranteed, no messing.
>
>
> It has a noble history of not working very well.
>
>
> Windows uses ctl-alt-del as a SAK. It doesn't let you do much, but it
> is more than login.
>
>
> Yes, that's just it: it doesn't do that much.
> That's why it was a failure.  Also lack of any kind of tutorial.
> And since it used to reboot the computer, so most people habitually avoid
> it.
>
> It's probably time to try it again.
>
> On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
>
>
>
> On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:
>
> Hi,
>
> I just wrote up some ideas on UI and security that came (back) to me
> reading this thread and other interesting papers on security.
>
> "Phishing in Context -- Epistemology on the screen"
> https://medium.com/@bblfish/phishing-in-context-9c84ca451314
>
> You have reinvented the Secure Attention Key. It hasn't worked out that
> well, so far.
>
>
>
> Do you mean what they describe on wikipedia here ?
> https://en.wikipedia.org/wiki/Secure_attention_key
>
>
> "A secure attention key (SAK) or secure attention sequence (SAS)
> is a special key or key combination to be pressed on a computer
> keyboard before a login screen which must, to the user, be
> completely trustworthy. The operating system kernel, which
> interacts directly with the hardware, is able to detect whether
> the secure attention key has been pressed. When this event is
> detected, the kernel starts the trusted login processing."
>
>
> That would be to authenticate the user of the computer, which is I
> suppose a predecessor of what the fingerprint button on new MacBook Pro
> laptops is about (I don't know, as I don't have them). They call it Touch Id
> https://support.apple.com/en-us/HT207054
>
> But that is not what I am talking about in the article. There I am
> speaking of server or application authentication, and I am arguing that to
> be secure this needs two screens the second screen being what Apple calls
> the Touch Bar. There is a video here describing it
> https://youtu.be/DhCJuJoE6wM?t=170
> But I am sure you'll find many more. (Btw. the new Mac Book Pro is out
> today!)
>
> I would guess that parts of the Touch Bar must be OS secured, or
> else an app could get your fingerprints? In any case I am saying
> that there should be a couple more buttons on the Touch Bar that
> are controlled by the OS.
> 1) the icon of the App that is in the foreground ( which would be
> retrieved from the institutional web of trust
> 2) the icon of the favicon of the web page also retrieved from the
> institutional web of trust
>
> clicking those would give you more information about the app in 1)
> and more info about the page in 2).
> But not just the address of the headquarters, but something a lot
> richer.....
>
>
>
> But I may have misunderstood you...?
>
>
> Henry
>
>
>
>
>
>
> ----------------------------------------------------
> Alternatives:
>
>
> ----------------------------------------------------
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-

98336Apple-style-span" style=3D"border-collapse:separate;font-variant-ligat=
ures:normal;font-variant-east-asian:normal;line-height:normal;text-align:-w=
ebkit-auto;border-spacing:0px">Bret</span></div><div><span class=3D"m_69044=
33448269298336Apple-style-span" style=3D"border-collapse:separate;text-alig=
n:-webkit-auto;border-spacing:0px"><span class=3D"m_6904433448269298336Appl=
e-style-span" style=3D"border-collapse:separate;text-align:-webkit-auto;bor=
der-spacing:0px"><div style=3D"word-wrap:break-word;line-break:after-white-=
space"><span class=3D"m_6904433448269298336Apple-style-span" style=3D"borde=
r-collapse:separate;text-align:-webkit-auto;border-spacing:0px"><div style=
=3D"word-wrap:break-word;line-break:after-white-space"><span class=3D"m_690=
4433448269298336Apple-style-span" style=3D"border-collapse:separate;text-al=
ign:-webkit-auto;border-spacing:0px"><div style=3D"word-wrap:break-word;lin=
e-break:after-white-space"><span class=3D"m_6904433448269298336Apple-style-=
span" style=3D"border-collapse:separate;text-align:-webkit-auto;border-spac=
ing:0px"><div><font color=3D"#7c7c7c" face=3D"Calibre, Verdana" style=3D"fo=
nt-variant-ligatures:normal;font-variant-east-asian:normal;line-height:norm=
al"><span style=3D"font-size:11px">PGP Fingerprint:=C2=A0</span></font><spa=
n style=3D"text-align:-webkit-auto;font-size:11px"><font color=3D"#7c7c7c" =
face=3D"Calibre, Verdana">63B4 FC53 680A 6B7D 1447 =C2=A0F2C0 74F8 ACAE 741=
5 0050</font></span></div><div style=3D"font-variant-ligatures:normal;font-=
variant-east-asian:normal;line-height:normal"><span style=3D"color:rgb(124,=
124,124);font-size:8pt;font-family:Calibre,Verdana;text-align:-webkit-auto"=
>&quot;Without cryptography vihv vivc ce xhrnrw, however, the only thing th=
at can not be unscrambled is an egg.&quot;</span></div></span></div></span>=
</div></span></div></span></span></div></div>
</div>
<div><br><blockquote type=3D"cite"><div>On Jul 16, 2018, at 10:12 AM, Micha=
el Richardson &lt;<a href=3D"mailto:mcr+ietf@sandelman.ca" target=3D"_blank=
" rel=3D"noreferrer">mcr+ietf@sandelman.ca</a>&gt; wrote:</div><br class=3D=
"m_6904433448269298336Apple-interchange-newline"><div><br style=3D"font-fam=
ily:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;fon=
t-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text=
-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><=
span style=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-v=
ariant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:star=
t;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;t=
ext-decoration:none;float:none;display:inline!important">Ben Laurie &lt;</s=
pan><a href=3D"mailto:benl=3D40google.com@dmarc.ietf.org" style=3D"font-fam=
ily:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;fon=
t-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text=
-transform:none;white-space:normal;word-spacing:0px" target=3D"_blank" rel=
=3D"noreferrer">benl=3D40google.com@dmarc.ietf.org</a><span style=3D"font-=
family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;=
font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;t=
ext-transform:none;white-space:normal;word-spacing:0px;text-decoration:none=
;float:none;display:inline!important">&gt; wrote:</span><br style=3D"font-f=
amily:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;f=
ont-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;te=
xt-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"=
><blockquote type=3D"cite" style=3D"font-family:Helvetica;font-size:14px;fo=
nt-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:=
normal;text-align:start;text-indent:0px;text-transform:none;white-space:nor=
mal;word-spacing:0px;text-decoration:none">No, I mean in the more general s=
ense that its a way to invoke &quot;the<br>system&quot;, guaranteed, no mes=
sing.<br></blockquote><br style=3D"font-family:Helvetica;font-size:14px;fon=
t-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:n=
ormal;text-align:start;text-indent:0px;text-transform:none;white-space:norm=
al;word-spacing:0px;text-decoration:none"><blockquote type=3D"cite" style=
=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-cap=
s:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-ind=
ent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decora=
tion:none">It has a noble history of not working very well.<br></blockquote=
><br style=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-v=
ariant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:star=
t;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;t=
ext-decoration:none"><blockquote type=3D"cite" style=3D"font-family:Helveti=
ca;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:no=
rmal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:=
none;white-space:normal;word-spacing:0px;text-decoration:none">Windows uses=
 ctl-alt-del as a SAK. It doesn&#39;t let you do much, but it<br>is more th=
an login.<br></blockquote><br style=3D"font-family:Helvetica;font-size:14px=
;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spaci=
ng:normal;text-align:start;text-indent:0px;text-transform:none;white-space:=
normal;word-spacing:0px;text-decoration:none"><span style=3D"font-family:He=
lvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weig=
ht:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-trans=
form:none;white-space:normal;word-spacing:0px;text-decoration:none;float:no=
ne;display:inline!important">Yes, that&#39;s just it: it doesn&#39;t do tha=
t much.</span><br style=3D"font-family:Helvetica;font-size:14px;font-style:=
normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;te=
xt-align:start;text-indent:0px;text-transform:none;white-space:normal;word-=
spacing:0px;text-decoration:none"><span style=3D"font-family:Helvetica;font=
-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;le=
tter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;wh=
ite-space:normal;word-spacing:0px;text-decoration:none;float:none;display:i=
nline!important">That&#39;s why it was a failure.=C2=A0 Also lack of any ki=
nd of tutorial.</span><br style=3D"font-family:Helvetica;font-size:14px;fon=
t-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:n=
ormal;text-align:start;text-indent:0px;text-transform:none;white-space:norm=
al;word-spacing:0px;text-decoration:none"><span style=3D"font-family:Helvet=
ica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:n=
ormal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform=
:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;d=
isplay:inline!important">And since it used to reboot the computer, so most =
people habitually avoid it.</span><br style=3D"font-family:Helvetica;font-s=
ize:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;lett=
er-spacing:normal;text-align:start;text-indent:0px;text-transform:none;whit=
e-space:normal;word-spacing:0px;text-decoration:none"><br style=3D"font-fam=
ily:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;fon=
t-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text=
-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><=
span style=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-v=
ariant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:star=
t;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;t=
ext-decoration:none;float:none;display:inline!important">It&#39;s probably =
time to try it again.</span><br style=3D"font-family:Helvetica;font-size:14=
px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spa=
cing:normal;text-align:start;text-indent:0px;text-transform:none;white-spac=
e:normal;word-spacing:0px;text-decoration:none"><br style=3D"font-family:He=
lvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weig=
ht:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-trans=
form:none;white-space:normal;word-spacing:0px;text-decoration:none"><blockq=
uote type=3D"cite" style=3D"font-family:Helvetica;font-size:14px;font-style=
:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;t=
ext-align:start;text-indent:0px;text-transform:none;white-space:normal;word=
-spacing:0px;text-decoration:none"><blockquote type=3D"cite">On 15 Jul 2018=
, at 22:34, Ben Laurie &lt;<a href=3D"mailto:benl@google.com" target=3D"_bl=
ank" rel=3D"noreferrer">benl@google.com</a>&gt; wrote:<br><br><br><br>On Su=
n, 15 Jul 2018 at 18:56, Henry Story<br></blockquote>&lt;<a href=3D"mailto:=
henry.story@bblfish.net" target=3D"_blank" rel=3D"noreferrer">henry.story@b=
blfish.net</a>&gt; wrote:<br><blockquote type=3D"cite">Hi,<span class=3D"m_=
6904433448269298336Apple-converted-space">=C2=A0</span><br><br>I just wrote=
 up some ideas on UI and security that came (back)<br></blockquote>to me re=
ading<span class=3D"m_6904433448269298336Apple-converted-space">=C2=A0</spa=
n><br><blockquote type=3D"cite">this thread and other interesting papers on=
 security.<br><br>&quot;Phishing in Context -- Epistemology on the screen&q=
uot;<br><a href=3D"https://medium.com/@bblfish/phishing-in-context-9c84ca45=
1314" target=3D"_blank" rel=3D"noreferrer">https://medium.com/@bblfish/phis=
hing-in-context-9c84ca451314</a><br><br>You have reinvented the Secure Atte=
ntion Key. It hasn&#39;t work out<br></blockquote>that well, so far.<br><bl=
ockquote type=3D"cite"><br></blockquote></blockquote><br style=3D"font-fami=
ly:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font=
-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-=
transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><b=
lockquote type=3D"cite" style=3D"font-family:Helvetica;font-size:14px;font-=
style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:nor=
mal;text-align:start;text-indent:0px;text-transform:none;white-space:normal=
;word-spacing:0px;text-decoration:none">Do you mean what they describe on w=
ikipedia here ?<br><a href=3D"https://en.wikipedia.org/wiki/Secure_attentio=
n_key" target=3D"_blank" rel=3D"noreferrer">https://en.wikipedia.org/wiki/S=
ecure_attention_key</a><span class=3D"m_6904433448269298336Apple-converted-=
space">=C2=A0</span><br></blockquote><br style=3D"font-family:Helvetica;fon=
t-size:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;l=
etter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;w=
hite-space:normal;word-spacing:0px;text-decoration:none"><blockquote type=
=3D"cite" style=3D"font-family:Helvetica;font-size:14px;font-style:normal;f=
ont-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align=
:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:=
0px;text-decoration:none">&quot;A secure attention key (SAK) or secure atte=
ntion sequence (SAS)<br>is a special key or key combination to be pressed o=
n a computer<br>keyboard before a login screen which must, to the user, be<=
br>completely trustworthy. The operating system kernel, which<br>interacts =
directly with the hardware, is able to detect whether<br>the secure attenti=
on key has been pressed. When this event is<br>detected, the kernel starts =
the trusted login processing.&quot;<br></blockquote><br style=3D"font-famil=
y:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-=
weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-t=
ransform:none;white-space:normal;word-spacing:0px;text-decoration:none"><bl=
ockquote type=3D"cite" style=3D"font-family:Helvetica;font-size:14px;font-s=
tyle:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:norm=
al;text-align:start;text-indent:0px;text-transform:none;white-space:normal;=
word-spacing:0px;text-decoration:none">That would be to authenticate the us=
er of the computer, which is I<br>suppose a<span class=3D"m_690443344826929=
8336Apple-converted-space">=C2=A0</span><br>predecessor of what the fingerp=
rint button on new MacBook Pro<br>laptops is about<span class=3D"m_69044334=
48269298336Apple-converted-space">=C2=A0</span><br>(I don&#39;t know, as I =
don&#39;t have them). They call it Touch Id<span class=3D"m_690443344826929=
8336Apple-converted-space">=C2=A0</span><br><a href=3D"https://support.appl=
e.com/en-us/HT207054" target=3D"_blank" rel=3D"noreferrer">https://support.=
apple.com/en-us/HT207054</a><br></blockquote><br style=3D"font-family:Helve=
tica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:=
normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transfor=
m:none;white-space:normal;word-spacing:0px;text-decoration:none"><blockquot=
e type=3D"cite" style=3D"font-family:Helvetica;font-size:14px;font-style:no=
rmal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text=
-align:start;text-indent:0px;text-transform:none;white-space:normal;word-sp=
acing:0px;text-decoration:none">But that is not what I am talking about in =
the article. There I am<br>speaking of server<br>or application authenticat=
ion, and I am arguing that to be secure<br>this needs two screens<br>the se=
cond screen being what Apple calls the Touch Bar. There is a<br>video here =
describing it<br><a href=3D"https://youtu.be/DhCJuJoE6wM?t=3D170" target=3D=
"_blank" rel=3D"noreferrer">https://youtu.be/DhCJuJoE6wM?t=3D170</a><br>But=
 I am sure you&#39;ll find many more. (Btw. the new Mac Book Pro is<br>out =
today!)<br></blockquote><br style=3D"font-family:Helvetica;font-size:14px;f=
ont-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing=
:normal;text-align:start;text-indent:0px;text-transform:none;white-space:no=
rmal;word-spacing:0px;text-decoration:none"><blockquote type=3D"cite" style=
=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-cap=
s:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-ind=
ent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decora=
tion:none">I would guess that parts of the Touch Bar must be OS secured, or=
<br>else an app could get your fingerprints? In any case I am saying<br>tha=
t there should be a couple more buttons on the Touch Bar that<br>are contro=
lled by the OS.<br>1) the icon of the App that is in the foreground ( which=
 would be<br>retrieved from the institutional web of trust<br>2) the icon o=
f the favicon of the web page also retrieved from the<br>institutional web =
of trust<br></blockquote><br style=3D"font-family:Helvetica;font-size:14px;=
font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacin=
g:normal;text-align:start;text-indent:0px;text-transform:none;white-space:n=
ormal;word-spacing:0px;text-decoration:none"><blockquote type=3D"cite" styl=
e=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-ca=
ps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-in=
dent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decor=
ation:none">clickin those would give you more information about the app in =
1)<br>and more info about the page in 2).<br>But not just the address of th=
e headquarters, but something a lot<br>richer.....<br></blockquote><br styl=
e=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-ca=
ps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-in=
dent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decor=
ation:none"><br style=3D"font-family:Helvetica;font-size:14px;font-style:no=
rmal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text=
-align:start;text-indent:0px;text-transform:none;white-space:normal;word-sp=
acing:0px;text-decoration:none"><blockquote type=3D"cite" style=3D"font-fam=
ily:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;fon=
t-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text=
-transform:none;white-space:normal;word-spacing:0px;text-decoration:none">B=
ut I may have misunderstood you...?<br></blockquote><br style=3D"font-famil=
y:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-=
weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-t=
ransform:none;white-space:normal;word-spacing:0px;text-decoration:none"><bl=
ockquote type=3D"cite" style=3D"font-family:Helvetica;font-size:14px;font-s=
tyle:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:norm=
al;text-align:start;text-indent:0px;text-transform:none;white-space:normal;=
word-spacing:0px;text-decoration:none">Henry<br></blockquote><br style=3D"f=
ont-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:nor=
mal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0=
px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:=
none"><br style=3D"font-family:Helvetica;font-size:14px;font-style:normal;f=
ont-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align=
:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:=
0px;text-decoration:none"><br style=3D"font-family:Helvetica;font-size:14px=
;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spaci=
ng:normal;text-align:start;text-indent:0px;text-transform:none;white-space:=
normal;word-spacing:0px;text-decoration:none"><br style=3D"font-family:Helv=
etica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight=
:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transfo=
rm:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style=
=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-cap=
s:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-ind=
ent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decora=
tion:none"><blockquote type=3D"cite" style=3D"font-family:Helvetica;font-si=
ze:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;lette=
r-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white=
-space:normal;word-spacing:0px;text-decoration:none">----------------------=
------------------------------<br>Alternatives:<br></blockquote><br style=
=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-cap=
s:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-ind=
ent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decora=
tion:none"><blockquote type=3D"cite" style=3D"font-family:Helvetica;font-si=
ze:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;lette=
r-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white=
-space:normal;word-spacing:0px;text-decoration:none">----------------------=
------------------------------<br>_________________________________________=
______<br>saag mailing list<br><a href=3D"mailto:saag@ietf.org" target=3D"_=
blank" rel=3D"noreferrer">saag@ietf.org</a><br><a href=3D"https://www.ietf.=
org/mailman/listinfo/saag" target=3D"_blank" rel=3D"noreferrer">https://www=
.ietf.org/mailman/listinfo/saag</a><br></blockquote><br style=3D"font-famil=
y:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-=
weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-t=
ransform:none;white-space:normal;word-spacing:0px;text-decoration:none"><sp=
an style=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-var=
iant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;=
text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;tex=
t-decoration:none;float:none;display:inline!important">--<span class=3D"m_6=
904433448269298336Apple-converted-space">=C2=A0</span></span><br style=3D"f=
ont-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:nor=
mal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0=
px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:=
none"><span style=3D"font-family:Helvetica;font-size:14px;font-style:normal=
;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-ali=
gn:start;text-indent:0px;text-transform:none;white-space:normal;word-spacin=
g:0px;text-decoration:none;float:none;display:inline!important">Michael Ric=
hardson &lt;</span><a href=3D"mailto:mcr+IETF@sandelman.ca" style=3D"font-f=
amily:Helvetica;font-size:14px;font-style:normal;font-variant-caps:normal;f=
ont-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;te=
xt-transform:none;white-space:normal;word-spacing:0px" target=3D"_blank" re=
l=3D"noreferrer">mcr+IETF@sandelman.ca</a><span style=3D"font-family:Helvet=
ica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:n=
ormal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform=
:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;d=
isplay:inline!important">&gt;, Sandelman Software Works</span><br style=3D"=
font-family:Helvetica;font-size:14px;font-style:normal;font-variant-caps:no=
rmal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:=
0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration=
:none"><span style=3D"font-family:Helvetica;font-size:14px;font-style:norma=
l;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-al=
ign:start;text-indent:0px;text-transform:none;white-space:normal;word-spaci=
ng:0px;text-decoration:none;float:none;display:inline!important">-=3D IPv6 =
IoT consulting =3D-</span><br style=3D"font-family:Helvetica;font-size:14px=
;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spaci=
ng:normal;text-align:start;text-indent:0px;text-transform:none;white-space:=
normal;word-spacing:0px;text-decoration:none"><br style=3D"font-family:Helv=
etica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight=
:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transfo=
rm:none;white-space:normal;word-spacing:0px;text-decoration:none"><br style=
=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-cap=
s:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-ind=
ent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decora=
tion:none"><br style=3D"font-family:Helvetica;font-size:14px;font-style:nor=
mal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-=
align:start;text-indent:0px;text-transform:none;white-space:normal;word-spa=
cing:0px;text-decoration:none"><span style=3D"font-family:Helvetica;font-si=
ze:14px;font-style:normal;font-variant-caps:normal;font-weight:normal;lette=
r-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white=
-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inli=
ne!important">_______________________________________________</span><br sty=
le=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-c=
aps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-i=
ndent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-deco=
ration:none"><span style=3D"font-family:Helvetica;font-size:14px;font-style=
:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;t=
ext-align:start;text-indent:0px;text-transform:none;white-space:normal;word=
-spacing:0px;text-decoration:none;float:none;display:inline!important">saag=
 mailing list</span><br style=3D"font-family:Helvetica;font-size:14px;font-=
style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:nor=
mal;text-align:start;text-indent:0px;text-transform:none;white-space:normal=
;word-spacing:0px;text-decoration:none"><a href=3D"mailto:saag@ietf.org" st=
yle=3D"font-family:Helvetica;font-size:14px;font-style:normal;font-variant-=
caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-=
indent:0px;text-transform:none;white-space:normal;word-spacing:0px" target=
=3D"_blank" rel=3D"noreferrer">saag@ietf.org</a><br style=3D"font-family:He=
lvetica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weig=
ht:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-trans=
form:none;white-space:normal;word-spacing:0px;text-decoration:none"><a href=
=3D"https://www.ietf.org/mailman/listinfo/saag" style=3D"font-family:Helvet=
ica;font-size:14px;font-style:normal;font-variant-caps:normal;font-weight:n=
ormal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform=
:none;white-space:normal;word-spacing:0px" target=3D"_blank" rel=3D"norefer=
rer">https://www.ietf.org/mailman/listinfo/saag</a></div></blockquote></div=
><br></div>_______________________________________________<br>saag mailing =
list<br><a href=3D"mailto:saag@ietf.org" target=3D"_blank" rel=3D"noreferre=
r">saag@ietf.org</a><br><a href=3D"https://www.ietf.org/mailman/listinfo/sa=
ag" target=3D"_blank" rel=3D"noreferrer">https://www.ietf.org/mailman/listi=
nfo/saag</a><br></div></blockquote></div><br></div></blockquote></div></div=
>_______________________________________________<br>
saag mailing list<br>
<a href=3D"mailto:saag@ietf.org" target=3D"_blank" rel=3D"noreferrer">saag@=
ietf.org</a><br>
<a href=3D"https://www.ietf.org/mailman/listinfo/saag" rel=3D"noreferrer no=
referrer" target=3D"_blank">https://www.ietf.org/mailman/listinfo/saag</a><=
br>
</blockquote></div>

--000000000000be7164057183432a--


From nobody Sat Jul 21 09:24:56 2018
Return-Path: <henry.story@bblfish.net>
From: Henry Story <henry.story@bblfish.net>
Message-Id: <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_42C8FDAC-73CA-4CBB-905F-BAC8AED01EDC"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sat, 21 Jul 2018 18:24:42 +0200
In-Reply-To: <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com>
Cc: saag@ietf.org, Sir Tim Berners-Lee <timbl@w3.org>
To: Bret Jordan <jordan.ietf@gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/OA38tZ6rqEeDSZInHOKO0buBjI4>
Subject: Re: [saag] stopping (https) phishing
X-List-Received-Date: Sat, 21 Jul 2018 16:24:54 -0000

--Apple-Mail=_42C8FDAC-73CA-4CBB-905F-BAC8AED01EDC
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 21 Jul 2018, at 14:27, Bret Jordan <jordan.ietf@gmail.com> wrote:
>
> I completely agree.  We need to figure what we can do and specifically how we can enable better protection for end users.  Having a completely secure and private session is solving just half of the problem.
>
> What do you suggest is the next steps forward?  Clearly we need to do work here.  I would love to see some work done here in the IETF to help with this.
>
> As you have said attribution is one option. I think it would be good for end users to know if they were connecting to a legally legit establishment or a crime syndicate fronting an Intrusion Set.

Well if there were agreement that this Institutional Web of Trust (IWoT) is missing and
important to security then that would be an important achievement, as it would prepare
the next steps. This is clearly a very large project and there will be many people
involved. (I have added TimBL in CC as he will know many of them).

Here are the things I can think of, but I am aware I am probably going into too
much detail, have some biases that are not explained here, and may be
missing some important strands:

• finding the right players: W3C, IETF, ODI, Repositories, Browser Vendors, State players,
etc... and getting them interested in building this out, and get the buy in for deployment
down the road

• there will have to be some work done to prepare a convincing road map for them
(It would be helpful to find a way to prove the security features of what is being built for example,
initial prototypes, ...)

• map out the size of the project by looking at what the size of the current repositories would
be. Ben Laurie stated that there were 1500 registries in the UK for example. Where is that list?
Are they all relevant? How much data do they have? This may be a web or data science project.
https://twitter.com/BenLaurie/status/1014520767235706880
One does not need to start with all of them, but it would be useful to know where the system
has to grow to so as to make the right decisions upstream.

• finding the ontologists to examine the data structures of the key repositories
internationally to find the high level ontologies (classes) needed that can grow
and be extended over time and that will be useful for the browsers to display
information that will be of interest to the user. [0]
     There are departments dedicated to this in universities around the world. The
major requirement would be to build it so that it is extensible over time, i.e. that older
browsers can continue working even as new categories appear, i.e. it has to be able
to degrade gracefully [1].
   It should also be possible for one state to leave warning messages for those that
take it as a trust anchor on companies or sites in its own or other states.
   In the end that work has to be submitted to a process of standardization.

• Load testing: it should be possible to work on some load testing. For example would
QUIC make a big difference to scalability of the project, over and above HTTP2.0?

• Caching: the point was raised and it is one that the security community is keen on that
the data should be able to come signed from the server one is connected to. In which case
it needs to be signed by the institution in the IWoT that serves it. Ideally the signed document
could also be dereferenced, so that web sites can start simply by pointing to the institutions in
an http header or the X509 Cert, and when understanding the value optimise the process
by serving something like what the Verifiable Claims WG is working on, but signed.
There would then need to be an extension to the HTTP standard for passing the verifiable
claim through, in addition to the X509 certificate. (I am assuming here that X509 is just going
to be a bit tedious to extend and teach. It would help if the data were the same in the Verifiable
Claim as the one that was served by the institution, so that the graphs are isomorphic)

• Browser Vendors would check out the tools available to help build this efficiently, to
work on elegant and helpful User Interfaces for the data, test it on initial users, give feedback
to ontologies, ...

• I suppose for legal purposes it would be useful if there were ways that all the data served
by institutions like companieshouse.gov.uk or https://www.sec.gov/ were historically versioned
in a verifiable way so that courts could look at what a web user would have seen on a particular
day in order to support or deny a claim. This sounds somewhat blockchainy, though it may not
require anything like global consensus. Signed data dumps per repository may be fine with a way
of verifying this. Given that one needs global hyper-data structures (since we can allow links between
institutions) something like a standard for an RDF based block chain could be very useful here.
That would make it serialization agnostic, open to new schemas, globally linkable, and formally
underpinned with logic.


Well that's all I can think of right now.
Clearly a lot can be done in parallel: and one can start small and grow the system.
(A bit like https has only recently grown to wide adoption)


[0] Ontologies are like Class hierarchies in OO programming
   but a declarative version of it where intermediary relations
   and classes can be added, and which are open to various levels
   of reasoning.

[1] https://www.w3.org/TR/html-design-principles/#degrade-gracefully


> Bret
>
> Sent from my Commodore 128D

:D

>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
> On Jul 21, 2018, at 4:15 AM, Henry Story <henry.story@bblfish.net> wrote:
>
>>
>>> On 20 Jul 2018, at 23:51, Bret Jordan <jordan.ietf@gmail.com> wrote:
>>>
>>> Getting back on topic.  I agree this is a significant problem, one that needs to be addressed.  While things like LetsEncrypt are great for trying to get everyone a cert for free, it also means, Threat Actors and Intrusion Sets can get free certs as well.
>>
>> Yes, it looks like there is a sea change with regard to use of TLS, which is leading
>> Chrome next week according to The Register [1] to stop showing the padlock icon for
>> secure sites, and instead show a warning for non-https sites, which will further
>> accelerate the adoption of https, something made possible by LetsEncrypt.
>>
>> So very soon everyone including the crooks will be behind https :-)
>> It will be the new default.
>>
>> From then on the point to point security will have been dealt with (especially
>> if DANE also gets adopted that far), and all that will remain is the question as to
>> who am I talking to so securely?
>>
>> That is the question of the identity of the web site the browser or application
>> is connected to, indeed the question of the identity of the application controlling
>> the screen more generally [2].
>>
>> If one is of a category theoretic mind one will think that the identity of each
>> object is its position in the network of arrows of the category. But more practically
>> end users will be interested, for applications or web sites, in knowing what legal
>> space they are in. For personal web pages we can fall back to the web of trust
>> we currently have.
>>
>> That is actually quite a large project, but given that one is dealing with nations
>> that have the resources, it is quite feasible.
>>
>> But that was the point of my original post. :-)
>>
>> Henry
>>
>> [1] https://www.theregister.co.uk/2018/07/03/google_chrome_http/
>> [2] The 2015 paper "What is that App? Deceptions and countermeasures
>> in the Android User Interface"
>>     https://www.computer.org/csdl/proceedings/sp/2015/6949/00/6949a931-abs.html
>> I integrated that article in the "Phishing in Context" post this week.
>>
>>>
>>> Thanks,
>>> Bret
>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>>>
>>>> On Jul 16, 2018, at 10:12 AM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>>>>
>>>> Ben Laurie <benl=40google.com@dmarc.ietf.org> wrote:
>>>>> No, I mean in the more general sense that it's a way to invoke "the
>>>>> system", guaranteed, no messing.
>>>>
>>>>> It has a noble history of not working very well.
>>>>
>>>>> Windows uses ctl-alt-del as a SAK. It doesn't let you do much, but it
>>>>> is more than login.
>>>>
>>>> Yes, that's just it: it doesn't do that much.
>>>> That's why it was a failure.  Also lack of any kind of tutorial.
>>>> And since it used to reboot the computer, most people habitually avoid it.
>>>>
>>>> It's probably time to try it again.
>>>>
>>>>>> On 15 Jul 2018, at 22:34, Ben Laurie <benl@google.com> wrote:
>>>>>>
>>>>>> On Sun, 15 Jul 2018 at 18:56, Henry Story <henry.story@bblfish.net> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I just wrote up some ideas on UI and security that came (back) to me reading
>>>>>> this thread and other interesting papers on security.
>>>>>>
>>>>>> "Phishing in Context -- Epistemology on the screen"
>>>>>> https://medium.com/@bblfish/phishing-in-context-9c84ca451314
>>>>>>
>>>>>> You have reinvented the Secure Attention Key. It hasn't worked out that well, so far.
>>>>>>
>>>>
>>>>> Do you mean what they describe on Wikipedia here?
>>>>> https://en.wikipedia.org/wiki/Secure_attention_key
>>>>
>>>>> "A secure attention key (SAK) or secure attention sequence (SAS)
>>>>> is a special key or key combination to be pressed on a computer
>>>>> keyboard before a login screen which must, to the user, be
>>>>> completely trustworthy. The operating system kernel, which
>>>>> interacts directly with the hardware, is able to detect whether
>>>>> the secure attention key has been pressed. When this event is
>>>>> detected, the kernel starts the trusted login processing."
>>>>
>>>>> That would be to authenticate the user of the computer, which is I suppose a
>>>>> predecessor of what the fingerprint button on new MacBook Pro laptops is about
>>>>> (I don't know, as I don't have them). They call it Touch ID
>>>>> https://support.apple.com/en-us/HT207054
>>>>
>>>>> But that is not what I am talking about in the article. There I am speaking of server
>>>>> or application authentication, and I am arguing that to be secure this needs two screens
>>>>> the second screen being what Apple calls the Touch Bar. There is a video here describing it
>>>>> https://youtu.be/DhCJuJoE6wM?t=170
>>>>> But I am sure you'll find many more. (Btw. the new Mac Book Pro is out today!)
>>>>
>>>>> I would guess that parts of the Touch Bar must be OS secured, or
>>>>> else an app could get your fingerprints? In any case I am saying
>>>>> that there should be a couple more buttons on the Touch Bar that
>>>>> are controlled by the OS.
>>>>> 1) the icon of the App that is in the foreground (which would be
>>>>> retrieved from the institutional web of trust)
>>>>> 2) the icon of the favicon of the web page also retrieved from the
>>>>> institutional web of trust
>>>>
>>>>> Clicking those would give you more information about the app in 1)
>>>>> and more info about the page in 2).
>>>>> But not just the address of the headquarters, but something a lot
>>>>> richer.....
>>>>
>>>>
>>>>> But I may have misunderstood you...?
>>>>
>>>>> Henry
>>>>> _______________________________________________
>>>>> saag mailing list
>>>>> saag@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/saag
>>>>
>>>> --
>>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>>> -= IPv6 IoT consulting =-


mean in the more general sense that it's a way to invoke "the<br =
class=3D"">system", guaranteed, no messing.<br class=3D""></blockquote><br=
 style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">It =
has a noble history of not working very well.<br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">Windows uses ctl-alt-del as a SAK. It =
doesn't let you do much, but it<br class=3D"">is more than login.<br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">Yes, that's just it: it doesn't do that much.</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">That's why it was a failure. =
&nbsp;Also lack of any kind of tutorial.</span><br style=3D"caret-color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; text-align: start; text-indent: 0px; text-transform: none; =
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">And since it used to reboot the computer, most people =
habitually avoid it.</span><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">It's probably time to try it again.</span><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" class=3D"">On 15 Jul 2018, at =
22:34, Ben Laurie &lt;<a href=3D"mailto:benl@google.com" =
class=3D"">benl@google.com</a>&gt; wrote:<br class=3D""><br class=3D""><br=
 class=3D""><br class=3D"">On Sun, 15 Jul 2018 at 18:56, Henry Story<br =
class=3D""></blockquote>&lt;<a href=3D"mailto:henry.story@bblfish.net" =
class=3D"">henry.story@bblfish.net</a>&gt; wrote:<br =
class=3D""><blockquote type=3D"cite" class=3D"">Hi,<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><br =
class=3D"">I just wrote up some ideas on UI and security that came =
(back)<br class=3D""></blockquote>to me reading<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><blockquote =
type=3D"cite" class=3D"">this thread and other interesting papers on =
security.<br class=3D""><br class=3D"">"Phishing in Context -- =
Epistemology on the screen"<br class=3D""><a =
href=3D"https://medium.com/@bblfish/phishing-in-context-9c84ca451314" =
class=3D"">https://medium.com/@bblfish/phishing-in-context-9c84ca451314</a=
><br class=3D""><br class=3D"">You have reinvented the Secure Attention =
Key. It hasn't worked out<br class=3D""></blockquote>that well, so far.<br =
class=3D""><blockquote type=3D"cite" class=3D""><br =
class=3D""></blockquote></blockquote><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">Do you mean what they describe on =
Wikipedia here?<br class=3D""><a =
href=3D"https://en.wikipedia.org/wiki/Secure_attention_key" =
class=3D"">https://en.wikipedia.org/wiki/Secure_attention_key</a><span =
class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">"A secure attention key (SAK) or =
secure attention sequence (SAS)<br class=3D"">is a special key or key =
combination to be pressed on a computer<br class=3D"">keyboard before a =
login screen which must, to the user, be<br class=3D"">completely =
trustworthy. The operating system kernel, which<br class=3D"">interacts =
directly with the hardware, is able to detect whether<br class=3D"">the =
secure attention key has been pressed. When this event is<br =
class=3D"">detected, the kernel starts the trusted login processing."<br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">That would be to authenticate the =
user of the computer, which is I<br class=3D"">suppose a<span =
class=3D"Apple-converted-space">&nbsp;</span><br class=3D"">predecessor =
of what the fingerprint button on new MacBook Pro<br class=3D"">laptops =
is about<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D"">(I don't know, as I don't have them). They call it Touch =
ID<span class=3D"Apple-converted-space">&nbsp;</span><br class=3D""><a =
href=3D"https://support.apple.com/en-us/HT207054" =
class=3D"">https://support.apple.com/en-us/HT207054</a><br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">But that is not what I am talking =
about in the article. There I am<br class=3D"">speaking of server<br =
class=3D"">or application authentication, and I am arguing that to be =
secure<br class=3D"">this needs two screens<br class=3D"">the second =
screen being what Apple calls the Touch Bar. There is a<br =
class=3D"">video here describing it<br class=3D""><a =
href=3D"https://youtu.be/DhCJuJoE6wM?t=3D170" =
class=3D"">https://youtu.be/DhCJuJoE6wM?t=3D170</a><br class=3D"">But I =
am sure you'll find many more. (Btw. the new MacBook Pro is<br =
class=3D"">out today!)<br class=3D""></blockquote><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">I =
would guess that parts of the Touch Bar must be OS secured, or<br =
class=3D"">else an app could get your fingerprints? In any case I am =
saying<br class=3D"">that there should be a couple more buttons on the =
Touch Bar that<br class=3D"">are controlled by the OS.<br class=3D"">1) =
the icon of the App that is in the foreground (which would be<br =
class=3D"">retrieved from the institutional web of trust)<br class=3D"">2) =
the icon of the favicon of the web page also retrieved from the<br =
class=3D"">institutional web of trust<br class=3D""></blockquote><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">=
Clicking those would give you more information about the app in 1)<br =
class=3D"">and more info about the page in 2).<br class=3D"">But not =
just the address of the headquarters, but something a lot<br =
class=3D"">richer.....<br class=3D""></blockquote><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">But I =
may have misunderstood you...?<br class=3D""></blockquote><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D"">Henry<br class=3D""></blockquote><br style=3D"caret-color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; text-align: start; text-indent: 0px; text-transform: none; =
white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><blockquote type=3D"cite" =
style=3D"font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" =
class=3D"">----------------------------------------------------<br =
class=3D"">Alternatives:<br class=3D""></blockquote><br =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D"">----------------------------------------------------<br =
class=3D"">_______________________________________________<br =
class=3D"">saag mailing list<br class=3D""><a =
href=3D"mailto:saag@ietf.org" class=3D"">saag@ietf.org</a><br =
class=3D""><a href=3D"https://www.ietf.org/mailman/listinfo/saag" =
class=3D"">https://www.ietf.org/mailman/listinfo/saag</a><br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;" =
class=3D"">--<span class=3D"Apple-converted-space">&nbsp;</span></span><br=
 style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">Michael Richardson &lt;</span><a =
href=3D"mailto:mcr+IETF@sandelman.ca" style=3D"font-family: Helvetica; =
font-size: 14px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px;" class=3D"">mcr+IETF@sandelman.ca</a><span=
 style=3D"caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;" class=3D"">&gt;, Sandelman Software =
Works</span><br style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;" class=3D""><span style=3D"caret-color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none; float: none; display: inline !important;" class=3D"">-=3D IPv6 IoT =
consulting =3D-</span><br style=3D"caret-color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""></div></blockquot=
e></div><br =
class=3D""></div><br =
class=3D""></div></blockquote></div><br =
class=3D""></div></blockquote></div></div></div></blockquote></div><br =
class=3D""></body></html>=

--Apple-Mail=_42C8FDAC-73CA-4CBB-905F-BAC8AED01EDC--


From nobody Sat Jul 21 09:33:57 2018
From: Brian Witten <brian_witten@symantec.com>
To: Josh Howlett <Josh.Howlett@jisc.ac.uk>
CC: Bret Jordan <jordan.ietf@gmail.com>, Henry Story <henry.story@bblfish.net>, "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [EXT] Re: [saag] stopping (https) phishing
Date: Sat, 21 Jul 2018 16:33:42 +0000
Message-ID: <F8D95B17-FDC8-4546-96B2-E99A5C10DFD7@symantec.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com>, <DB7PR07MB40118399901CBF4D65BD1A8ABC500@DB7PR07MB4011.eurprd07.prod.outlook.com>
In-Reply-To: <DB7PR07MB40118399901CBF4D65BD1A8ABC500@DB7PR07MB4011.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_F8D95B17FDC8454696B2E99A5C10DFD7symanteccom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/AHMHyZlqMH2z2EfYI6iJdQd_XJE>
Subject: Re: [saag] [EXT] Re:  stopping (https) phishing



From nobody Sat Jul 21 10:12:39 2018
Return-Path: <johnl@iecc.com>
Date: 21 Jul 2018 13:12:31 -0400
Message-ID: <alpine.OSX.2.21.1807211236160.8123@ary.qy>
From: "John R. Levine" <johnl@iecc.com>
To: "Henry Story" <henry.story@bblfish.net>
Cc: "Bret Jordan" <jordan.ietf@gmail.com>, saag@ietf.org
In-Reply-To: <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/4Oi3SzqIeWk-RaHghi7nCXfFh20>
Subject: Re: [saag] stopping (https) phishing

On Sat, 21 Jul 2018, Henry Story wrote:
> Well if there were agreement that this Institutional Web of Trust (IWoT)  is missing and
> important to security then that would be an important achievement, ...

How would this IWoT differ from what CAs were supposed to do?  When I got 
my first SSL certificate 20 years ago, I had multiple phone calls and 
faxes with the CA to establish that I was who I purported to be.  That was 
then, now DV CAs verify nothing, and EV certs, which sort of do what DV 
certs used to do, are also briskly racing to the bottom.

I would also consider the impressive non-success of the PGP web of trust 
outside tiny niches of people who know each other anyway.

This does not sound like a good idea to me.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


From nobody Sat Jul 21 11:27:52 2018
Return-Path: <henry.story@bblfish.net>
From: Henry Story <henry.story@bblfish.net>
Message-Id: <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_23F879A7-DFA0-462F-B01D-8EFE98A94180"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sat, 21 Jul 2018 20:27:40 +0200
In-Reply-To: <alpine.OSX.2.21.1807211236160.8123@ary.qy>
Cc: Bret Jordan <jordan.ietf@gmail.com>, saag@ietf.org
To: "John R. Levine" <johnl@iecc.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/SahvKorX69Nk0glAAdpYu25KAZ8>
Subject: Re: [saag] stopping (https) phishing

--Apple-Mail=_23F879A7-DFA0-462F-B01D-8EFE98A94180
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii



> On 21 Jul 2018, at 19:12, John R. Levine <johnl@iecc.com> wrote:
>
> On Sat, 21 Jul 2018, Henry Story wrote:
>> Well if there were agreement that this Institutional Web of Trust (IWoT) is missing and
>> important to security then that would be an important achievement, ...
>
> How would this IWoT differ from what CAs were supposed to do?

That is easy. IWoT would be based on institutions that tie into nation or
region based local registries that tie into national anchors that may tie
into federal ones (as in the USA, or Germany).
We are trying to get the national legal registries system to publish
in open data what they already have about the companies, bakeries,
hospitals, schools, universities, etc in a decentralised way so that we
don't need to specify the topology of these registries in advance. This
data would be published on the web, so it can be used by browsers to give
rich information to the user about the company whose home page they are
landing on.

(
So because thinking in terms of digital sovereignty is unusual for
computer scientists I wrote up a perhaps too lengthy post that goes into
the debate at the political level that is going on there, by linking to
laws the French parliament passed a few years ago, a book that was
published on the subject, an interview by a constitutional lawyer,
the relation to Brexit and how this can tie back to the Web.

From Digital Sovereignty to the Web of Nations
https://medium.com/cybersoton/from-digital-sovereignty-to-the-web-of-nations-61fbc28d79cd
)

Now CAs are very different. A CA only certifies a few attributes of the
owner of the web site, and only a minute part of the information published
on the web by a registry such as
beta.companyhouse.gov.uk <http://beta.companyhouse.gov.uk/>

In the article on "Stopping (https) Phishing"
https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9

there is a curl example showing JSON data published from the
api.companyhouse.gov.uk <http://api.beta.companyhouse.gov.uk/>
version of the beta web site. Then I show how a web site could link to
such a document which could link back, how a browser could follow links to
get to the root authority, always verifying that the page it landed on
linked back to the original site it just came from. This creates a link
based, https protected, verification chain. This chain would mostly be
hierarchical up to the national level, and then peer to peer between
nations, though without a requirement that all nations link to each other.
Because this is web based it is quite easy to set and change information
or links, so that the data can be much more fluid and rich than what X509
certificates can give.

X509 CAs can certify web sites for companies of any nationality. The
proposal works with nations that are restricted to certify web sites for
their institutions, binding those to their legal and diplomatic systems.

> When I got my first SSL certificate 20 years ago, I had multiple phone
> calls and faxes with the CA to establish that I was who I purported to
> be.  That was then, now DV CAs verify nothing, and EV certs, which sort
> of do what DV certs used to do, are also briskly racing to the bottom.

Well here it is the country that would be responsible for collecting taxes
that is tied to your identity.
There is a lot of value for them to track you correctly, and there should
be legal systems in place for you to be able to defend yourself against
abuse, but also for people to seek redress in case your company breaks the
law. All this already exists. It could just be made explicit so that
browsers can tie into them.

> I would also consider the impressive non-success of the PGP web of
> trust outside tiny niches of people who know each other anyway.

Yes, I also wrote a short post
"Why did the Web of Trust fail?"
in response to a similar question by Prof Bryan Ford of EPFL
https://medium.com/@bblfish/what-are-the-failings-of-pgp-web-of-trust-958e1f62e5b7

I argue there that the person-to-person PGP web of trust failed because
people are not necessarily good at verifying properties. I may be good at
verifying anyone's name, but that does not mean that those I verify are
good at it. So the links cannot go very far. And that is just for names.
Clearly nobody is going to argue that anyone would be good at verifying
driving ability. There are institutions designed to do that such as the
DMV and the driving training schools.

> This does not sound like a good idea to me.

Yes, the PGP web of trust was a good way to get a lot of people to think
about cryptography.
But as its only way of linking two people was signing and there are only
2 attributes in PGP (name/e-mail and photo) and there are only 8 bits of
attributes available, it is quite limited.

Since then a whole slew of tools have been standardized for working with
data globally and so potentially inconsistently, which following
hyper-text we should call hyper-data.
These have been developed over the past 20 years, and allow very rich data
structures that can evolve, for which there are logical formalisms and
that are designed for the web, i.e. for linkability across organizations
and nations. This allows one to cleanly separate the data and the security
layer which can just use https. One can then add signatures too, but the
fact that one does not need to helps make clear that these are orthogonal
problems.

But it is also because these are orthogonal (data, api, security, UI) that
the communities rarely meet.
It is time to link them :-)


>
> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
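
The link-based verification chain described in the message above, as an added example that is not part of the original post or the linked article: a hop is accepted only when the document it points to links back. The field names (`registered_by`, `registers`, `peers`), all URLs and the sample documents are constructed assumptions, and the mutual-peer check between national roots is one possible reading of the "peer to peer between nations" step.

```python
# Added illustration, not code from the thread or the linked article.
# Field names ("registered_by", "registers", "peers") and every URL are
# hypothetical; SAMPLE_WEB is constructed data standing in for HTTPS fetches.
from urllib.parse import urlsplit

ROOT_A = "https://registry.nation-a.example/"
ROOT_B = "https://registry.nation-b.example/"
ROOT_C = "https://registry.nation-c.example/"
REGION = "https://registry.region.example/co/123"

SAMPLE_WEB = {
    "https://shop.example/": {"registered_by": REGION},
    REGION: {"registers": ["https://shop.example/"], "registered_by": ROOT_A},
    ROOT_A: {"registers": [REGION], "peers": [ROOT_B]},
    ROOT_B: {"registers": ["https://bank.nation-b.example/"], "peers": [ROOT_A]},
    "https://bank.nation-b.example/": {"registered_by": ROOT_B},
    # Look-alike site claiming a real registry entry that does not list it.
    "https://sh0p.example/": {"registered_by": REGION},
    # National root that names ROOT_A as a peer without ROOT_A reciprocating.
    ROOT_C: {"registers": ["https://store.nation-c.example/"], "peers": [ROOT_A]},
    "https://store.nation-c.example/": {"registered_by": ROOT_C},
}


class ChainError(Exception):
    """Raised when the chain of links cannot be verified."""


def fetch(url, web):
    """Return the document at url; only https links are ever followed."""
    if urlsplit(url).scheme != "https":
        raise ChainError(f"refusing non-https link: {url}")
    if url not in web:
        raise ChainError(f"no document at {url}")
    return web[url]


def verify_chain(site, trusted_root, web=SAMPLE_WEB, max_hops=8):
    """Walk from site up to trusted_root, checking every link is reciprocated.

    Returns the list of URLs visited, or raises ChainError at the first hop
    whose target does not link back.
    """
    path, current = [site], site
    for _ in range(max_hops):
        doc = fetch(current, web)
        if current == trusted_root:
            return path
        parent = doc.get("registered_by")
        if parent is None:
            # current is some other national root: accept it only if it and
            # the user's own root name each other as peers.
            ours = fetch(trusted_root, web)
            if current in ours.get("peers", []) and trusted_root in doc.get("peers", []):
                return path + [trusted_root]
            raise ChainError(f"{current} is not a mutual peer of {trusted_root}")
        if parent in path:
            raise ChainError(f"loop detected at {parent}")
        if current not in fetch(parent, web).get("registers", []):
            raise ChainError(f"{parent} does not link back to {current}")
        path.append(parent)
        current = parent
    raise ChainError(f"chain longer than {max_hops} hops")


if __name__ == "__main__":
    for site in ("https://shop.example/", "https://bank.nation-b.example/",
                 "https://sh0p.example/", "https://store.nation-c.example/"):
        try:
            print("OK  ", " -> ".join(verify_chain(site, ROOT_A)))
        except ChainError as err:
            print("FAIL", site, "-", err)
```

The look-alike `sh0p.example` fails at the first hop because the registry entry it cites lists only `shop.example`, which is the property the link-back requirement is meant to provide.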


--Apple-Mail=_23F879A7-DFA0-462F-B01D-8EFE98A94180
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><br =
class=3D""><div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D"">On 21 Jul 2018, at 19:12, John R. Levine &lt;<a =
href=3D"mailto:johnl@iecc.com" class=3D"">johnl@iecc.com</a>&gt; =
wrote:</div><br class=3D"Apple-interchange-newline"><div class=3D""><div =
class=3D"">On Sat, 21 Jul 2018, Henry Story wrote:<br =
class=3D""><blockquote type=3D"cite" class=3D"">Well if there were =
agreement that this Institutional Web of Trust (IWoT) &nbsp;is missing =
and<br class=3D"">important to security then that would be an important =
achievement, ...<br class=3D""></blockquote><br class=3D"">How would =
this IWoT differ from what CAs were supposed to do? =
&nbsp;</div></div></blockquote><div><br class=3D""></div><div>That is =
easy. IWoT would be based on institutions that tie into nation or region =
based local&nbsp;</div><div>registries that tie into national anchors =
that may tie into federal ones (as in the USA, or Germany).</div><div>We =
are trying to get the national legal registries system to =
publish</div><div>in open data what &nbsp;they already have about the =
companies, bakeries, hospitals,</div><div>schools, universities, etc in =
a decentralised way so that we don't need to specify =
the&nbsp;</div><div>topology of these registries in advance. This data =
would be published on the web,</div><div>so it can be used by browsers =
to give rich information to the user about the =
company&nbsp;</div><div>whose home page they are landing =
on.</div><div><br class=3D""></div><div>(</div><div>So because thinking =
in terms of digital sovereignty is unusual for computer =
scientists</div><div>I wrote up a perhaps too lengthy post that goes =
into the debate at the political level</div><div>that is going on there, =
by linking to laws the French parliament passed a few years =
ago,&nbsp;</div><div>a book that was published on the subject, an =
interview by a constitutional lawyer,&nbsp;</div><div>the relation to =
Brexit and how this can tie back to the Web.</div><div><br =
class=3D""></div><div><div>=46rom Digital Sovereignty to the Web of =
Nations</div></div><div><a =
href=3D"https://medium.com/cybersoton/from-digital-sovereignty-to-the-web-=
of-nations-61fbc28d79cd" =
class=3D"">https://medium.com/cybersoton/from-digital-sovereignty-to-the-w=
eb-of-nations-61fbc28d79cd</a></div><div>)</div><div><br =
class=3D""></div><div>Now CAs are very different. A CA only certifies a =
few attributes of the owner of the web site,&nbsp;</div><div>and only a =
minute part of the information published on the web by a registry such =
as</div><div><a href=3D"http://beta.companyhouse.gov.uk" =
class=3D"">beta.companyhouse.gov.uk</a></div><div><br =
class=3D""></div><div>In the article on "Stopping (https) =
Phishing"</div><div><a =
href=3D"https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9=
" =
class=3D"">https://medium.com/cybersoton/stopping-https-phishing-42226ca9e=
7d9</a></div><div><br class=3D""></div><div>&nbsp;there is a curl =
example showing JSON data published from the <a =
href=3D"http://api.beta.companyhouse.gov.uk" =
class=3D"">api.companyhouse.gov.uk</a></div><div>version of the beta web =
site. Then I show how a web site could link to such a document which =
could link back,</div><div>how a browser could follow links to get to =
the root authority, &nbsp;always verifying that the page it landed on =
linked</div><div>back to the original site it just came from. This =
creates a link based, https protected, verification</div><div>chain. =
This chain would mostly be hierarchical up to the national level, and =
then peer to peer</div><div>between nations, though without a =
requirement that all nations link to each other. Because =
this</div><div>is web based it is quite easy to set and change =
information or links, so that the data can be</div><div>much more fluid =
and rich than what X509 certificates can give.&nbsp;</div><div><br =
class=3D""></div><div>X509 CA's can certify web sites for companies of =
any nationality. The proposal works with&nbsp;</div><div>nations that =
are restricted to certify web sites for their institutions, binding =
those to their legal&nbsp;</div><div>and diplomatic =
systems.&nbsp;</div><br class=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D""><div class=3D"">When I got my first SSL =
certificate 20 years ago, I had multiple phone calls and faxes with the =
CA to establish that I was who I purported to be. &nbsp;That was then, =
now DV CAs verify nothing, and EV certs, which sort of do what DV certs =
used to do, are also briskly racing to the bottom.<br =
class=3D""></div></div></blockquote><div><br class=3D""></div><div>Well =
here it is the country that would be responsible for collecting taxes =
that is tied to your identity.</div><div>There is a lot of value for =
them to track you correctly, and there should be legal systems in place =
for&nbsp;</div><div>you to be able to defend yourself against abuse, but =
also for people to seek redress in case your&nbsp;</div><div>company =
&nbsp;breaks the law. All this already exists. It could just be made =
explicit so that browsers can</div><div>tie into them.</div><br =
class=3D""><blockquote type=3D"cite" class=3D""><div class=3D""><div =
class=3D"">I would also consider the impressive non-success of the PGP =
web of trust outside tiny niches of people who know each other =
anyway.<br class=3D""></div></div></blockquote><div><br =
class=3D""></div><div>Yes I also write a short post&nbsp;</div><div>"Why =
did the Web of Trust fail?"</div><div>In response to a similar question =
by Prof Bryan Ford of EPFL&nbsp;</div><div><a =
href=3D"https://medium.com/@bblfish/what-are-the-failings-of-pgp-web-of-tr=
ust-958e1f62e5b7" =
class=3D"">https://medium.com/@bblfish/what-are-the-failings-of-pgp-web-of=
-trust-958e1f62e5b7</a></div><div><br class=3D""></div><div>I argue =
there that the person 2 person PGP web of trust failed because people =
are not necessarily</div><div>good at verifying properties. I may be =
good at verifying anyone's name, but that does not mean that =
those</div><div>I verify are good at it. So the links cannot go very =
far. And that is just for names. Clearly nobody is =
going&nbsp;</div><div>to argue that anyone would be good at verifying =
driving ability. There are institutions designed to do =
that&nbsp;</div><div>such as the DMV and the driving training =
schools.</div><br class=3D""><blockquote type=3D"cite" class=3D""><div =
class=3D""><div class=3D"">This does not sound like a good idea to =
me.<br class=3D""></div></div></blockquote><div><br =
class=3D""></div><div>yes, the PGP web of trust was a good way to get a =
lot of people to think about cryptography.&nbsp;</div><div>But as it's =
only way of linking two people was signing and there are only 2 =
attributes in PGP</div><div>(name/e-mail and photo) and there are only =
8bits of attributes available, it is quite limited.</div><div><br =
class=3D""></div><div>Since then we have a whole slew of tools have been =
standardized for working with data&nbsp;</div><div>globally and so =
potentially inconsistently, which following hyper-text we should call =
hyper-data.&nbsp;</div><div>These &nbsp;that have been developed over =
the past 20 years, which allow very rich data =
structures&nbsp;</div><div>that can evolve, for which there are logical =
formalisms &nbsp;and that are designed for the web - =
ie&nbsp;</div><div>for linkability across organizations and nations. =
This allows one to cleanly separate the data and&nbsp;</div><div>the =
security layer which can just use https. One can then add signatures =
too, but the fact that&nbsp;</div><div>one does not need to helps make =
clear that these are orthogonal problems.</div><div><br =
class=3D""></div><div>But it is also because these are orthogonal (data, =
api, security, UI) that the communities rarely meet.</div><div>It is =
time to link them :-)</div><div><br class=3D""></div><br =
class=3D""><blockquote type=3D"cite" class=3D""><div class=3D""><div =
class=3D""><br class=3D"">Regards,<br class=3D"">John Levine, <a =
href=3D"mailto:johnl@iecc.com" class=3D"">johnl@iecc.com</a>, Primary =
Perpetrator of "The Internet for Dummies",<br class=3D"">Please consider =
the environment before reading this e-mail. <a href=3D"https://jl.ly" =
class=3D"">https://jl.ly</a><br =
class=3D""></div></div></blockquote></div><br class=3D""></body></html>=

--Apple-Mail=_23F879A7-DFA0-462F-B01D-8EFE98A94180--
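
The link-following check described in the message above (every page reached must link back to the page it was reached from, hierarchically up to a national root, then peer to peer between nations), sketched as an added example that is not part of the original message or of any existing implementation. The property names `registeredBy`, `registers` and `peers`, the `.example` URLs, and the in-memory `DOCS` table standing in for HTTPS fetches are all assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample documents keyed by URL; a real client would fetch each over HTTPS.
# The property names "registeredBy", "registers" and "peers" are hypothetical.
DOCS = {
    "https://shop.example/": {
        "registeredBy": "https://uk-registry.example/company/0001",
    },
    "https://uk-registry.example/company/0001": {
        "registers": ["https://shop.example/"],
        "registeredBy": "https://uk-anchor.example/",
    },
    "https://uk-anchor.example/": {
        "registers": ["https://uk-registry.example/company/0001"],
        "peers": ["https://fr-anchor.example/"],
    },
    "https://fr-anchor.example/": {
        "registers": [],
        "peers": ["https://uk-anchor.example/"],
    },
    # Look-alike site pointing at the real record, which does not point back.
    "https://sh0p.example/": {
        "registeredBy": "https://uk-registry.example/company/0001",
    },
    # Site under an anchor that claims a peering the trusted root does not return.
    "https://store.example/": {"registeredBy": "https://zz-anchor.example/"},
    "https://zz-anchor.example/": {
        "registers": ["https://store.example/"],
        "peers": ["https://fr-anchor.example/"],
    },
}


class ChainError(Exception):
    """Raised when a hop of the chain cannot be verified."""


def _get(docs, url):
    """Stand-in for an HTTPS fetch: refuse non-https URLs and missing documents."""
    if urlsplit(url).scheme != "https":
        raise ChainError(f"not https: {url}")
    if url not in docs:
        raise ChainError(f"unreachable: {url}")
    return docs[url]


def verify_chain(site, trusted_roots, docs=DOCS, max_hops=8):
    """Return the verified path from `site` to a trusted root, or raise ChainError."""
    path = [site]
    current, doc = site, _get(docs, site)
    # Hierarchical part: follow the upward link, accepting a hop only if the
    # document we land on links back to the one we came from.
    while "registeredBy" in doc:
        if len(path) > max_hops:
            raise ChainError("chain too long")
        parent = doc["registeredBy"]
        if parent in path:
            raise ChainError(f"loop at {parent}")
        parent_doc = _get(docs, parent)
        if current not in parent_doc.get("registers", []):
            raise ChainError(f"{parent} does not link back to {current}")
        path.append(parent)
        current, doc = parent, parent_doc
    if current in trusted_roots:
        return path
    # Peer-to-peer part: a foreign anchor counts only if a trusted root lists it
    # as a peer AND it lists that root in return.
    for root in trusted_roots:
        root_doc = _get(docs, root)
        if current in root_doc.get("peers", []) and root in doc.get("peers", []):
            return path + [root]
    raise ChainError(f"{current} is not a trusted root or a mutual peer of one")


def check(site, trusted_roots, docs=DOCS):
    """Return (True, path) on success or (False, reason) on failure."""
    try:
        return True, verify_chain(site, trusted_roots, docs)
    except ChainError as exc:
        return False, str(exc)
```

The look-alike `sh0p.example` can point at the genuine registry record, but the check fails because the record only links back to `shop.example`; a one-sided peering claim fails for the same reason.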


From nobody Sat Jul 21 11:40:07 2018
Date: 21 Jul 2018 14:40:01 -0400
Message-ID: <alpine.OSX.2.21.1807211431550.9342@ary.qy>
From: "John R. Levine" <johnl@iecc.com>
To: "Henry Story" <henry.story@bblfish.net>
Cc: saag@ietf.org
In-Reply-To: <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/wiel6gs1eMWIszFpYthbHgj-6Bo>
Subject: Re: [saag] stopping (https) phishing

On Sat, 21 Jul 2018, Henry Story wrote:
>> How would this IWoT differ from what CAs were supposed to do?
>
> That is easy. IWoT would be based on institutions that tie into nation or region based local
> registries that tie into national anchors that may tie into federal ones (as in the USA, or Germany).

This sounds a lot like the industry-specific CAs I proposed, only this 
depends on a great deal of software that does not exist and probably never 
will.

R's,
John


From nobody Sat Jul 21 12:21:22 2018
From: Henry Story <henry.story@bblfish.net>
Message-Id: <97A6F4DE-EC28-46D1-A598-FBE8B3F7742C@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F82EE83E-AAFF-4FB2-BD91-CEFDDC888BFE"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sat, 21 Jul 2018 21:21:12 +0200
In-Reply-To: <alpine.OSX.2.21.1807211431550.9342@ary.qy>
Cc: saag@ietf.org
To: "John R. Levine" <johnl@iecc.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IBCfzFdfKslQaP_Olt26rzFOywU>
Subject: Re: [saag] stopping (https) phishing

--Apple-Mail=_F82EE83E-AAFF-4FB2-BD91-CEFDDC888BFE
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 21 Jul 2018, at 20:40, John R. Levine <johnl@iecc.com> wrote:
>
> On Sat, 21 Jul 2018, Henry Story wrote:
>>> How would this IWoT differ from what CAs were supposed to do?
>>
>> That is easy. IWoT would be based on institutions that tie into nation or region based local
>> registries that tie into national anchors that may tie into federal ones (as in the USA, or Germany).
>
> This sounds a lot like the industry-specific CAs I proposed, only this depends on a great deal of software that does not exist and probably never will.

It would be interesting to look in more detail at your proposal for industry specific CAs to contrast
and compare the proposal I made.

Here the idea is to cover all industries across all nations, for a world wide web of institutional trust.
If your proposal is based on X509 then you have the problem of having a format that is too rigid I think
as far as attribute extensibility goes. Also if it is only based on certificates, then you limit yourself to
a very limited set of attributes, unless you update certificates every day. Both of those two limitations
together add up to something that is somewhat brittle and inflexible.

As far as "software that does not exist...", well it has all been developed over the past 20 years or so.

• The Open Data Institute and other such organizations have been getting governments to start publishing their data
   see the beta.companieshouse.gov.uk <http://beta.companieshouse.gov.uk/> for example
• hyperdata has been standardized at the W3C and widely tested with projects around the world. There
is a depiction at http://lod-cloud.net/
• There is a JSON-LD format to interoperate nicely with JSON folks
• there are many open source implementations of the standards in many different languages including of course
JS. There are competitions for large scale databases, though this is not needed here. Small quad
stores would do fine.
• Universities have been forming people at this for years, and there are numerous PhDs, companies, etc. on the ball

As I said because at one level it is orthogonal to security it is not surprising if the security community encountered
this at the periphery. Just the same is true on their side. (Though there have been quite a few papers on access control
reasoning systems too in linked data communities)...

The proposal may not be incompatible with CAs or X509 either btw. The proposal is to start
off getting government registries to publish data that can be used openly by browsers to
increase security. Nothing excludes yet CAs to play an important new role here.

I am happy to look at papers that cover similar topics to compare and contrast.

Henry

>
> R's,
> John



--Apple-Mail=_F82EE83E-AAFF-4FB2-BD91-CEFDDC888BFE--


From nobody Sat Jul 21 16:30:41 2018
Content-Type: multipart/alternative; boundary=Apple-Mail-39FF33EC-2F1A-4BAD-BCC9-B4BFF1195C4D
Mime-Version: 1.0 (1.0)
From: Bret Jordan <jordan.ietf@gmail.com>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <alpine.OSX.2.21.1807211431550.9342@ary.qy>
Date: Sat, 21 Jul 2018 19:30:34 -0400
Cc: Henry Story <henry.story@bblfish.net>, saag@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy>
To: "John R. Levine" <johnl@iecc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/vGBDgkeP-mcROkfyKHle0_7aTTk>
Subject: Re: [saag] stopping (https) phishing

--Apple-Mail-39FF33EC-2F1A-4BAD-BCC9-B4BFF1195C4D
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable

The key is to keep working on this, discussing ideas, working through options.

I for one would really like to see the IETF setup a working group for this specific topic, it would be good to work through this and find a solution that works. I would be willing to help out here and will dedicate time to this effort.

Bret

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
>
> On Sat, 21 Jul 2018, Henry Story wrote:
>>> How would this IWoT differ from what CAs were supposed to do?
>>
>> That is easy. IWoT would be based on institutions that tie into nation or region based local
>> registries that tie into national anchors that may tie into federal ones (as in the USA, or Germany).
>
> This sounds a lot like the industry-specific CAs I proposed, only this depends on a great deal of software that does not exist and probably never will.
>
> R's,
> John


--Apple-Mail-39FF33EC-2F1A-4BAD-BCC9-B4BFF1195C4D--


From nobody Sat Jul 21 18:01:03 2018
Date: 21 Jul 2018 21:00:55 -0400
Message-ID: <alpine.OSX.2.21.1807212100220.11623@ary.qy>
From: "John R. Levine" <johnl@iecc.com>
To: "Bret Jordan" <jordan.ietf@gmail.com>
Cc: "Henry Story" <henry.story@bblfish.net>, saag@ietf.org
In-Reply-To: <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/nicXqLcj5ziJBPvX97NoWVa6iL0>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 01:01:01 -0000

> I for one would really like to see the IETF setup a working group for this specific topic, it would be good to work through this and find a solution that works. I would be willing to help out here and will dedicate time to this effort.

I don't think there is enough stuff here to merit a WG.  Perhaps talk to the 
IRTF about an RG to explore ideas not ready to standardize.


>
> Bret
>
> Sent from my Commodore 128D
>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
>> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
>>
>> On Sat, 21 Jul 2018, Henry Story wrote:
>>>> How would this IWoT differ from what CAs were supposed to do?
>>>
>>> That is easy. IWoT would be based on institutions that tie into nation or region based local
>>> registries that tie into national anchors that may tie into federal ones (as in the USA, or Germany).
>>
>> This sounds a lot like the industry-specific CAs I proposed, only this depends on a great deal of software that does not exist and probably never will.
>>
>> R's,
>> John
>>
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
>

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


From nobody Sun Jul 22 01:45:22 2018
Return-Path: <henry.story@bblfish.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D043F130E52 for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 01:45:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level: 
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bblfish-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stkTArLCcWh3 for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 01:45:17 -0700 (PDT)
Received: from mail-wm0-x241.google.com (mail-wm0-x241.google.com [IPv6:2a00:1450:400c:c09::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C0C12872C for <saag@ietf.org>; Sun, 22 Jul 2018 01:45:17 -0700 (PDT)
Received: by mail-wm0-x241.google.com with SMTP id c14-v6so13116201wmb.4 for <saag@ietf.org>; Sun, 22 Jul 2018 01:45:16 -0700 (PDT)
X-Received: by 2002:a1c:4885:: with SMTP id v127-v6mr4848726wma.161.1532249115433;  Sun, 22 Jul 2018 01:45:15 -0700 (PDT)
Received: from [192.168.43.209] ([92.184.96.104]) by smtp.gmail.com with ESMTPSA id f12-v6sm5429048wrg.88.2018.07.22.01.45.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 22 Jul 2018 01:45:14 -0700 (PDT)
From: Henry Story <henry.story@bblfish.net>
Message-Id: <6AA0F4A4-24DA-4937-9D9A-5BDA318DBA30@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C706A5C9-EC73-40B2-A37A-3181E4044183"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sun, 22 Jul 2018 10:45:11 +0200
In-Reply-To: <alpine.OSX.2.21.1807211526001.9961@ary.qy>
Cc: saag@ietf.org
To: "John R. Levine" <johnl@iecc.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <97A6F4DE-EC28-46D1-A598-FBE8B3F7742C@bblfish.net> <alpine.OSX.2.21.1807211526001.9961@ary.qy>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/mzZXNF9eGffMEIUdgbwttELfZ-0>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 08:45:20 -0000

--Apple-Mail=_C706A5C9-EC73-40B2-A37A-3181E4044183
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 21 Jul 2018, at 21:27, John R. Levine <johnl@iecc.com> wrote:
>
>> It would be interesting to look in more details at your proposal for industry specific CAs to contrast
>> and compare the proposal I made.
>
> It was on this list a week ago.

Can you please give a link to the document. That would help. I searched the archive for posts
by you on your two e-mail addresses on https://mailarchive.ietf.org/arch/browse/saag/ <https://mailarchive.ietf.org/arch/browse/saag/>

>
>> • The Open Data Institute and other such organizations have been getting governments to start publishing their data
>>  see the beta.companieshouse.gov.uk <http://beta.companieshouse.gov.uk/> for example
>> • hyperdata has been standardized at the W3C and widely tested with projects around the world. There
>> is a depiction at http://lod-cloud.net/ <http://lod-cloud.net/>
>> • There is a JSON-LD format to interoperate nicely with JSON folks
>> • there are many open source implementations of the standards in many different languages including of course
>> JS. There are competitions for large scale databases, though this is not needed here. Small quad
>> stores would do fine.
>> • Universities have been forming people at this for years, and there are numerous PhDs, companies, etc. on the ball
>
> Sounds like software that does not exist to me.  Write back in a decade and let us know how it's coming along.

Ah I understand [1]!

So what does exist is:
– https web servers
– at least one open data server with a RESTful API publishing data for public companies for the whole UK
  and a list of other online repositories some of which may also do this
   https://www.gov.uk/government/publications/overseas-registries/overseas-registries
– web browsers
– JSON and RDF parsers and libraries

What is missing is code implementing the proof procedure I describe in the article
with the name of this thread [2], and potentially a proof for why this would be good
enough of a proof.

I could implement a Firefox plugin that showed a button that changed color to green
say if there is a proven chain to the trust authority, and on clicking that would open
the info page about the company whose web site the user was looking at.

The proof for why this is a proof (even though in a way it is obvious that it is) is something
I am working on for my PhD. That requires I think a mathematical representation of the web.

Is that the kind of software you would be looking for?

Henry

[1]  For reasons similar to those in the Muddy Children's Puzzle [1] where just by someone
asking a question the answer can be revealed
http://sierra.nmsu.edu/morandi/CourseMaterials/MuddyChildren.html
[2] https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9 <https://medium.com/cybersoton/stopping-https-phishing-42226ca9e7d9>

>
> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly


--Apple-Mail=_C706A5C9-EC73-40B2-A37A-3181E4044183--


From nobody Sun Jul 22 05:05:02 2018
Return-Path: <adam.w.montville@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8380B130EF8 for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 05:05:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UexUg1BdlC0m for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 05:04:59 -0700 (PDT)
Received: from mail-oi0-x233.google.com (mail-oi0-x233.google.com [IPv6:2607:f8b0:4003:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 061BD130EEF for <saag@ietf.org>; Sun, 22 Jul 2018 05:04:59 -0700 (PDT)
Received: by mail-oi0-x233.google.com with SMTP id w126-v6so28669311oie.7 for <saag@ietf.org>; Sun, 22 Jul 2018 05:04:58 -0700 (PDT)
X-Received: by 2002:aca:ceca:: with SMTP id e193-v6mr4725109oig.37.1532261097836;  Sun, 22 Jul 2018 05:04:57 -0700 (PDT)
Received: from [192.168.86.238] (99-64-100-131.lightspeed.austtx.sbcglobal.net. [99.64.100.131]) by smtp.gmail.com with ESMTPSA id 5-v6sm4276088oix.58.2018.07.22.05.04.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 22 Jul 2018 05:04:56 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (1.0)
From: Adam Montville <adam.w.montville@gmail.com>
X-Mailer: iPad Mail (15G77)
In-Reply-To: <alpine.OSX.2.21.1807212100220.11623@ary.qy>
Date: Sun, 22 Jul 2018 07:04:55 -0500
Cc: Bret Jordan <jordan.ietf@gmail.com>, saag@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A04AB4F5-D550-431A-99E2-F2D70BF91847@gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com> <alpine.OSX.2.21.1807212100220.11623@ary.qy>
To: "John R. Levine" <johnl@iecc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/C6pTdtd_X0hd-S53jZey2qRpbLk>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 12:05:02 -0000

Whether a WG or an RG, I’d be interested in helping here.

On Jul 21, 2018, at 8:00 PM, John R. Levine <johnl@iecc.com> wrote:

>> I for one would really like to see the IETF setup a working group for this specific topic, it would be good to work through this and find a solution that works. I would be willing to help out here and will dedicate time to this effort.
>
> I don't think there is enough stuff here to merit WG.  Perhaps talk to the IRTF about an RG to explore ideas not ready to standardize.
>
>
>>
>> Bret
>>
>> Sent from my Commodore 128D
>>
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>
>>> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
>>>
>>> On Sat, 21 Jul 2018, Henry Story wrote:
>>>>> How would this IWoT differ from what CAs were supposed to do?
>>>>
>>>> That is easy. IWoT would be based on institutions that tie into nation or region based local
>>>> registries that tie into national anchors that may tie into federal ones (as in the USA, or Germany).
>>>
>>> This sounds a lot like the industry-specific CAs I proposed, only this depends on a great deal of software that does not exist and probably never will.
>>>
>>> R's,
>>> John
>>>
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>>
>
> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


From nobody Sun Jul 22 06:49:33 2018
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F1A7130E1D for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 06:49:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfEh2QjpgwiV for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 06:49:29 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 0ED8D130DDD for <saag@ietf.org>; Sun, 22 Jul 2018 06:49:29 -0700 (PDT)
Received: from [192.168.46.58] (198-84-237-221.cpe.teksavvy.com [198.84.237.221]) by mail.networkradius.com (Postfix) with ESMTPSA id BEBFF6D6; Sun, 22 Jul 2018 13:49:27 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com>
Date: Sun, 22 Jul 2018 09:49:26 -0400
Cc: Bret Jordan <jordan.ietf@gmail.com>, saag@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com>
To: Dmitry Belyavsky <beldmit@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/DXz5Vm2jOk38uD6QQ7agZEHfHlA>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 13:49:31 -0000

On Jul 21, 2018, at 10:31 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
>
> Well, it seems possible to confirm that site A is the site A with high probability.

  What are the properties that make it continue to be "site A" ?

  So far as I can see, the only property that the user can trust is "it's the same site as I visited last time".  But what does that mean?

  Companies move.  Domains expire and get re-bought.  Certificates expire.  Systems change.

  That means the "same" site may have all public information about it change in between visits.  Not a good practice for continued identification.

> The main problem is detection that user has visited a site pretending to be site A and it is necessary to request a confirmation.

  There are an infinite number of "bad" sites, and only one "good" site.  That tells me you should ignore the problem of detecting "bad" sites.  Because to first order "It's bad" is correct for 99.999...% of the sites out there.

  A big cause of phishing is that each end point doesn't retain much information about the other.  So for *every* connection, each end point has to ask "is the other end real?"

  Perhaps making that decision fewer times would be a better solution.

  A better solution would be to check "is this the same site as last time?"  That seems to be a much simpler problem to solve.  i.e. presume that the initial connection can be done correctly (as is mostly done today).  Then, leverage that connection to have stronger identity checks for subsequent connections.

  Alan DeKok.
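
The "is this the same site as last time?" check from the message above, sketched as an added example; it is not code from the thread or from any participant. Host names and key bytes are constructed, and the successor-key announcement is a hypothetical mechanism assumed here so that the "certificates expire, systems change" case does not look like an attack.

```python
import hashlib
from dataclasses import dataclass, field

FIRST_SEEN = "first-seen"  # no history: only ordinary certificate validation applies
SAME = "same"              # key matches the one recorded on an earlier visit
ROTATED = "rotated"        # new key, announced earlier over a verified session
CHANGED = "changed"        # new key with no continuity: ask for confirmation


def key_id(public_key_bytes: bytes) -> str:
    """Identify a site by a hash of its public key, not of the certificate,
    so that re-issuing a certificate for the same key keeps continuity."""
    return hashlib.sha256(public_key_bytes).hexdigest()


def _norm(host: str) -> str:
    return host.lower().rstrip(".")


@dataclass
class SiteRecord:
    current: str                                   # key id seen last time
    successors: set = field(default_factory=set)   # key ids announced for rotation
    visits: int = 1


class ContinuityStore:
    """Client-side memory of what each host presented on earlier visits."""

    def __init__(self):
        self._sites = {}

    def visits(self, host: str) -> int:
        rec = self._sites.get(_norm(host))
        return rec.visits if rec else 0

    def check(self, host, public_key_bytes, announced_next=()):
        """Classify this connection and update the store.

        announced_next: keys the site says it will use in future (hypothetical
        mechanism). They are recorded only when the session itself was
        FIRST_SEEN, SAME or ROTATED, never from a CHANGED session.
        """
        host = _norm(host)
        kid = key_id(public_key_bytes)
        rec = self._sites.get(host)
        if rec is None:
            # The initial connection is presumed correct, as the message does.
            rec = self._sites[host] = SiteRecord(current=kid)
            verdict = FIRST_SEEN
        elif kid == rec.current:
            rec.visits += 1
            verdict = SAME
        elif kid in rec.successors:
            rec.current = kid
            rec.successors = set()
            rec.visits += 1
            verdict = ROTATED
        else:
            # Unknown key for a known host: record nothing it says.
            return CHANGED
        rec.successors.update(key_id(k) for k in announced_next)
        return verdict


def run_demo():
    """Replay a constructed visit history and return the verdicts in order."""
    k1, k2 = b"constructed-site-key-1", b"constructed-site-key-2"
    other = b"constructed-unrelated-key"
    store = ContinuityStore()
    return [
        store.check("bank.example", k1),                       # first visit
        store.check("Bank.Example.", k1, announced_next=[k2]), # same key, announces k2
        store.check("bank.example", k2),                       # planned rotation
        store.check("bank.example", other, announced_next=[other]),  # no continuity
        store.check("bank.example", k2),                       # history not overwritten
        store.check("bank-login.example", other),              # look-alike: no history
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The last verdict is the one that matters for phishing: a look-alike host can never be "same", so a client that surfaces "first-seen" on a page asking for existing credentials gives the user the signal the message asks for.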


From nobody Sun Jul 22 07:05:05 2018
Return-Path: <huitema@huitema.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEE7E130F29 for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:05:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H5qXRpx8bs0m for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:05:02 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A83FF130E1D for <saag@ietf.org>; Sun, 22 Jul 2018 07:05:01 -0700 (PDT)
Received: from xsmtp04.mail2web.com ([168.144.250.231]) by mx15.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1fhEyn-0004rJ-OI for saag@ietf.org; Sun, 22 Jul 2018 16:04:59 +0200
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp04.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1fhEyi-0000Su-9G for saag@ietf.org; Sun, 22 Jul 2018 10:04:56 -0400
Received: (qmail 17451 invoked from network); 22 Jul 2018 14:04:49 -0000
Received: from unknown (HELO [100.171.150.12]) (Authenticated-user:_huitema@huitema.net@[172.56.6.69]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <saag@ietf.org>; 22 Jul 2018 14:04:48 -0000
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (1.0)
From: Christian Huitema <huitema@huitema.net>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com>
Date: Sun, 22 Jul 2018 16:04:44 +0200
Cc: Dmitry Belyavsky <beldmit@gmail.com>, saag@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <D5527A82-4BFA-4AC9-A2CE-51D0195C51B6@huitema.net>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
X-Originating-IP: 168.144.250.231
X-AntiSpamCloud-Domain: xsmtpout.mail2web.com
X-AntiSpamCloud-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-AntiSpamCloud-Outgoing-Class: unsure
X-AntiSpamCloud-Outgoing-Evidence: Combined (0.16)
X-Recommended-Action: accept
X-Report-Abuse-To: spam@quarantine6.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/i5scjgSDlCfgdooClbbKQOUy6DA>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 14:05:04 -0000

> On Jul 22, 2018, at 3:49 PM, Alan DeKok <aland@deployingradius.com> wrote:
>
>> On Jul 21, 2018, at 10:31 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
>>
>> Well, it seems possible to confirm that site A is the site A with high probability.
>
>  What are the properties that make it continue to be "site A" ?
>
>  So far as I can see, the only property that the user can trust is "it's the same site as I visited last time".  But what does that mean?
>
>  Companies move.  Domains expire and get re-bought.  Certificates expire.  Systems change.
>
>  That means the "same" site may have all public information about it change in between visits.  Not a good practice for continued identification.
>
>> The main problem is detection that user has visited a site pretending to be site A and it is necessary to request a confirmation.
>
>  There are an infinite number of "bad" sites, and only one "good" site.  That tells me you should ignore the problem of detecting "bad" sites.  Because to first order "It's bad" is correct for 99.999...% of the sites out there.

The problem is the disconnect between the user intent and the hyperlink. Based on the context, the user believes that she is checking her account at "bank of example", but the hyperlink points to something different. If only the system could understand what the user is thinking. It might then throw a warning, or better still just connect to the actual "bankofexample.com".

But of course, understanding the context and guessing what the user thinks seems really hard...

-- Christian Huitema


From nobody Sun Jul 22 07:12:00 2018
Return-Path: <beldmit@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D608F130F2C for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:11:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mOOdPvxVjDXb for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:11:57 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D241B130E1D for <saag@ietf.org>; Sun, 22 Jul 2018 07:11:56 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id r4-v6so13574349edp.9 for <saag@ietf.org>; Sun, 22 Jul 2018 07:11:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iI+2Oki2kQEFHK6SeHRmY5UWouMVSYNcoRd4gRsZEO8=; b=Tfii6tGCNTZeWZxMHvnk7SBxFYP5twxZfT3qGr5krFlkbS2lcg92wNPiA8ZFSJ1wKO 6PPWold6TZWN6vwN/F2Yx5L0XNAtV4utZp/EfsEHn/+PeGicaxcCbXHXJVloU9j/DMgj 1HS+GRLaiNjCMfdl/pPeIVXm0TBQJ6SnBHqkIwo0URm2mKflEMhqvihDtWa6SO2kgno+ WHQkU7nvCpZk2E8vVQMxxKkmtIIcukquUga4A8ADB+hIagFjjAWVutqZKCtkhsuWSeGm eYADPjc2EHcczsOSjpwBTLbdsixWS1HFPHRfPQJyjfeMQ4zEeI3F5t8cLKpT+tpHEhcw 6f7w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iI+2Oki2kQEFHK6SeHRmY5UWouMVSYNcoRd4gRsZEO8=; b=YelZgop+C/CqR/xXDTG8wiUgkEhPfI0Au0rQGCoyQQGdszWa5/Z7ZbVXmNN9qv1cjx 7i/bfbtXKdWEr3NbuH1GveFHFFq/QI9NTtfhc2mknEdgbg2Ql5/ZwhYjP3xbxs3BxhLx oV8KXs5DphUxSLpCxnrwRoMZml7bSJeO/ZXDE3StNGBOluL5c1NFyKZtJU8In9TuN+rw Hi5q/ovz4EuAlZN0qtYdOWOWjoU+MdeDUneAZar2jgBge2oYKE1QpEPMsIhbGoAiFHsN 3NpL0Cv8mXiXyJIQR+suBwkzMGkxXXg7i9zBgi9KJuTXnqRBV2SxN34V3tm423E7EPr+ UOyw==
X-Gm-Message-State: AOUpUlGkpULhJifs7R7YVAYvXlTKBnipcwkN//IkUpV5bY3SY+QADauY JaxNm0yO+fysvgdHukKHIaVR3wdwCiyaOLbP2Ps=
X-Google-Smtp-Source: AAOMgpexas6n9gOh0hzzIMMAYgr83tAXz0XRVrE9QK+wat/DR9rcvzfs0hFRTwcn3LHsuMXCA09EF3qIRi1tO58a+yg=
X-Received: by 2002:a50:d689:: with SMTP id r9-v6mr10015245edi.259.1532268715394;  Sun, 22 Jul 2018 07:11:55 -0700 (PDT)
MIME-Version: 1.0
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com>
In-Reply-To: <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com>
From: Dmitry Belyavsky <beldmit@gmail.com>
Date: Sun, 22 Jul 2018 17:11:43 +0300
Message-ID: <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Bret Jordan <jordan.ietf@gmail.com>, saag@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007b4cb90571971c7c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/lYxkLevrUG6XvGpEKa7Ocg5sdts>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 14:11:59 -0000

--0000000000007b4cb90571971c7c
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sun, 22 Jul 2018 at 16:49, Alan DeKok <aland@deployingradius.com> wrote:

> On Jul 21, 2018, at 10:31 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
> >
> > Well, it seems possible to confirm that site A is the site A with high
> probability.
>
>   What are the properties that make it continue to be "site A" ?
>
>   So far as I can see, the only property that the user can trust is "it's
> the same site as I visited last time".  But what does that mean?
>

Yes, but this does not cover all the cases. I may want to visit, e.g., a new
online shop I have never seen before.



>   Companies move.  Domains expire and get re-bought.  Certificates
> expire.  Systems change.
>
>   That means the "same" site may have all public information about it
> change in between visits.  Not a good practice for continued identification.
>

Yes. So we come to the idea of long-term identity independent from all these
changes.


> > The main problem is detection that user has visited a site pretending to
> be site A and it is necessary to request a confirmation.
>
>   There are an infinite number of "bad" sites, and only one "good" site.
> That tells me you should ignore the problem of detecting "bad" sites.
> Because to first order "It's bad" is correct for 99.999...% of the sites
> out there.
>

Yes. But if I visit PayPal I need to know it's PayPal, not Facebook.


>   A big cause of phishing is that each end point doesn't retain much
> information about the other.  So for *every* connection, each end point has
> to ask "is the other end real?"
>
>   Perhaps making that decision fewer times would be a better solution.
>
>   A better solution would be to check "is this the same site as last
> time?"  That seems to be a much simpler problem to solve.  i.e. presume
> that the initial connection can be done correctly (as is mostly done
> today).  Then, leverage that connection to have stronger identity checks
> for subsequent connections.
>
>   Alan DeKok.
>
>

--0000000000007b4cb90571971c7c--


From nobody Sun Jul 22 07:13:30 2018
Return-Path: <jordan.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A75BA130F2C for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level: 
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z42b4CGNX8XE for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:13:26 -0700 (PDT)
Received: from mail-pl0-x233.google.com (mail-pl0-x233.google.com [IPv6:2607:f8b0:400e:c01::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D515A130E1D for <saag@ietf.org>; Sun, 22 Jul 2018 07:13:25 -0700 (PDT)
Received: by mail-pl0-x233.google.com with SMTP id e11-v6so7113250plb.3 for <saag@ietf.org>; Sun, 22 Jul 2018 07:13:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=VZV9X2LcDvCPjqze3H1PMAaVuzGfuic2F/Ca7xPkhHg=; b=kK10CJmbup/fBVPX5NbtCPQ9VSLgY3pIPvOMoKvGxSYUZWpF9+9/TwywfaGSmrNRK5 Vv7vOeEJ4G7xOg5Rb0+pvIuDQLl2DMnIPbKhHP3Y3Jtv5j6/JxEK3reopdJbloT7vtqn 4eAd+rNUGOO3lbUruMw2LJbwEVNtsJkmYlPtO4hGz//mdQKu7Gp10M2IgpNBAIY4Yr4Z sIr0H9rQulXWy6nEhscKh1q2SQGts2SVKulAl9FGstJfsvIhnM69eDSxLmtBmygBjWLK otxXgKqgpJ3vdIa3C2A3/J4CHw+YAZm0KhkHshiF2JgcgDoIKktngAH+N+yXpy7R7PyJ jyCg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=VZV9X2LcDvCPjqze3H1PMAaVuzGfuic2F/Ca7xPkhHg=; b=caoBoa+ONJNdfb2tS45uhACJA1J5nWOUYtiyQlcTK35FkbOD+dhPX2WatlmOJaOdbt b8XzqqcHntBsvl184dafQcTAbyP/ChuDIp/H8jVZn2k5JvcRrHl3dY6qkmO1pPKfbcO5 2XHx43T666HAini1ZozM6mq9+J53pmyg4Dm9vif7Mz9Hmmj7g7fOsGc7RdV9XVJhvjwb /iY28evNZ4owQe/40OeffyBTIlI/TVX+tajLRluf4XxZCuFVc9USpDlQ0rjXzuLt3JBw a0dnm0vPrhWSZt+srwZYWP7sF513AD9yobGcnOtr4IIlj3kr7rxC4dy9dSIJ3jDOwFlF zxwA==
X-Gm-Message-State: AOUpUlFqsgPWQBqtsRTgTKEYMU43hUPDFdUP3qnKxDtvZrNgVfZwRBwE uRgDkiuPcWhp+pkiMLbImwT6XOCw
X-Google-Smtp-Source: AAOMgpcpoa7IJJ647H92dKg9cgkEhsRMS74AqQq7AMZ7WR0tgsYBVvO/99zZjesg1ngzL7zLhVIihQ==
X-Received: by 2002:a17:902:345:: with SMTP id 63-v6mr9422784pld.328.1532268805516;  Sun, 22 Jul 2018 07:13:25 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:10fe:34e5:1009:a4a7? ([2605:a601:3260:266:10fe:34e5:1009:a4a7]) by smtp.gmail.com with ESMTPSA id v20-v6sm14775257pfk.12.2018.07.22.07.13.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 22 Jul 2018 07:13:24 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-EA96DC85-4E00-4940-B5E0-504643B4624A
Mime-Version: 1.0 (1.0)
From: Bret Jordan <jordan.ietf@gmail.com>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <alpine.OSX.2.21.1807212100220.11623@ary.qy>
Date: Sun, 22 Jul 2018 08:13:22 -0600
Cc: Henry Story <henry.story@bblfish.net>, saag@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <FF4FDC21-7DAE-46FC-B806-9CDC8CEDB741@gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com> <alpine.OSX.2.21.1807212100220.11623@ary.qy>
To: "John R. Levine" <johnl@iecc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/3xMEUiCLDnZK5oN0Rw17vhxKATA>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 14:13:29 -0000

--Apple-Mail-EA96DC85-4E00-4940-B5E0-504643B4624A
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Talking to the IRTF is an option. It just feels like once we allocate people and resources to this problem it is going to need a WG, then as we go along and discover the rest of the iceberg, it may need to even grow bigger than that.

Bret

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

On Jul 21, 2018, at 7:00 PM, John R. Levine <johnl@iecc.com> wrote:

>> I for one would really like to see the IETF set up a working group for this specific topic, it would be good to work through this and find a solution that works. I would be willing to help out here and will dedicate time to this effort.
>
> I don't think there is enough stuff here to merit WG.  Perhaps talk to the IRTF about an RG to explore ideas not ready to standardize.
>
>
>>
>> Bret
>>
>> Sent from my Commodore 128D
>>
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>
>>> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
>>>
>>> On Sat, 21 Jul 2018, Henry Story wrote:
>>>>> How would this IWoT differ from what CAs were supposed to do?
>>>>
>>>> That is easy. IWoT would be based on institutions that tie into nation or region based local
>>>> registries that tie into national anchors that may tie into federal ones (as in the USA, or Germany).
>>>
>>> This sounds a lot like the industry-specific CAs I proposed, only this depends on a great deal of software that does not exist and probably never will.
>>>
>>> R's,
>>> John
>>>
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>>
>
> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly

--Apple-Mail-EA96DC85-4E00-4940-B5E0-504643B4624A--


From nobody Sun Jul 22 07:31:17 2018
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00DEB130F5E for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:31:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxtMhjW93a16 for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:31:14 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 772B6130D7A for <saag@ietf.org>; Sun, 22 Jul 2018 07:31:14 -0700 (PDT)
Received: from [192.168.46.58] (198-84-237-221.cpe.teksavvy.com [198.84.237.221]) by mail.networkradius.com (Postfix) with ESMTPSA id 33E98608; Sun, 22 Jul 2018 14:31:13 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com>
Date: Sun, 22 Jul 2018 10:31:11 -0400
Cc: Bret Jordan <jordan.ietf@gmail.com>, saag@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <F5B7D1B7-FA2B-44FC-94D5-6F38DC73D55E@deployingradius.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com>
To: Dmitry Belyavsky <beldmit@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/C7ho9XPX-8S8-X3edn9eljinc-8>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 14:31:16 -0000

On Jul 22, 2018, at 10:11 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
>
> Yes, but this does not cover all the cases. I may want to visit, e.g., a new online shop I have never seen before.

  I am well aware of that.

  My point is that the current system works.  Not perfectly.  But it mostly works.

  Any solution which involves many parties (national registries, etc.) is bound to fail.  Changing their behaviour involves political and legal procedures.  Which makes the IETF look lightning fast.

> Yes. So we come to the idea of long-term identity independent from all these changes.

  My $0.02 is that the only two parties who care about their identities are the site, and the user.  A solution which involves just them is likely to work.  And, be deployed *much* more quickly than a system which involves national registries.

> Yes. But if I visit PayPal I need to know it's PayPal, not Facebook.

  You know today that it's Paypal.  Mostly.  Imperfectly.  But the billions of people who get online every day show that the system works reasonably well.

  My point (which I think was missed) is that you don't need to do in-depth validations for every connection.  You just need to do them on the initial connection.  Subsequent connections can leverage cached information to gain additional security.

  This is how the real world works.  When I meet someone new, I remember their physical attributes (face, voice, mannerisms).  I use that information in subsequent interactions.

  Re-introducing yourself for every interaction is inefficient, and is likely to have new failure modes.

  Alan DeKok.
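
Added example, not part of the message above or of any proposal made on this list: a minimal "is this the same site as last time?" cache in which in-depth validation happens once and later connections are compared against what was stored. What gets cached is an assumption of this sketch (a SHA-256 fingerprint of the site's public key, plus an optional successor key that the site announces in advance so that planned key changes do not look like a different site); the names ContinuityCache, Verdict, shop.example and sh0p.example are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Verdict(Enum):
    FIRST_CONTACT = "no history: do the in-depth validation now"
    SAME_SITE = "same key as last time"
    ROLLED_OVER = "new key that the old key announced in advance"
    CHANGED = "unannounced key change: treat as a new, unverified site"


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the site's public key bytes (assumed identity anchor)."""
    return hashlib.sha256(public_key).hexdigest()


def normalise(host: str) -> str:
    """Case-fold and drop a trailing dot so one site has one cache entry."""
    return host.strip().lower().rstrip(".")


@dataclass
class Entry:
    pin: str                        # key fingerprint accepted on an earlier visit
    next_pin: Optional[str] = None  # fingerprint the site said it will move to
    visits: int = 1


@dataclass
class ContinuityCache:
    entries: Dict[str, Entry] = field(default_factory=dict)

    def accept(self, host: str, public_key: bytes) -> None:
        """Record a key. Call only after in-depth validation has succeeded."""
        self.entries[normalise(host)] = Entry(pin=fingerprint(public_key))

    def check(self, host: str, public_key: bytes,
              announced_next: Optional[bytes] = None) -> Verdict:
        """Classify a connection; a failed check never changes stored trust."""
        entry = self.entries.get(normalise(host))
        if entry is None:
            return Verdict.FIRST_CONTACT
        seen = fingerprint(public_key)
        if seen == entry.pin:
            verdict = Verdict.SAME_SITE
        elif entry.next_pin is not None and seen == entry.next_pin:
            entry.pin, entry.next_pin = seen, None
            verdict = Verdict.ROLLED_OVER
        else:
            # The pin is left untouched, so the real site still matches later.
            return Verdict.CHANGED
        entry.visits += 1
        # Only a connection that already proved continuity may name a successor.
        if announced_next is not None:
            entry.next_pin = fingerprint(announced_next)
        return verdict


# Constructed stand-ins for public keys; a real client would hash the key
# presented in the TLS handshake instead.
KEY_A, KEY_B, KEY_C = b"constructed-key-A", b"constructed-key-B", b"constructed-key-C"


def demo() -> List[Verdict]:
    cache = ContinuityCache()
    out = [cache.check("shop.example", KEY_A)]       # never seen before
    cache.accept("shop.example", KEY_A)              # in-depth validation passed
    out.append(cache.check("Shop.Example.", KEY_A, announced_next=KEY_B))
    out.append(cache.check("shop.example", KEY_B))   # planned key change
    out.append(cache.check("shop.example", KEY_C))   # unannounced key
    out.append(cache.check("shop.example", KEY_B))   # real site still matches
    out.append(cache.check("sh0p.example", KEY_C))   # lookalike has no history
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.name, "-", verdict.value)
```

The last demo call shows the limit raised in the quoted reply: a site with no history, lookalike or genuinely new, can only ever be classified as first contact, so the cache helps with return visits and nothing else.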


From nobody Sun Jul 22 07:34:20 2018
Return-Path: <jordan.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A02D1130F5F for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:34:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level: 
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 48f_9oLm7CDb for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:34:15 -0700 (PDT)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0232130F58 for <saag@ietf.org>; Sun, 22 Jul 2018 07:34:15 -0700 (PDT)
Received: by mail-pg1-x534.google.com with SMTP id g2-v6so10385809pgs.6 for <saag@ietf.org>; Sun, 22 Jul 2018 07:34:15 -0700 (PDT)
X-Received: by 2002:a65:608b:: with SMTP id t11-v6mr8846185pgu.259.1532270054854;  Sun, 22 Jul 2018 07:34:14 -0700 (PDT)
Received: from ?IPv6:2600:100e:b13b:3e87:f44a:49af:c6b0:bc29? ([2600:100e:b13b:3e87:f44a:49af:c6b0:bc29]) by smtp.gmail.com with ESMTPSA id h24-v6sm16316177pfk.113.2018.07.22.07.33.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 22 Jul 2018 07:34:13 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-BB9E80F1-F309-4D35-8B71-6E4D8A5B369C
Mime-Version: 1.0 (1.0)
From: Bret Jordan <jordan.ietf@gmail.com>
X-Mailer: iPhone Mail (15F79)
In-Reply-To: <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com>
Date: Sun, 22 Jul 2018 08:33:50 -0600
Cc: Alan DeKok <aland@deployingradius.com>, saag@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <1F12697F-E54B-4FB3-BC50-55ABFD1FDEB1@gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com>
To: Dmitry Belyavsky <beldmit@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/stnjLDrr97S9t1seiVGbLHjFMbo>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
X-List-Received-Date: Sun, 22 Jul 2018 14:34:19 -0000

--Apple-Mail-BB9E80F1-F309-4D35-8B71-6E4D8A5B369C
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

This is all great discussion and I believe it indicated that we should do more work here. Getting a WG going that is focused on this sort of problem can really help drive things forward.  Initially there might just be a lot of informational drafts, but longer term I could see us publishing a whole series of standards.

Bret

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

> On Jul 22, 2018, at 8:11 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
>
> Sun, 22 Jul 2018, 16:49 Alan DeKok <aland@deployingradius.com>:
>> On Jul 21, 2018, at 10:31 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
>> >
>> > Well, it seems possible to confirm that site A is the site A with high probability.
>>
>>   What are the properties that make it continue to be "site A" ?
>>
>>   So far as I can see, the only property that the user can trust is "it's the same site as I visited last time".  But what does that mean?
>
> Yes, but this does not cover all the cases. I may want to visit, e.g., a new online shop I have never seen before.
>
>>
>>   Companies move.  Domains expire and get re-bought.  Certificates expire.  Systems change.
>>
>>   That means the "same" site may have all public information about it change in between visits.  Not a good practice for continued identification.
>
> Yes. So we come to the idea of long-term identity independent from all these changes.
>
>>
>> > The main problem is detection that user has visited a site pretending to be site A and it is necessary to request a confirmation.
>>
>>   There are an infinite number of "bad" sites, and only one "good" site.  That tells me you should ignore the problem of detecting "bad" sites.  Because to first order "It's bad" is correct for 99.999...% of the sites out there.
>
> Yes. But if I visit PayPal I need to know it's PayPal, not Facebook.
>
>>
>>   A big cause of phishing is that each end point doesn't retain much information about the other.  So for *every* connection, each end point has to ask "is the other end real?"
>>
>>   Perhaps making that decision fewer times would be a better solution.
>>
>>   A better solution would be to check "is this the same site as last time?"  That seems to be a much simpler problem to solve.  i.e. presume that the initial connection can be done correctly (as is mostly done today).  Then, leverage that connection to have stronger identity checks for subsequent connections.
>>
>>   Alan DeKok.
>>


--Apple-Mail-BB9E80F1-F309-4D35-8B71-6E4D8A5B369C--


From nobody Sun Jul 22 07:47:04 2018
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C053130E42 for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:47:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rOse-MXAb8-I for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 07:47:00 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id 3E409129C6B for <saag@ietf.org>; Sun, 22 Jul 2018 07:47:00 -0700 (PDT)
Received: from [192.168.46.58] (198-84-237-221.cpe.teksavvy.com [198.84.237.221]) by mail.networkradius.com (Postfix) with ESMTPSA id 062E56D6; Sun, 22 Jul 2018 14:46:58 +0000 (UTC)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <D5527A82-4BFA-4AC9-A2CE-51D0195C51B6@huitema.net>
Date: Sun, 22 Jul 2018 10:46:57 -0400
Cc: Dmitry Belyavsky <beldmit@gmail.com>, saag@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <56EEE551-0BBF-4981-A049-15154FEA69CA@deployingradius.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <D5527A82-4BFA-4AC9-A2CE-51D0195C51B6@huitema.net>
To: Christian Huitema <huitema@huitema.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/g1h8Vx9iUFsLMCtLxfyDzL7iCE0>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
X-List-Received-Date: Sun, 22 Jul 2018 14:47:02 -0000

On Jul 22, 2018, at 10:04 AM, Christian Huitema <huitema@huitema.net> wrote:
>
> The problem is the disconnect between the user intent and the hyperlink. Based on the context, the user believes that she is checking her account at "bank of example", but the hyperlink points to something different.

  Such as when the bank changes the domain name it uses?

  And why are you relying on hyperlinks for the second to N connections to the bank?

  e.g. some systems use downloadable apps.  The user doesn't trust hyperlinks.  The user trusts the app residing on his desktop.  Which he controls.

  When the user clicks on a hyperlink, the site could cause the downloaded app to open.  Which (again) is done today in many situations.

  The user then knows "no app == not the real bank".

  I'm not proposing this as a solution.  But you could see how it would solve a large part of the problem space.

> If only the system could understand what the user is thinking. It might then throw a warning, or better still just connect to the actual "bankofexample.com".
>
> But of course, understanding the context and guessing what the user thinks seems really hard...

  Which is why I wasn't suggesting that.

  I think there are solutions.  But those solutions likely involve changing the way we think about the problem.

  i.e. "detecting bad sites" is hard.  Knowing it's the "same site" is easy.

  Why not solve the easy problem?

  Alan DeKok.


From nobody Sun Jul 22 08:47:17 2018
Return-Path: <henry.story@bblfish.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 886CF12F1AB for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 08:47:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level: 
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bblfish-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 85-2QQ20g8NG for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 08:47:11 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26E8E126F72 for <saag@ietf.org>; Sun, 22 Jul 2018 08:47:11 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id g6-v6so15529160wrp.0 for <saag@ietf.org>; Sun, 22 Jul 2018 08:47:11 -0700 (PDT)
X-Received: by 2002:adf:81a3:: with SMTP id 32-v6mr6728932wra.9.1532274429667;  Sun, 22 Jul 2018 08:47:09 -0700 (PDT)
Received: from [192.168.43.209] ([92.184.100.185]) by smtp.gmail.com with ESMTPSA id t70-v6sm4268509wmt.30.2018.07.22.08.47.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 22 Jul 2018 08:47:08 -0700 (PDT)
From: Henry Story <henry.story@bblfish.net>
Message-Id: <3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_294727B4-57C7-4AC8-B682-64F53C3C6A91"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Sun, 22 Jul 2018 17:47:05 +0200
In-Reply-To: <F5B7D1B7-FA2B-44FC-94D5-6F38DC73D55E@deployingradius.com>
Cc: Dmitry Belyavsky <beldmit@gmail.com>, saag@ietf.org
To: Alan DeKok <aland@deployingradius.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com> <F5B7D1B7-FA2B-44FC-94D5-6F38DC73D55E@deployingradius.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/xBswW0dEUIO2DLrSI5tm0xvrytM>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
X-List-Received-Date: Sun, 22 Jul 2018 15:47:16 -0000

--Apple-Mail=_294727B4-57C7-4AC8-B682-64F53C3C6A91
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii



> On 22 Jul 2018, at 16:31, Alan DeKok <aland@deployingradius.com> wrote:
>
> On Jul 22, 2018, at 10:11 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
>>
>> Yes, but this does not cover all the cases. I may want to visit, e.g., a new online shop I have never seen before.
>
> I am well aware of that.
>
> My point is that the current system works.  Not perfectly.  But it mostly works.
>
> Any solution which involves many parties (national registries, etc.) is bound to fail.  Changing their behaviour involves political and legal procedures.  Which makes the IETF look lightning fast.

Yes, the current system was designed to give the web and the internet time to grow to the point where it would start becoming evident to the political systems that it is an essential piece of infrastructure that cannot be ignored. The recent elections in the UK, the USA and other places have made that point. Not a day goes by without these issues being discussed on the news, on television, by the President of the USA himself under the theme of "fake news".

So now we had better build the right system before the politicians make laws that make the situation worse rather than better. Having a clean plan that respects national sovereignties would at least allow one to redirect political energies towards something constructive in which the nations can feel they have their place.

While this work goes on the current system will continue functioning with various improvements that people are already working on. Complete deployment of DANE and DNSSEC, for example, IPv6, and other projects that I don't know about....

>
>> Yes. So we come to the idea of long-term identity independent from all these changes.
>
> My $0.02 is that the only two parties who care about their identities are the site, and the user.  A solution which involves just them is likely to work.  And, be deployed *much* more quickly than a system which involves national registries.

Perhaps solving both problems is not incompatible and can work together. Always something to consider.

>
>> Yes. But if I visit PayPal I need to know it's PayPal, not Facebook.
>
> You know today that it's Paypal.  Mostly.  Imperfectly.  But the billions of people who get online every day show that the system works reasonably well.
>
> My point (which I think was missed) is that you don't need to do in-depth validations for every connection. You just need to do them on the initial connection.  Subsequent connections can leverage cached information to gain additional security.
>
> This is how the real world works.  When I meet someone new, I remember their physical attributes (face, voice, mannerisms).  I use that information in subsequent interactions.
>
> Re-introducing yourself for every interaction is inefficient, and is likely to have new failure modes.

Actually there is something to that in the IWoT proposal I put forward on the UI side. The full information UI would only be shown on first visit, or if there was an important company change, or warning information from the government with respect to that site.

Henry Story

>
> Alan DeKok.
>

--Apple-Mail=_294727B4-57C7-4AC8-B682-64F53C3C6A91
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Monaco; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D"">On 22 =
Jul 2018, at 16:31, Alan DeKok &lt;<a =
href=3D"mailto:aland@deployingradius.com" =
class=3D"">aland@deployingradius.com</a>&gt; wrote:<br class=3D""><br =
class=3D"">On Jul 22, 2018, at 10:11 AM, Dmitry Belyavsky &lt;<a =
href=3D"mailto:beldmit@gmail.com" class=3D"">beldmit@gmail.com</a>&gt; =
wrote:<br class=3D""><blockquote type=3D"cite" class=3D""><br =
class=3D"">Yes, but this does not cover all the cases. I may want to =
visit a e.g. new online shop I have never seen before.<span =
class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""></blockquote><br class=3D"">I am well aware of that.<br =
class=3D""><br class=3D"">My point is that the current system works. =
&nbsp;Not perfectly. &nbsp;But it mostly works.<br class=3D""><br =
class=3D"">Any solution which involves many parties (national =
registries, etc.) is bound to fail. &nbsp;Changing their behaviour =
involves political and legal procedures. &nbsp;Which makes the IETF look =
lightning fast.<br class=3D""></blockquote><br style=3D"caret-color: =
rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">yes, the current system was =
designed to give the web and the internet time to grow to the point =
where it</span><br style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">would start becoming evident to the =
political systems that it is an essential piece of =
infrastracture</span><br style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">that cannot be ignored. The recent =
elections in the UK, the USA and other places have made</span><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">that point. Not a day goes by =
without these issues being discussed on the news, in =
television,</span><br style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, =
0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">by the President of the USA himself =
under the theme of "fake news".<span =
class=3D"Apple-converted-space">&nbsp;</span></span><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">So now we had better build the =
right system before the politicians make laws that make the =
situation</span><br style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">worse than better. Having a clean =
plan that respects national sovereignties would at least allow</span><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">one to redirect political energies =
towards something constructive in which the nations can</span><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">feel they have their =
place.</span><br style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">While this work goes on the current =
system will continue functioning with various improvements</span><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">that people are already working on. =
Complete deployment of DANE and DNS-Sec for</span><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">example, IPV-6, and other projects =
that I don't know about....</span><br style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Monaco; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
class=3D""><blockquote type=3D"cite" class=3D"">Yes. So we come to idea =
of long-term identity independent from all these changes.<span =
class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""></blockquote><br class=3D"">My $0.02 is that the only two =
parties who care about their identities are the site, and the user. =
&nbsp;A solution which involves just them is likely to work. &nbsp;And, =
be deployed *much* more quickly than a system which involves national =
registries.<br class=3D""></blockquote><br style=3D"caret-color: rgb(0, =
0, 0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">Perhaps solving both problems is =
not incompatible and can work together. Always something to =
consider.</span><br style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Monaco; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
class=3D""><blockquote type=3D"cite" class=3D"">Yes. But if I visit =
PayPal I need to know it's PayPal, not Facebook.<span =
class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""></blockquote><br class=3D"">You know today that it's Paypal. =
&nbsp;Mostly. &nbsp;Imperfectly. &nbsp;But the billions of people who =
get online every day show that the system works reasonably well<br =
class=3D""><br class=3D"">My point (which I think was missed) is that =
you don't need to do in-depth validations for every connection. You just =
need to do them on the initial connection. &nbsp;Subsequent connections =
can &nbsp;leverage cached information to gain additional security.<br =
class=3D""><br class=3D"">This is how the real world works. &nbsp;When I =
meet someone new, I remember their physical attributes (face, voice, =
mannerisms). &nbsp;I use that information in subsequent interactions.<br =
class=3D""><br class=3D"">Re-introducing yourself for every interaction =
is inefficient, and is likely to have new failure modes.<br =
class=3D""></blockquote><br style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">Actually there is something to that =
in the IWoT proposal I put forward in the UI side. The full =
information</span><br style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, =
0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">UI would only be shown on first =
visit, or if there was an important company change, or warning =
information</span><br style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, =
0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><span style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">from the government with respect to =
that site.</span><br style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, =
0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br style=3D"caret-color: rgb(0, 0, =
0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><span =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none; display: inline =
!important; float: none;" class=3D"">Henry Story</span><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D""><blockquote type=3D"cite" style=3D"font-family: Monaco; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; orphans: auto; text-align: =
start; text-indent: 0px; text-transform: none; white-space: normal; =
widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
class=3D"">Alan DeKok.<br class=3D""><br =
class=3D"">_______________________________________________<br =
class=3D"">saag mailing list<br class=3D""><a =
href=3D"mailto:saag@ietf.org" class=3D"">saag@ietf.org</a><br =
class=3D""><a href=3D"https://www.ietf.org/mailman/listinfo/saag" =
class=3D"">https://www.ietf.org/mailman/listinfo/saag</a></blockquote></bo=
dy></html>=

--Apple-Mail=_294727B4-57C7-4AC8-B682-64F53C3C6A91--
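
The first-contact caching Alan DeKok describes and the UI triggers Henry Story lists (first visit, company change, warning), sketched as an added example that is not part of either message or of the IWoT proposal. The class, field names and sample sites are hypothetical, and prompting on a changed key as well as a changed company is an assumption of this sketch.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Prompt(Enum):
    FULL_UI = "first visit: show full identity information"
    SILENT = "known site, nothing changed: no prompt"
    CHANGE_UI = "cached identity no longer matches: show what changed"
    WARNING_UI = "warning attached to this site: show it"


@dataclass(frozen=True)
class Observation:
    """What in-depth validation produced for one connection (hypothetical fields)."""
    host: str
    public_key: bytes        # server public key bytes; constructed samples below
    legal_entity: str        # organisation the validation attributes the site to
    warning: bool = False    # e.g. a registry or government warning about the site


@dataclass(frozen=True)
class Remembered:
    key_sha256: str
    legal_entity: str


def remember(obs: Observation) -> Remembered:
    """Reduce an observation to the facts worth caching for later visits."""
    return Remembered(hashlib.sha256(obs.public_key).hexdigest(), obs.legal_entity)


class IdentityCache:
    """Per-host memory of what was seen on first contact."""

    def __init__(self) -> None:
        self._sites: Dict[str, Remembered] = {}

    def decide(self, obs: Observation) -> Prompt:
        if obs.warning:
            return Prompt.WARNING_UI          # always surfaced, never cached
        known = self._sites.get(obs.host)
        if known is None:
            # First contact: the cache cannot help, so the full UI is shown
            # and the validated facts are stored for next time.
            self._sites[obs.host] = remember(obs)
            return Prompt.FULL_UI
        if known != remember(obs):
            return Prompt.CHANGE_UI           # cache is kept until the user accepts
        return Prompt.SILENT

    def changed_fields(self, obs: Observation) -> List[str]:
        """Name which cached facts differ, for display in the change prompt."""
        known, now = self._sites.get(obs.host), remember(obs)
        if known is None:
            return []
        return [name for name in ("key_sha256", "legal_entity")
                if getattr(known, name) != getattr(now, name)]

    def accept_change(self, obs: Observation) -> None:
        """Called only after the user has reviewed and accepted the change."""
        self._sites[obs.host] = remember(obs)


def run_demo() -> List[Prompt]:
    # Constructed sample visits; hosts, keys and company names are made up.
    cache = IdentityCache()
    key_a, key_b = b"constructed-key-A", b"constructed-key-B"
    first = Observation("pay.example", key_a, "Example Payments Ltd")
    rotated = Observation("pay.example", key_b, "Example Payments Ltd")
    sold = Observation("pay.example", key_b, "Other Corp")
    flagged = Observation("pay.example", key_b, "Example Payments Ltd", warning=True)
    lookalike = Observation("pay-login.example", b"constructed-key-C", "Unrelated Holdings")

    out = [cache.decide(first), cache.decide(first), cache.decide(rotated)]
    cache.accept_change(rotated)
    out += [cache.decide(rotated), cache.decide(sold), cache.decide(flagged)]
    # A lookalike host has no cache entry, so it is just another first contact.
    out.append(cache.decide(lookalike))
    return out


if __name__ == "__main__":
    for prompt in run_demo():
        print(prompt.value)
```

The last visit shows the limit both messages touch on: a host never seen before gets no benefit from the cache, so everything rests on the first-contact validation.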


From nobody Sun Jul 22 13:18:52 2018
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B1B6130E73 for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 13:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id imBcMATxY4VS for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 13:18:49 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43EFA124C04 for <saag@ietf.org>; Sun, 22 Jul 2018 13:18:48 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 7598B20008; Sun, 22 Jul 2018 16:34:51 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id DCB0F2E0A; Sun, 22 Jul 2018 16:18:47 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id D86B5335; Sun, 22 Jul 2018 16:18:47 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Henry Story <henry.story@bblfish.net>
cc: saag@ietf.org
In-Reply-To: <3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com> <F5B7D1B7-FA2B-44FC-94D5-6F38DC73D55E@deployingradius.com> <3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Sun, 22 Jul 2018 16:18:47 -0400
Message-ID: <27322.1532290727@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/jvn3PrRfrPqsii0F7EOAlqOU_Dg>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 20:18:52 -0000

--=-=-=
Content-Type: text/plain


Henry Story <henry.story@bblfish.net> wrote:
    > So now we had better build the right system before the politicians
    > make laws that make the situation
    > worse than better. Having a clean plan that respects national
    > sovereignties would at least allow
    > one to redirect political energies towards something constructive in
    > which the nations can
    > feel they have their place.

I think that you make a very good point.
I agree strongly: that the national entities need to have somewhere
to put their energies.

But, in particular that point makes it out probably not IETF's job.
Rather, it's for W3C, browser makers and specifically, I think it's called
WebPKI, but Google isn't finding the entity I think that I want.

Having said that, there is value for what Alan suggested: familiarity should
be reinforced.... but initial contact continues to be a problem.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--


From nobody Sun Jul 22 16:18:09 2018
Return-Path: <roland@zinks.de>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 996DE131059 for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 16:18:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zinks.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z_pMbO10jYnA for <saag@ietfa.amsl.com>; Sun, 22 Jul 2018 16:18:02 -0700 (PDT)
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EF09131058 for <saag@ietf.org>; Sun, 22 Jul 2018 16:18:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1532301478; s=strato-dkim-0002; d=zinks.de; h=In-Reply-To:Date:Message-ID:From:References:To:Subject: X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender; bh=KDLmYd2/0TGuLJ+HmWfDpBmHvbyhk71ymPaDxJo949w=; b=m0tjYprt7c7yPe0I1bySRchUXEUJhfl7IlGbFyt8FFCXlTlzCIpBBBAVzosVbXAuRX SnwKSg+gJKXxfF5evLNR9SOnELUWHyOSJkszTROFgik9F1OISnM3pPkVir+2E7LzhwPa E+w/eckLRXPpVAaAMkfA1m3peYXs7spWHX89TbJhP4RUWaZcd1ivvtiaRwkqR5YQE85G O9Y563+20rKCg6u4whoPOrr+GZqwqFv6uKMDJhmkfS8FZC1yxfGpx0b1RzpNDl+xA6lo 0j4vq4HtzNCNkbtzLZNmfPpnl3TIG118k/6/Dbxq3ivRVTVC7ykhCvr8mhJCzpPpIOJC khrg==
X-RZG-AUTH: ":PmMIdE6sW+WWP9q/oR3Lt+I+9LAZzXrcq8knhvfmBiJzkmKt0Zib1EwEOzr8+EFktTh1c4x7V/hBwYJvBWMKy9BCyXS4NuA="
X-RZG-CLASS-ID: mo00
Received: from [IPv6:2003:f4:73cc:300:473:7100:656f:efc8] by smtp.strato.de (RZmta 43.13 AUTH) with ESMTPSA id c0bc5bu6MNHvRnn (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp521r1 with 521 ECDH bits, eq. 15360 bits RSA)) (Client did not present a certificate) for <saag@ietf.org>; Mon, 23 Jul 2018 01:17:57 +0200 (CEST)
To: saag@ietf.org
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com> <F5B7D1B7-FA2B-44FC-94D5-6F38DC73D55E@deployingradius.com> <3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net>
From: Roland Zink <roland@zinks.de>
Message-ID: <5868dbe3-0fe5-5b84-25dd-a184b46d883b@zinks.de>
Date: Mon, 23 Jul 2018 01:17:57 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net>
Content-Type: multipart/alternative; boundary="------------1579690B33526B5FCADC127A"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/lJ1l51yj5dPPMOlZZQom3KIGWRw>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Jul 2018 23:18:07 -0000

This is a multi-part message in MIME format.
--------------1579690B33526B5FCADC127A
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

On 22.07.2018 at 17:47, Henry Story wrote:
>
>
>> On 22 Jul 2018, at 16:31, Alan DeKok <aland@deployingradius.com 
>> <mailto:aland@deployingradius.com>> wrote:
>>
>> On Jul 22, 2018, at 10:11 AM, Dmitry Belyavsky <beldmit@gmail.com 
>> <mailto:beldmit@gmail.com>> wrote:
>>>
>>> Yes, but this does not cover all the cases. I may want to visit a 
>>> e.g. new online shop I have never seen before.
>>
>> I am well aware of that.
>>
>> My point is that the current system works.  Not perfectly.  But it 
>> mostly works.
>>
>> Any solution which involves many parties (national registries, etc.) 
>> is bound to fail.  Changing their behaviour involves political and 
>> legal procedures.  Which makes the IETF look lightning fast.
>
> yes, the current system was designed to give the web and the internet 
> time to grow to the point where it
> would start becoming evident to the political systems that it is an 
> essential piece of infrastructure
> that cannot be ignored. The recent elections in the UK, the USA and 
> other places have made
> that point. Not a day goes by without these issues being discussed on 
> the news, in television,
> by the President of the USA himself under the theme of "fake news".
>
> So now we had better build the right system before the politicians 
> make laws that make the situation
> worse than better. Having a clean plan that respects national 
> sovereignties would at least allow
> one to redirect political energies towards something constructive in 
> which the nations can
> feel they have their place.
>
> While this work goes on the current system will continue functioning 
> with various improvements
> that people are already working on. Complete deployment of DANE and 
> DNS-Sec for
> example, IPV-6, and other projects that I don't know about....
>
>>
>>> Yes. So we come to idea of long-term identity independent from all 
>>> these changes.
>>
>> My $0.02 is that the only two parties who care about their identities 
>> are the site, and the user.  A solution which involves just them is 
>> likely to work.  And, be deployed *much* more quickly than a system 
>> which involves national registries.
>
> Perhaps solving both problems is not incompatible and can work 
> together. Always something to consider.

My $0.02 is that the user probably cares about a site identity but
doesn't get information about all involved parties. Although in the web
browser one party is displayed, in reality the page is composed and
hosted on potentially many sites. Especially the site hosting may be
delegated to a third party and the access information sold, for example,
into the adverts industry. What is missing is that the user is able to
delegate some of his security concerns to a third party acting on his
behalf. I don't see why this needs to be in the browser or
institutional. Currently the virus scanning industry has such a business
model.

>
>>
>>> Yes. But if I visit PayPal I need to know it's PayPal, not Facebook.
>>
>> You know today that it's Paypal.  Mostly.  Imperfectly.  But the 
>> billions of people who get online every day show that the system 
>> works reasonably well
>>
>> My point (which I think was missed) is that you don't need to do 
>> in-depth validations for every connection. You just need to do them 
>> on the initial connection.  Subsequent connections can  leverage 
>> cached information to gain additional security.
>>
>> This is how the real world works.  When I meet someone new, I 
>> remember their physical attributes (face, voice, mannerisms).  I use 
>> that information in subsequent interactions.
>>
>> Re-introducing yourself for every interaction is inefficient, and is 
>> likely to have new failure modes.
>
> Actually there is something to that in the IWoT proposal I put forward 
> in the UI side. The full information
> UI would only be shown on first visit, or if there was an important 
> company change, or warning information
> from the government with respect to that site.
>
There are many aspects of the many servers involved in handling the 
requests for a page or application. In many cases users will not be 
interested in the full information and when you don't know which ones 
are the interesting ones, for example into which countries the requests 
are logged.

> Henry Story
>
>>
>> Alan DeKok.
>>


--------------1579690B33526B5FCADC127A
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=windows-1252">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    On 22.07.2018 at 17:47, Henry Story wrote:<br>
    <blockquote type="cite"
      cite="mid:3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <blockquote type="cite" style="font-family: Monaco; font-size:
        12px; font-style: normal; font-variant-caps: normal;
        font-weight: normal; letter-spacing: normal; orphans: auto;
        text-align: start; text-indent: 0px; text-transform: none;
        white-space: normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">On 22 Jul 2018, at 16:31, Alan
        DeKok &lt;<a href="mailto:aland@deployingradius.com" class=""
          moz-do-not-send="true">aland@deployingradius.com</a>&gt;
        wrote:<br class="">
        <br class="">
        On Jul 22, 2018, at 10:11 AM, Dmitry Belyavsky &lt;<a
          href="mailto:beldmit@gmail.com" class=""
          moz-do-not-send="true">beldmit@gmail.com</a>&gt; wrote:<br
          class="">
        <blockquote type="cite" class=""><br class="">
          Yes, but this does not cover all the cases. I may want to
          visit a e.g. new online shop I have never seen before.<span
            class="Apple-converted-space"> </span><br class="">
        </blockquote>
        <br class="">
        I am well aware of that.<br class="">
        <br class="">
        My point is that the current system works.  Not perfectly.  But
        it mostly works.<br class="">
        <br class="">
        Any solution which involves many parties (national registries,
        etc.) is bound to fail.  Changing their behaviour involves
        political and legal procedures.  Which makes the IETF look
        lightning fast.<br class="">
      </blockquote>
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">yes, the current
        system was designed to give the web and the internet time to
        grow to the point where it</span><br style="caret-color: rgb(0,
        0, 0); color: rgb(0, 0, 0); font-family: Monaco; font-size:
        12px; font-style: normal; font-variant-caps: normal;
        font-weight: normal; letter-spacing: normal; orphans: auto;
        text-align: start; text-indent: 0px; text-transform: none;
        white-space: normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">would start becoming
        evident to the political systems that it is an essential piece
        of infrastructure</span><br style="caret-color: rgb(0, 0, 0);
        color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px;
        font-style: normal; font-variant-caps: normal; font-weight:
        normal; letter-spacing: normal; orphans: auto; text-align:
        start; text-indent: 0px; text-transform: none; white-space:
        normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">that cannot be
        ignored. The recent elections in the UK, the USA and other
        places have made</span><br style="caret-color: rgb(0, 0, 0);
        color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px;
        font-style: normal; font-variant-caps: normal; font-weight:
        normal; letter-spacing: normal; orphans: auto; text-align:
        start; text-indent: 0px; text-transform: none; white-space:
        normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">that point. Not a day
        goes by without these issues being discussed on the news, in
        television,</span><br style="caret-color: rgb(0, 0, 0); color:
        rgb(0, 0, 0); font-family: Monaco; font-size: 12px; font-style:
        normal; font-variant-caps: normal; font-weight: normal;
        letter-spacing: normal; orphans: auto; text-align: start;
        text-indent: 0px; text-transform: none; white-space: normal;
        widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">by the President of
        the USA himself under the theme of "fake news".<span
          class="Apple-converted-space"> </span></span><br
        style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">So now we had better
        build the right system before the politicians make laws that
        make the situation</span><br style="caret-color: rgb(0, 0, 0);
        color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px;
        font-style: normal; font-variant-caps: normal; font-weight:
        normal; letter-spacing: normal; orphans: auto; text-align:
        start; text-indent: 0px; text-transform: none; white-space:
        normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">worse than better.
        Having a clean plan that respects national sovereignties would
        at least allow</span><br style="caret-color: rgb(0, 0, 0);
        color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px;
        font-style: normal; font-variant-caps: normal; font-weight:
        normal; letter-spacing: normal; orphans: auto; text-align:
        start; text-indent: 0px; text-transform: none; white-space:
        normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">one to redirect
        political energies towards something constructive in which the
        nations can</span><br style="caret-color: rgb(0, 0, 0); color:
        rgb(0, 0, 0); font-family: Monaco; font-size: 12px; font-style:
        normal; font-variant-caps: normal; font-weight: normal;
        letter-spacing: normal; orphans: auto; text-align: start;
        text-indent: 0px; text-transform: none; white-space: normal;
        widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">feel they have their
        place.</span><br style="caret-color: rgb(0, 0, 0); color: rgb(0,
        0, 0); font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">While this work goes
        on the current system will continue functioning with various
        improvements</span><br style="caret-color: rgb(0, 0, 0); color:
        rgb(0, 0, 0); font-family: Monaco; font-size: 12px; font-style:
        normal; font-variant-caps: normal; font-weight: normal;
        letter-spacing: normal; orphans: auto; text-align: start;
        text-indent: 0px; text-transform: none; white-space: normal;
        widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">that people are
        already working on. Complete deployment of DANE and DNS-Sec for</span><br
        style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">example, IPV-6, and
        other projects that I don't know about....</span><br
        style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <blockquote type="cite" style="font-family: Monaco; font-size:
        12px; font-style: normal; font-variant-caps: normal;
        font-weight: normal; letter-spacing: normal; orphans: auto;
        text-align: start; text-indent: 0px; text-transform: none;
        white-space: normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class=""><br class="">
        <blockquote type="cite" class="">Yes. So we come to idea of
          long-term identity independent from all these changes.<span
            class="Apple-converted-space"> </span><br class="">
        </blockquote>
        <br class="">
        My $0.02 is that the only two parties who care about their
        identities are the site, and the user.  A solution which
        involves just them is likely to work.  And, be deployed *much*
        more quickly than a system which involves national registries.<br
          class="">
      </blockquote>
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">Perhaps solving both
        problems is not incompatible and can work together. Always
        something to consider.</span><br style="caret-color: rgb(0, 0,
        0); color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px;
        font-style: normal; font-variant-caps: normal; font-weight:
        normal; letter-spacing: normal; orphans: auto; text-align:
        start; text-indent: 0px; text-transform: none; white-space:
        normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
    </blockquote>
    <br>
    My $0.02 is that the user probably cares about a site identity but
    doesn't get information about all involved parties. Although in the
    web browser one party is displayed, in reality the page is composed
    and hosted on potentially many sites. Especially the site hosting may
    be delegated to a third party and the access information sold, for
    example, into the adverts industry. What is missing is that the user
    is able to delegate some of his security concerns to a third party
    acting on his behalf. I don't see why this needs to be in the
    browser or institutional. Currently the virus scanning industry has
    such a business model.<br>
    <br>
    <blockquote type="cite"
      cite="mid:3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net"><br
        style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <blockquote type="cite" style="font-family: Monaco; font-size:
        12px; font-style: normal; font-variant-caps: normal;
        font-weight: normal; letter-spacing: normal; orphans: auto;
        text-align: start; text-indent: 0px; text-transform: none;
        white-space: normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class=""><br class="">
        <blockquote type="cite" class="">Yes. But if I visit PayPal I
          need to know it's PayPal, not Facebook.<span
            class="Apple-converted-space"> </span><br class="">
        </blockquote>
        <br class="">
        You know today that it's Paypal.  Mostly.  Imperfectly.  But the
        billions of people who get online every day show that the system
        works reasonably well<br class="">
        <br class="">
        My point (which I think was missed) is that you don't need to do
        in-depth validations for every connection. You just need to do
        them on the initial connection.  Subsequent connections can
         leverage cached information to gain additional security.<br
          class="">
        <br class="">
        This is how the real world works.  When I meet someone new, I
        remember their physical attributes (face, voice, mannerisms).  I
        use that information in subsequent interactions.<br class="">
        <br class="">
        Re-introducing yourself for every interaction is inefficient,
        and is likely to have new failure modes.<br class="">
      </blockquote>
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">Actually there is
        something to that in the IWoT proposal I put forward in the UI
        side. The full information</span><br style="caret-color: rgb(0,
        0, 0); color: rgb(0, 0, 0); font-family: Monaco; font-size:
        12px; font-style: normal; font-variant-caps: normal;
        font-weight: normal; letter-spacing: normal; orphans: auto;
        text-align: start; text-indent: 0px; text-transform: none;
        white-space: normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">UI would only be shown
        on first visit, or if there was an important company change, or
        warning information</span><br style="caret-color: rgb(0, 0, 0);
        color: rgb(0, 0, 0); font-family: Monaco; font-size: 12px;
        font-style: normal; font-variant-caps: normal; font-weight:
        normal; letter-spacing: normal; orphans: auto; text-align:
        start; text-indent: 0px; text-transform: none; white-space:
        normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
      <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">from the government
        with respect to that site.</span><br style="caret-color: rgb(0,
        0, 0); color: rgb(0, 0, 0); font-family: Monaco; font-size:
        12px; font-style: normal; font-variant-caps: normal;
        font-weight: normal; letter-spacing: normal; orphans: auto;
        text-align: start; text-indent: 0px; text-transform: none;
        white-space: normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class="">
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
    </blockquote>
    There are many aspects of the many servers involved in handling the
    requests for a page or application. In many cases users will not be
    interested in the full information and when you don't know which
    ones are the interesting ones, for example into which countries the
    requests are logged.<br>
    <br>
    <blockquote type="cite"
      cite="mid:3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net"><span
        style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none; display:
        inline !important; float: none;" class="">Henry Story</span><br
        style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <br style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);
        font-family: Monaco; font-size: 12px; font-style: normal;
        font-variant-caps: normal; font-weight: normal; letter-spacing:
        normal; orphans: auto; text-align: start; text-indent: 0px;
        text-transform: none; white-space: normal; widows: auto;
        word-spacing: 0px; -webkit-text-size-adjust: auto;
        -webkit-text-stroke-width: 0px; text-decoration: none;" class="">
      <blockquote type="cite" style="font-family: Monaco; font-size:
        12px; font-style: normal; font-variant-caps: normal;
        font-weight: normal; letter-spacing: normal; orphans: auto;
        text-align: start; text-indent: 0px; text-transform: none;
        white-space: normal; widows: auto; word-spacing: 0px;
        -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px;
        text-decoration: none;" class=""><br class="">
        Alan DeKok.<br class="">
        <br class="">
        _______________________________________________<br class="">
        saag mailing list<br class="">
        <a href="mailto:saag@ietf.org" class="" moz-do-not-send="true">saag@ietf.org</a><br
          class="">
        <a href="https://www.ietf.org/mailman/listinfo/saag" class=""
          moz-do-not-send="true">https://www.ietf.org/mailman/listinfo/saag</a></blockquote>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
saag mailing list
<a class="moz-txt-link-abbreviated" href="mailto:saag@ietf.org">saag@ietf.org</a>
<a class="moz-txt-link-freetext" href="https://www.ietf.org/mailman/listinfo/saag">https://www.ietf.org/mailman/listinfo/saag</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------1579690B33526B5FCADC127A--


From nobody Mon Jul 23 01:31:11 2018
Return-Path: <henry.story@bblfish.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB1B3130E5A for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 01:31:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level: 
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bblfish-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ogXYOKGx_u3l for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 01:31:05 -0700 (PDT)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 164E1130E59 for <saag@ietf.org>; Mon, 23 Jul 2018 01:31:05 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id h10-v6so16993479wre.6 for <saag@ietf.org>; Mon, 23 Jul 2018 01:31:04 -0700 (PDT)
X-Received: by 2002:a5d:50cd:: with SMTP id f13-v6mr8238105wrt.73.1532334663323;  Mon, 23 Jul 2018 01:31:03 -0700 (PDT)
Received: from [192.168.43.209] ([80.12.58.52]) by smtp.gmail.com with ESMTPSA id v1-v6sm23964189wrs.34.2018.07.23.01.31.01 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Jul 2018 01:31:01 -0700 (PDT)
From: Henry Story <henry.story@bblfish.net>
Message-Id: <09FF881C-9FD3-4677-8DB7-57E379AFF896@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EAD82E11-8A96-4214-93F3-1CDFB7276348"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 23 Jul 2018 10:30:56 +0200
In-Reply-To: <27322.1532290727@localhost>
Cc: saag@ietf.org
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com> <F5B7D1B7-FA2B-44FC-94D5-6F38DC73D55E@deployingradius.com> <3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net> <27322.1532290727@localhost>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/nItVEHjJt2mvFtvLUwdfPOCrmt4>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 08:31:09 -0000

--Apple-Mail=_EAD82E11-8A96-4214-93F3-1CDFB7276348
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8



> On 22 Jul 2018, at 22:18, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
> Henry Story <henry.story@bblfish.net> wrote:
>> So now we had better build the right system before the politicians
>> make laws that make the situation
>> worse than better. Having a clean plan that respects national
>> sovereignties would at least allow
>> one to redirect political energies towards something constructive in
>> which the nations can
>> feel they have their place.
>
> I think that you make a very good point.
> I agree strongly: that the national entities need to have somewhere
> to put their energies.
>
> But, in particular that point makes it out probably not IETF's job.
> Rather, it's for W3C, browser makers and specifically, I think it's called
> WebPKI, but google isn't finding the entity I think that I want.

It's a big project and there will be parts that clearly seem best done at W3C,
such as the development of the ontologies, for which they have a lot of expertise.

Not everything going on at W3C is browser related btw. Well only in the very large
sense that all applications on the OS are going to be browsers of hyper-data on
a read-write web.

In the article below I argue why control of open hardware, inspectability of OS,
open standards, data, are the only way for us to be able to know. But also
and as a weird shadow phenomenon knowledge also requires access control,
privacy, identity and security.

"Epistemology in the Cloud - on Fake News and digital Sovereignty"
https://bblfish.net/blog/2018/04/21/

The difficulty is that all the open requirements of the architecture are seemingly
in contradiction to the protection part. We have a yin/yang duality of concepts that
come together. This means that groups focusing on open
data tend to not think about security. And those thinking about security tend to
only want point 2 point communication and not have anything to do with the rest
of the social space in which we interact. One side is too open, the other side too
closed. One side is too trusting, the other side paranoid by profession.

So perhaps because the SAAG is used to high level security discussions
this thought has caught on here much better than in some other forums,
and more easily than on W3C security forums, where the browser as the first
hyperdata application, has an overwhelming presence and sometimes forgets
the bigger picture of hyper apps.

>
> Having said that, there is value for what Alan suggested: familiarity should
> be re-inforced.... but initial contact continues to be a problem.

Btw, is it just me, or could we say that IETF is mostly concentrated on protocols
(DNS, HTTP, IPV6, TLS, TCP,...)
where W3C is mostly concentrated on data structures (HTML, CSS, XML, RDF, ... ).

Now in category theory data structures fall in the algebraic side, and protocols fall in
the co-algebraic side of things. These are the same categories with the arrows turned
around! [0]

• Data Structures such as an RDF graph have clear identity relations. They can be added
together g1 + g2 = g3 , as numbers can eg 1+2=3. These are algebraic constructs. You
start out with something you know, and you end up with something completely determined
by the input to the function.

• On the other co-algebras is the space of (infinite) streams, of processes, object oriented programming [1],
and I guess protocols. Here you start off with states, that you don't know much about and you need
to inspect them. The equivalent of equational reasoning in algebras in co-algebras is modal reasoning:
one reasons about the next state, or all future next steps (all states have a certain property, or one
future state could have that property).

There is a concept of bialgebras which work with both. And I guess that is where the web as
protocol plus data is located. So mathematically it may just be that the IETF and W3C are
inseparable ;-)

Henry

[0] https://scholar.google.co.uk/scholar?cluster=678090575657123815&hl=en&as_sdt=0,5
[1] https://www.quora.com/Why-is-functional-programming-seen-as-the-opposite-of-OOP-rather-than-an-addition-to-it/answer/Henry-Story

>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
>



--Apple-Mail=_EAD82E11-8A96-4214-93F3-1CDFB7276348--


From nobody Mon Jul 23 03:25:33 2018
Return-Path: <henry.story@bblfish.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A846130E4B for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 03:25:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level: 
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bblfish-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hs4iy4gE7haR for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 03:25:24 -0700 (PDT)
Received: from mail-wm0-x22b.google.com (mail-wm0-x22b.google.com [IPv6:2a00:1450:400c:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C3F5130E7E for <saag@ietf.org>; Mon, 23 Jul 2018 03:25:23 -0700 (PDT)
Received: by mail-wm0-x22b.google.com with SMTP id h20-v6so615569wmb.4 for <saag@ietf.org>; Mon, 23 Jul 2018 03:25:23 -0700 (PDT)
X-Received: by 2002:a1c:96c8:: with SMTP id y191-v6mr6930292wmd.37.1532341521660;  Mon, 23 Jul 2018 03:25:21 -0700 (PDT)
Received: from [192.168.43.209] ([80.12.58.52]) by smtp.gmail.com with ESMTPSA id b6-v6sm12976731wru.66.2018.07.23.03.25.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Jul 2018 03:25:20 -0700 (PDT)
From: Henry Story <henry.story@bblfish.net>
Message-Id: <1E014CD8-FC0A-4410-9897-CA0BE06BFD8B@bblfish.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9250CDFE-8365-42D0-84B5-7BB11C68A092"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 23 Jul 2018 12:25:17 +0200
In-Reply-To: <5868dbe3-0fe5-5b84-25dd-a184b46d883b@zinks.de>
Cc: saag@ietf.org
To: Roland Zink <roland@zinks.de>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com> <F5B7D1B7-FA2B-44FC-94D5-6F38DC73D55E@deployingradius.com> <3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net> <5868dbe3-0fe5-5b84-25dd-a184b46d883b@zinks.de>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/QGju2y7SRoxN8HesIe1T93v_TF8>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 10:25:30 -0000

--Apple-Mail=_9250CDFE-8365-42D0-84B5-7BB11C68A092
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii



> On 23 Jul 2018, at 01:17, Roland Zink <roland@zinks.de> wrote:
>
> On 22.07.2018 at 17:47, Henry Story wrote:
>>
>>
>>> On 22 Jul 2018, at 16:31, Alan DeKok <aland@deployingradius.com> wrote:
>>>
>>> On Jul 22, 2018, at 10:11 AM, Dmitry Belyavsky <beldmit@gmail.com> wrote:
>>>>
>>>> Yes, but this does not cover all the cases. I may want to visit a e.g. new online shop I have never seen before.
>>>
>>> I am well aware of that.
>>>
>>> My point is that the current system works.  Not perfectly.  But it mostly works.
>>>
>>> Any solution which involves many parties (national registries, etc.) is bound to fail.  Changing their behaviour involves political and legal procedures.  Which makes the IETF look lightning fast.
>>
>> yes, the current system was designed to give the web and the internet time to grow to the point where it
>> would start becoming evident to the political systems that it is an essential piece of infrastructure
>> that cannot be ignored. The recent elections in the UK, the USA and other places have made
>> that point. Not a day goes by without these issues being discussed on the news, in television,
>> by the President of the USA himself under the theme of "fake news".
>>
>> So now we had better build the right system before the politicians make laws that make the situation
>> worse than better. Having a clean plan that respects national sovereignties would at least allow
>> one to redirect political energies towards something constructive in which the nations can
>> feel they have their place.
>>
>> While this work goes on the current system will continue functioning with various improvements
>> that people are already working on. Complete deployment of DANE and DNS-Sec for
>> example, IPV-6, and other projects that I don't know about....
>>
>>>
>>>> Yes. So we come to idea of long-term identity independent from all these changes.
>>>
>>> My $0.02 is that the only two parties who care about their identities are the site, and the user.  A solution which involves just them is likely to work.  And, be deployed *much* more quickly than a system which involves national registries.
>>
>> Perhaps solving both problems is not incompatible and can work together. Always something to consider.
>
> My $0.02 is that the user probably cares about a site identity but doesn't get information about all involved parties. Although in the web browser one party is displayed in reality the page is composed and hosted on potentially many sites.

This will be even more true in a world of hyper-apps, where one application fetches data from many different
sites by following links,  has to be the case if we are going to respect individual and company autonomy, national
sovereignties.  ( see https://bblfish.net/blog/2018/04/21/ )

An application that shows information from many sites should be able to give information when requested about
each place it got it from, but clearly soon many decisions will be automated for the convenience of the user.
Still it should always be possible to help the user understand why a certain decision was taken and how it relates
to his automation preferences. Indeed it should be transparent, so that in case this reaches a court, all the information
that led to a representation being shown can be placed in front of a judge and jury.

> Especially the site hosting may be delegated to a third party and the access information sold for example into the adverts industry. What is missing is that the user is able to delegate some of its security concerns to a third party acting on his behalf. I don't see why this needs to be in the browser or institutional. Currently the virus scanning industry has such a business model.

The institutional web of trust is there to delegate descriptions of companies. Not to make further trust decisions, which
may completely depend on each individual actor. After all, not every company in a country trusts the other. Many are in very rivalrous competition. The IWoT only gives the official information about institutions, which is a lot more than what we have right now.

Henry

>
>>
>>>
>>>> Yes. But if I visit PayPal I need to know it's PayPal, not Facebook.
>>>
>>> You know today that it's Paypal.  Mostly.  Imperfectly.  But the billions of people who get online every day show that the system works reasonably well
>>>
>>> My point (which I think was missed) is that you don't need to do in-depth validations for every connection. You just need to do them on the initial connection.  Subsequent connections can  leverage cached information to gain additional security.
>>>
>>> This is how the real world works.  When I meet someone new, I remember their physical attributes (face, voice, mannerisms).  I use that information in subsequent interactions.
>>>
>>> Re-introducing yourself for every interaction is inefficient, and is likely to have new failure modes.
>>
>> Actually there is something to that in the IWoT proposal I put forward in the UI side. The full information
>> UI would only be shown on first visit, or if there was an important company change, or warning information
>> from the government with respect to that site.
>>
> There are many aspects of the many servers involved in handling the requests for a page or application. In many cases users will not be interested in the full information and when you don't know which ones are the interesting ones, for example into which countries the requests are logged.
>
>> Henry Story
>>
>>>
>>> Alan DeKok.
>>>=20
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag

--Apple-Mail=_9250CDFE-8365-42D0-84B5-7BB11C68A092
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=us-ascii

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dus-ascii"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D""><br =
class=3D"Apple-interchange-newline"><br class=3D"" style=3D"caret-color: =
rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><blockquote =
type=3D"cite" class=3D"" style=3D"font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><div class=3D"">On=
 23 Jul 2018, at 01:17, Roland Zink &lt;<a href=3D"mailto:roland@zinks.de"=
 class=3D"">roland@zinks.de</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div text=3D"#000000" =
bgcolor=3D"#FFFFFF" class=3D"">Am 22.07.2018 um 17:47 schrieb Henry =
Story:<br class=3D""><blockquote type=3D"cite" =
cite=3D"mid:3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net" =
class=3D""><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><br class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><blockquote type=3D"cite" class=3D"" =
style=3D"font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;">On 22 Jul 2018, at 16:31, Alan DeKok &lt;<a =
href=3D"mailto:aland@deployingradius.com" class=3D"" =
moz-do-not-send=3D"true">aland@deployingradius.com</a>&gt; wrote:<br =
class=3D""><br class=3D"">On Jul 22, 2018, at 10:11 AM, Dmitry Belyavsky =
&lt;<a href=3D"mailto:beldmit@gmail.com" class=3D"" =
moz-do-not-send=3D"true">beldmit@gmail.com</a>&gt; wrote:<br =
class=3D""><blockquote type=3D"cite" class=3D""><br class=3D"">Yes, but =
this does not cover all the cases. I may want to visit a e.g. new online =
shop I have never seen before.<span =
class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""></blockquote><br class=3D"">I am well aware of that.<br =
class=3D""><br class=3D"">My point is that the current system works. =
&nbsp;Not perfectly. &nbsp;But it mostly works.<br class=3D""><br =
class=3D"">Any solution which involves many parties (national =
registries, etc.) is bound to fail. &nbsp;Changing their behaviour =
involves political and legal procedures. &nbsp;Which makes the IETF look =
lightning fast.<br class=3D""></blockquote><br class=3D"" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Monaco; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><span class=3D"" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Monaco; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;">yes, the current system was designed to =
give the web and the internet time to grow to the point where =
it</span><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none; float: none; display: inline !important;">would start becoming =
evident to the political systems that it is an essential piece of =
infrastructure</span><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;">that =
cannot be ignored. The recent elections in the UK, the USA and other =
places have made</span><br class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;">that =
point. Not a day goes by without these issues being discussed on the =
news, in television,</span><br class=3D"" style=3D"caret-color: rgb(0, =
0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;">by the =
President of the USA himself under the theme of "fake news".<span =
class=3D"Apple-converted-space">&nbsp;</span></span><br class=3D"" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Monaco; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><br class=3D"" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Monaco; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><span class=3D"" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Monaco; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;">So now we had better build the right system =
before the politicians make laws that make the situation</span><br =
class=3D"" style=3D"caret-color: rgb(0, 0, 0); font-family: Monaco; =
font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, 0); font-family: =
Monaco; font-size: 12px; font-style: normal; font-variant-caps: normal; =
font-weight: normal; letter-spacing: normal; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; =
word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: =
none; float: none; display: inline !important;">worse than better. =
Having a clean plan that respects national sovereignties would at least =
allow</span><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;">one to =
redirect political energies towards something constructive in which the =
nations can</span><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;">feel =
they have their place.</span><br class=3D"" style=3D"caret-color: rgb(0, =
0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><br class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;">While =
this work goes on the current system will continue functioning with =
various improvements</span><br class=3D"" style=3D"caret-color: rgb(0, =
0, 0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline !important;">that =
people are already working on. Complete deployment of DANE and DNS-Sec =
for</span><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline =
!important;">example, IPV-6, and other projects that I don't know =
about....</span><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><br class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><blockquote type=3D"cite" class=3D"" =
style=3D"font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><br class=3D""><blockquote type=3D"cite" =
class=3D"">Yes. So we come to idea of long-term identity independent =
from all these changes.<span =
class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""></blockquote><br class=3D"">My $0.02 is that the only two =
parties who care about their identities are the site, and the user. =
&nbsp;A solution which involves just them is likely to work. &nbsp;And, =
be deployed *much* more quickly than a system which involves national =
registries.<br class=3D""></blockquote><br class=3D"" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Monaco; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><span class=3D"" =
style=3D"caret-color: rgb(0, 0, 0); font-family: Monaco; font-size: =
12px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
-webkit-text-stroke-width: 0px; text-decoration: none; float: none; =
display: inline !important;">Perhaps solving both problems is not =
incompatible and can work together. Always something to =
consider.</span><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"></blockquote><br class=3D"">My $0.02 is that the =
user probably cares about a site identity but doesn't get information =
about all involved parties. Although in the web browser one party is =
displayed in reality the page is composed and hosted on potentially many =
sites.</div></div></blockquote><div style=3D"caret-color: rgb(0, 0, 0); =
color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
class=3D""></div><div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">This will be even more true in a =
world of hyper-apps, where one application fetches data from many =
different</div><div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">sites by following links, &nbsp;has =
to be the case if we are going to respect individual and company =
autonomy, national</div><div style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; orphans: auto; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; widows: auto; word-spacing: =
0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">sovereignties. &nbsp;( see<span =
class=3D"Apple-converted-space">&nbsp;</span><a =
href=3D"https://bblfish.net/blog/2018/04/21/" =
class=3D"">https://bblfish.net/blog/2018/04/21/</a>&nbsp;)&nbsp;</div><div=
 style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
class=3D""></div><div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">An application that shows information =
from many sites should be able to give information when requested =
about</div><div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">each place it got it from, but =
clearly soon many decisions will be automated for the convenience of the =
user.</div><div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); =
font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">Still it should always be possible to =
help the user understand why a certain decision was taken and how it =
relates</div><div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, =
0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">to his automation preferences. Indeed =
it should be transparent, so that in case this reaches a court, all the =
information</div><div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">that lead to a representation being =
shown can be placed in front of a judge and jury.</div><br class=3D"" =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><blockquote =
type=3D"cite" class=3D"" style=3D"font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><div =
class=3D""><div text=3D"#000000" bgcolor=3D"#FFFFFF" class=3D"">Especially=
 the site hosting may be delegated to a third party and the access =
information sold for example into the adverts industry. What is missing =
is that the user is able to delegate some of its security concerns to a =
third party acting on his behalf. I don't see why this needs to be in =
the browser or institutional. Currently the virus scanning industry has =
such a business model.<br class=3D""></div></div></blockquote><div =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" class=3D""><br =
class=3D""></div><div style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
orphans: auto; text-align: start; text-indent: 0px; text-transform: =
none; white-space: normal; widows: auto; word-spacing: 0px; =
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">The institutional web of trust is =
there to delegate descriptions of companies. Not to make further trust =
decisions, which</div><div style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; orphans: auto; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; widows: auto; word-spacing: =
0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D"">may completely depend on each =
individual actor. After all, not every company in a country trusts the =
other. Many are in very rivalrous competition. The IWoT only gives the =
official information about institutions, which is a lot more than what =
we have right now.</div><div style=3D"caret-color: rgb(0, 0, 0); color: =
rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: =
normal; font-variant-caps: normal; font-weight: normal; letter-spacing: =
normal; orphans: auto; text-align: start; text-indent: 0px; =
text-transform: none; white-space: normal; widows: auto; word-spacing: =
0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; =
text-decoration: none;" class=3D""><br class=3D""></div><div =
style=3D"caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: =
Helvetica; font-size: 14px; font-style: normal; font-variant-caps: =
normal; font-weight: normal; letter-spacing: normal; orphans: auto; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;" =
class=3D"">Henry</div><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; =
font-style: normal; font-variant-caps: normal; font-weight: normal; =
letter-spacing: normal; orphans: auto; text-align: start; text-indent: =
0px; text-transform: none; white-space: normal; widows: auto; =
word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><blockquote =
type=3D"cite" class=3D"" style=3D"font-family: Helvetica; font-size: =
14px; font-style: normal; font-variant-caps: normal; font-weight: =
normal; letter-spacing: normal; orphans: auto; text-align: start; =
text-indent: 0px; text-transform: none; white-space: normal; widows: =
auto; word-spacing: 0px; -webkit-text-size-adjust: auto; =
-webkit-text-stroke-width: 0px; text-decoration: none;"><div =
class=3D""><div text=3D"#000000" bgcolor=3D"#FFFFFF" class=3D""><br =
class=3D""><blockquote type=3D"cite" =
cite=3D"mid:3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net" =
class=3D""><br class=3D"" style=3D"caret-color: rgb(0, 0, 0); =
font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><blockquote type=3D"cite" class=3D"" =
style=3D"font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><br class=3D""><blockquote type=3D"cite" =
class=3D"">Yes. But if I visit PayPal I need to know it's PayPal, not =
Facebook.<span class=3D"Apple-converted-space">&nbsp;</span><br =
class=3D""></blockquote><br class=3D"">You know today that it's Paypal. =
&nbsp;Mostly. &nbsp;Imperfectly. &nbsp;But the billions of people who =
get online every day show that the system works reasonably well<br =
class=3D""><br class=3D"">My point (which I think was missed) is that =
you don't need to do in-depth validations for every connection. You just =
need to do them on the initial connection. &nbsp;Subsequent connections =
can &nbsp;leverage cached information to gain additional security.<br =
class=3D""><br class=3D"">This is how the real world works. &nbsp;When I =
meet someone new, I remember their physical attributes (face, voice, =
mannerisms). &nbsp;I use that information in subsequent interactions.<br =
class=3D""><br class=3D"">Re-introducing yourself for every interaction =
is inefficient, and is likely to have new failure modes.<br =
class=3D""></blockquote><br class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"><span class=3D"" style=3D"caret-color: rgb(0, 0, =
0); font-family: Monaco; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none; float: none; display: inline =
!important;">Actually there is something to that in the IWoT proposal I =
put forward in the UI side. The full information</span><br class=3D"">=
<span class=3D"">UI would only be shown on first visit, or =
if there was an important company change, or warning =
information</span><br class=3D""><span class=3D"">from =
the government with respect to that site.</span><br class=3D"">=
<br class=3D""></blockquote>There are many aspects of the many servers =
involved in handling the requests for a page or application. In many =
cases users will not be interested in the full information and when you =
don't know which ones are the interesting ones, for example into which =
countries the requests are logged.<br class=3D""><br class=3D"">=
<blockquote type=3D"cite" =
cite=3D"mid:3AC98092-2836-4388-8A31-24914F6A2939@bblfish.net" =
class=3D""><span class=3D"">Henry Story</span><br class=3D"">=
<br class=3D""><blockquote type=3D"cite" class=3D""><br class=3D"">=
Alan DeKok.<br class=3D""><br =
class=3D"">_______________________________________________<br =
class=3D"">saag mailing list<br class=3D""><a =
href=3D"mailto:saag@ietf.org" class=3D"" =
moz-do-not-send=3D"true">saag@ietf.org</a><br class=3D""><a =
href=3D"https://www.ietf.org/mailman/listinfo/saag" class=3D"" =
moz-do-not-send=3D"true">https://www.ietf.org/mailman/listinfo/saag</a></b=
lockquote><br class=3D""><fieldset =
class=3D"mimeAttachmentHeader"></fieldset><br class=3D""><pre wrap=3D"" =
class=3D"">_______________________________________________
saag mailing list
<a class=3D"moz-txt-link-abbreviated" =
href=3D"mailto:saag@ietf.org">saag@ietf.org</a>
<a class=3D"moz-txt-link-freetext" =
href=3D"https://www.ietf.org/mailman/listinfo/saag">https://www.ietf.org/m=
ailman/listinfo/saag</a>
</pre></blockquote><br =
class=3D""></div>_______________________________________________<br =
class=3D"">saag mailing list<br class=3D""><a =
href=3D"mailto:saag@ietf.org" class=3D"">saag@ietf.org</a><br =
class=3D""><a href=3D"https://www.ietf.org/mailman/listinfo/saag" =
class=3D"">https://www.ietf.org/mailman/listinfo/saag</a></div></blockquot=
e></body></html>=

--Apple-Mail=_9250CDFE-8365-42D0-84B5-7BB11C68A092--


From nobody Mon Jul 23 08:55:54 2018
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F0F7130EBA for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 08:55:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WQIDXZgvwT_m for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 08:55:50 -0700 (PDT)
Received: from mail1.bemta24.messagelabs.com (mail1.bemta24.messagelabs.com [67.219.250.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F6A9130EC5 for <saag@ietf.org>; Mon, 23 Jul 2018 08:55:50 -0700 (PDT)
Received: from [67.219.251.52] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-1.bemta.az-c.us-west-2.aws.symcld.net id 53/E8-07043-58AF55B5; Mon, 23 Jul 2018 15:55:49 +0000
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-11.tower-364.messagelabs.com!1532361347!1906059!1
X-Originating-IP: [207.46.163.23]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.9.15; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 1007 invoked from network); 23 Jul 2018 15:55:48 -0000
Received: from mail-dm3nam03lp0023.outbound.protection.outlook.com (HELO NAM03-DM3-obe.outbound.protection.outlook.com) (207.46.163.23) by server-11.tower-364.messagelabs.com with AES256-SHA256 encrypted SMTP; 23 Jul 2018 15:55:48 -0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1172.namprd14.prod.outlook.com (10.173.161.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.973.16; Mon, 23 Jul 2018 15:55:46 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::f861:ae59:39b3:8960]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::f861:ae59:39b3:8960%8]) with mapi id 15.20.0973.022; Mon, 23 Jul 2018 15:55:46 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Adam Montville <adam.w.montville@gmail.com>, "John R. Levine" <johnl@iecc.com>
CC: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: [saag] stopping (https) phishing
Date: Mon, 23 Jul 2018 15:55:46 +0000
Message-ID: <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com> <alpine.OSX.2.21.1807212100220.11623@ary.qy> <A04AB4F5-D550-431A-99E2-F2D70BF91847@gmail.com>
In-Reply-To: <A04AB4F5-D550-431A-99E2-F2D70BF91847@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [173.71.184.143]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0196_01D4227C.155C0BF0"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: aa1d1b2a-ca12-4af3-50cb-08d5f0b4c0d7
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jul 2018 15:55:46.1177 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1172
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/knGMjQBtKnEQmVpYxIYev3Wm2Fw>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 15:55:53 -0000

------=_NextPart_000_0196_01D4227C.155C0BF0
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I'd help, too.  This is an important problem.  I think I would favor a RG because
I haven't seen any ideas proposed yet that would have a significant impact on
the problem, though some people seem to be thinking along the right directions.
It's a tough problem.

-Tim

> -----Original Message-----
> From: saag <saag-bounces@ietf.org> On Behalf Of Adam Montville
> Sent: Sunday, July 22, 2018 8:05 AM
> To: John R. Levine <johnl@iecc.com>
> Cc: saag@ietf.org
> Subject: Re: [saag] stopping (https) phishing
>
> Whether a WG or an RG, I’d be interested in helping here.
>
> On Jul 21, 2018, at 8:00 PM, John R. Levine <johnl@iecc.com> wrote:
>
> >> I for one would really like to see the IETF set up a working group for this
> >> specific topic, it would be good to work through this and find a solution that
> >> works. I would be willing to help out here and will dedicate time to this effort.
> >
> > I don't think there is enough stuff here to merit a WG.  Perhaps talk to the IRTF
> > about an RG to explore ideas not ready to standardize.
> >
> >
> >>
> >> Bret
> >>
> >> Sent from my Commodore 128D
> >>
> >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> >>
> >>> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
> >>>
> >>> On Sat, 21 Jul 2018, Henry Story wrote:
> >>>>> How would this IWoT differ from what CAs were supposed to do?
> >>>>
> >>>> That is easy. IWoT would be based on institutions that tie into
> >>>> nation or region based local registries that tie into national anchors that
> >>>> may tie into federal ones (as in the USA, or Germany).
> >>>
> >>> This sounds a lot like the industry-specific CAs I proposed, only this
> >>> depends on a great deal of software that does not exist and probably never
> >>> will.
> >>>
> >>> R's,
> >>> John
> >>>
> >>> _______________________________________________
> >>> saag mailing list
> >>> saag@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/saag
> >>
> >
> > Regards,
> > John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for
> > Dummies", Please consider the environment before reading this e-mail.
> > https://jl.ly
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag

------=_NextPart_000_0196_01D4227C.155C0BF0--


From nobody Mon Jul 23 09:09:20 2018
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AA3E130ED6 for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 09:09:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.79
X-Spam-Level: 
X-Spam-Status: No, score=-1.79 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (message has been altered)" header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0eV5fgFwquhL for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 09:09:14 -0700 (PDT)
Received: from sonic311-28.consmr.mail.ne1.yahoo.com (sonic311-28.consmr.mail.ne1.yahoo.com [66.163.188.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE9CA130EAC for <saag@ietf.org>; Mon, 23 Jul 2018 09:09:14 -0700 (PDT)
Received: from sonic.gate.mail.ne1.yahoo.com by sonic311.consmr.mail.ne1.yahoo.com with HTTP; Mon, 23 Jul 2018 16:09:14 +0000
Date: Mon, 23 Jul 2018 16:09:02 +0000 (UTC)
From: Nalini J Elkins <nalini.elkins@insidethestack.com>
Reply-To: Nalini J Elkins <nalini.elkins@insidethestack.com>
To: Tim Hollebeek <tim.hollebeek@digicert.com>,  Adam Montville <adam.w.montville@gmail.com>,  "John R. Levine" <johnl@iecc.com>
Cc: "saag@ietf.org" <saag@ietf.org>
Message-ID: <1775793239.1010578.1532362142537@mail.yahoo.com>
In-Reply-To: <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com> <alpine.OSX.2.21.1807212100220.11623@ary.qy> <A04AB4F5-D550-431A-99E2-F2D70BF91847@ gmail.com> <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Mailer: WebService/1.1.12144 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/hLBc0S36wEq69qzQMUdtnWL6D-w>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 16:09:18 -0000

I am willing to help also.


This is an important problem for enterprises.  You may be familiar with the OPM data breach which was most likely started by a phishing attack.

https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

I wonder if we want to have some type of meeting in Bangkok.
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360



________________________________
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Adam Montville <adam.w.montville@gmail.com>; John R. Levine <johnl@iecc.com>
Cc: "saag@ietf.org" <saag@ietf.org>
Sent: Monday, July 23, 2018 8:56 AM
Subject: Re: [saag] stopping (https) phishing



I'd help, too.  This is an important problem.  I think I would favor a RG because
I haven't seen any ideas proposed yet that would have a significant impact on
the problem, though some people seem to be thinking along the right directions.
It's a tough problem.

-Tim


> -----Original Message-----
> From: saag <saag-bounces@ietf.org> On Behalf Of Adam Montville
> Sent: Sunday, July 22, 2018 8:05 AM
> To: John R. Levine <johnl@iecc.com>
> Cc: saag@ietf.org
> Subject: Re: [saag] stopping (https) phishing
>
> Whether a WG or an RG, I’d be interested in helping here.
>
> On Jul 21, 2018, at 8:00 PM, John R. Levine <johnl@iecc.com> wrote:
>
> >> I for one would really like to see the IETF set up a working group for this
> >> specific topic, it would be good to work through this and find a solution that
> >> works. I would be willing to help out here and will dedicate time to this effort.
> >
> > I don't think there is enough stuff here to merit a WG.  Perhaps talk to the IRTF
> > about an RG to explore ideas not ready to standardize.
> >
> >
> >>
> >> Bret
> >>
> >> Sent from my Commodore 128D
> >>
> >> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> >>
> >>> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
> >>>
> >>> On Sat, 21 Jul 2018, Henry Story wrote:
> >>>>> How would this IWoT differ from what CAs were supposed to do?
> >>>>
> >>>> That is easy. IWoT would be based on institutions that tie into
> >>>> nation or region based local registries that tie into national anchors that
> >>>> may tie into federal ones (as in the USA, or Germany).
> >>>
> >>> This sounds a lot like the industry-specific CAs I proposed, only this
> >>> depends on a great deal of software that does not exist and probably never
> >>> will.
> >>>
> >>> R's,
> >>> John
> >>>
> >>> _______________________________________________
> >>> saag mailing list
> >>> saag@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/saag
> >>
> >
> > Regards,
> > John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for
> > Dummies", Please consider the environment before reading this e-mail.
> > https://jl.ly
> >
> > _______________________________________________
> > saag mailing list
> > saag@ietf.org
> > https://www.ietf.org/mailman/listinfo/saag
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag


From nobody Mon Jul 23 09:17:01 2018
Return-Path: <kaduk@mit.edu>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93202130ED6 for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 09:16:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level: 
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NCgGMXPusv2c for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 09:16:56 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49004130DCB for <saag@ietf.org>; Mon, 23 Jul 2018 09:16:56 -0700 (PDT)
X-AuditID: 12074425-cafff70000005e72-c6-5b55ff770e09
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 1D.E0.24178.77FF55B5; Mon, 23 Jul 2018 12:16:55 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id w6NGGssN004662; Mon, 23 Jul 2018 12:16:54 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6NGGo91009164 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 23 Jul 2018 12:16:53 -0400
Date: Mon, 23 Jul 2018 11:16:50 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Dmitry Belyavsky <beldmit@gmail.com>
Cc: Alan DeKok <aland@deployingradius.com>, saag@ietf.org
Message-ID: <20180723161650.GV92448@kduck.kaduk.org>
References: <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <CADqLbzKH2cfSudxdWk2kysn8BvA3xRDJdcjW=KkdWU71u8tf-A@mail.gmail.com> <B867CE08-C028-4DB8-97B2-FC95FBD49514@deployingradius.com> <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CADqLbz+ePaM9W6JWV_D99_EZxSajPcKG2nDP6-rnkiLgU8tC4A@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/L5xRcryzkLhwj00ZiB2Avdmw16g>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 16:16:59 -0000

On Sun, Jul 22, 2018 at 05:11:43PM +0300, Dmitry Belyavsky wrote:
> On Sun, 22 Jul 2018, 16:49 Alan DeKok <aland@deployingradius.com> wrote:
> 
> 
> >   Companies move.  Domains expire and get re-bought.  Certificates
> > expire.  Systems change.
> >
> >   That means the "same" site may have all public information about it
> > change in between visits.  Not a good practice for continued identification.
> >
> 
> Yes. So we come to the idea of long-term identity independent from all these
> changes.

This calls to mind the "TLS Identity Ticket" proposal that was brought to
TLS and secdispatch several IETF meetings ago.  I'm curious how it compares
to what you're thinking of, and what you think it lacks in terms of getting
a complete solution.

(Disclosure: I was not particularly excited about the proposal at the
time.)

-Ben


From nobody Mon Jul 23 10:39:53 2018
Return-Path: <johnl@iecc.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82B6130F23 for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 10:39:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.751
X-Spam-Level: 
X-Spam-Status: No, score=-1.751 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=dvNLG585; dkim=pass (1536-bit key) header.d=taugh.com header.b=MV2jLHAn
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zXgKs7FWYOtC for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 10:39:50 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AB04130F1E for <saag@ietf.org>; Mon, 23 Jul 2018 10:39:50 -0700 (PDT)
Received: (qmail 28565 invoked from network); 23 Jul 2018 17:39:49 -0000
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 23 Jul 2018 17:39:49 -0000
Received: by ary.qy (Postfix, from userid 501) id F3196200298356; Mon, 23 Jul 2018 13:39:48 -0400 (EDT)
Date: 23 Jul 2018 13:39:48 -0400
Message-Id: <20180723173948.F3196200298356@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: saag@ietf.org
In-Reply-To: <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/BbiTJdNBX9PRC70srVP3CN-mexE>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 17:39:52 -0000

In article <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com> you write:
>I'd help, too.  This is an important problem.  I think I would favor a RG because
>I haven't seen any ideas proposed yet that would have a significant impact on
>the problem, though some people seem to be thinking along the right directions.

WGs generally need to start with some drafts that are intended to
become standards.  Not seeing any of those, it seems like an RG would
be appropriate.

>It's a tough problem.

No kidding.  I'll ask about an RG.

R's,
John


From nobody Mon Jul 23 12:31:29 2018
Return-Path: <jordan.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9AEE7130EC7 for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 12:31:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cgjsbU_eQT_4 for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 12:31:24 -0700 (PDT)
Received: from mail-pl0-x22f.google.com (mail-pl0-x22f.google.com [IPv6:2607:f8b0:400e:c01::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74CE412F1A6 for <saag@ietf.org>; Mon, 23 Jul 2018 12:31:24 -0700 (PDT)
Received: by mail-pl0-x22f.google.com with SMTP id m1-v6so640312plt.6 for <saag@ietf.org>; Mon, 23 Jul 2018 12:31:24 -0700 (PDT)
X-Received: by 2002:a17:902:42a3:: with SMTP id h32-v6mr13912684pld.72.1532374284127;  Mon, 23 Jul 2018 12:31:24 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:10e4:66a:f0a3:73d9? ([2605:a601:3260:266:10e4:66a:f0a3:73d9]) by smtp.gmail.com with ESMTPSA id v22-v6sm21524097pfi.60.2018.07.23.12.31.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Jul 2018 12:31:22 -0700 (PDT)
From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <94D0E644-F2E5-48F8-A409-EF8AB1177EFD@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_30CBF745-A0BF-4DCD-BD76-1B3030B0379E"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 23 Jul 2018 13:31:09 -0600
In-Reply-To: <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com>
Cc: Adam Montville <adam.w.montville@gmail.com>, "John R. Levine" <johnl@iecc.com>, "saag@ietf.org" <saag@ietf.org>
To: Tim Hollebeek <tim.hollebeek@digicert.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com> <alpine.OSX.2.21.1807212100220.11623@ary.qy> <A04AB4F5-D550-431A-99E2-F2D70BF91847@gmail.com> <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/MCFnTZLqQ1GB_aXP42c3GnLd3ss>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 19:31:28 -0000

--Apple-Mail=_30CBF745-A0BF-4DCD-BD76-1B3030B0379E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

It is a very hard problem, but it is the kind of problem that we need to work on and try and solve. I just want to make sure this gets the focus it deserves.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Jul 23, 2018, at 9:55 AM, Tim Hollebeek <tim.hollebeek@digicert.com> wrote:
>
> I'd help, too.  This is an important problem.  I think I would favor a RG because
> I haven't seen any ideas proposed yet that would have a significant impact on
> the problem, though some people seem to be thinking along the right directions.
> It's a tough problem.
>
> -Tim
>
>> -----Original Message-----
>> From: saag <saag-bounces@ietf.org> On Behalf Of Adam Montville
>> Sent: Sunday, July 22, 2018 8:05 AM
>> To: John R. Levine <johnl@iecc.com>
>> Cc: saag@ietf.org
>> Subject: Re: [saag] stopping (https) phishing
>>
>> Whether a WG or an RG, I’d be interested in helping here.
>>
>> On Jul 21, 2018, at 8:00 PM, John R. Levine <johnl@iecc.com> wrote:
>>
>>>> I for one would really like to see the IETF setup a working group for this
>>>> specific topic, it would be good to work through this and find a solution that
>>>> works. I would be willing to help out here and will dedicate time to this effort.
>>>
>>> I don't think there is enough stuff here to merit WG.  Perhaps talk to the IRTF
>>> about an RG to explore ideas not ready to standardize.
>>>
>>>
>>>>
>>>> Bret
>>>>
>>>> Sent from my Commodore 128D
>>>>
>>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>>>
>>>>> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
>>>>>
>>>>> On Sat, 21 Jul 2018, Henry Story wrote:
>>>>>>> How would this IWoT differ from what CAs were supposed to do?
>>>>>>
>>>>>> That is easy. IWoT would be based on institutions that tie into
>>>>>> nation or region based local registries that tie into national anchors that
>>>>>> may tie into federal ones (as in the USA, or Germany).
>>>>>
>>>>> This sounds a lot like the industry-specific CAs I proposed, only this
>>>>> depends on a great deal of software that does not exist and probably never
>>>>> will.
>>>>>
>>>>> R's,
>>>>> John
>>>>>
>>>>> _______________________________________________
>>>>> saag mailing list
>>>>> saag@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/saag
>>>>
>>>
>>> Regards,
>>> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for
>>> Dummies", Please consider the environment before reading this e-mail.
>>> https://jl.ly
>>>
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>>
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag


--Apple-Mail=_30CBF745-A0BF-4DCD-BD76-1B3030B0379E--


From nobody Mon Jul 23 12:32:44 2018
Return-Path: <jordan.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D0AD130EC7 for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 12:32:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 88dYhr3Z13oW for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 12:32:39 -0700 (PDT)
Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4491A12F1A6 for <saag@ietf.org>; Mon, 23 Jul 2018 12:32:39 -0700 (PDT)
Received: by mail-pg1-x52d.google.com with SMTP id x5-v6so1081271pgp.7 for <saag@ietf.org>; Mon, 23 Jul 2018 12:32:39 -0700 (PDT)
X-Received: by 2002:a63:b504:: with SMTP id y4-v6mr13646616pge.247.1532374358924;  Mon, 23 Jul 2018 12:32:38 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:10e4:66a:f0a3:73d9? ([2605:a601:3260:266:10e4:66a:f0a3:73d9]) by smtp.gmail.com with ESMTPSA id s14-v6sm8166482pfj.105.2018.07.23.12.32.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Jul 2018 12:32:37 -0700 (PDT)
From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <425C3EFB-ECD9-4C4C-A4C5-0786600538F9@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_A3B374FC-D504-4BAF-8BB2-4FC159EF6E29"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 23 Jul 2018 13:32:24 -0600
In-Reply-To: <1775793239.1010578.1532362142537@mail.yahoo.com>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>, Adam Montville <adam.w.montville@gmail.com>, "John R. Levine" <johnl@iecc.com>, "saag@ietf.org" <saag@ietf.org>
To: Nalini J Elkins <nalini.elkins@insidethestack.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com> <alpine.OSX.2.21.1807212100220.11623@ary.qy> <A04AB4F5-D550-431A-99E2-F2D70BF91847@ gmail.com> <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com> <1775793239.1010578.1532362142537@mail.yahoo.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/tQxVS5H1Ce3bOPUd2lzpDhb7zb0>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 19:32:42 -0000

--Apple-Mail=_A3B374FC-D504-4BAF-8BB2-4FC159EF6E29
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I think it would be great if we could organize some sort of Bar BOF or even less formal get together to talk about this. Maybe just stay late in one of the rooms one night???


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Jul 23, 2018, at 10:09 AM, Nalini J Elkins <nalini.elkins@insidethestack.com> wrote:
>
> I am willing to help also.
>
>
> This is an important problem for enterprises.  You may be familiar with the OPM data breach which was most likely started by a phishing attack.
>
> https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
>
> I wonder if we want to have some type of meeting in Bangkok.
> Thanks,
>
> Nalini Elkins
> CEO and Founder
> Inside Products, Inc.
> www.insidethestack.com
> (831) 659-8360
>
>
>
> ________________________________
> From: Tim Hollebeek <tim.hollebeek@digicert.com>
> To: Adam Montville <adam.w.montville@gmail.com>; John R. Levine <johnl@iecc.com>
> Cc: "saag@ietf.org" <saag@ietf.org>
> Sent: Monday, July 23, 2018 8:56 AM
> Subject: Re: [saag] stopping (https) phishing
>
>
>
> I'd help, too.  This is an important problem.  I think I would favor a RG because
> I haven't seen any ideas proposed yet that would have a significant impact on
> the problem, though some people seem to be thinking along the right directions.
> It's a tough problem.
>
> -Tim
>
>
>> -----Original Message-----
>> From: saag <saag-bounces@ietf.org> On Behalf Of Adam Montville
>> Sent: Sunday, July 22, 2018 8:05 AM
>> To: John R. Levine <johnl@iecc.com>
>> Cc: saag@ietf.org
>> Subject: Re: [saag] stopping (https) phishing
>>
>> Whether a WG or an RG, I’d be interested in helping here.
>>
>> On Jul 21, 2018, at 8:00 PM, John R. Levine <johnl@iecc.com> wrote:
>>
>>>> I for one would really like to see the IETF setup a working group for this
>>>> specific topic, it would be good to work through this and find a solution that
>>>> works. I would be willing to help out here and will dedicate time to this effort.
>>>
>>> I don't think there is enough stuff here to merit WG.  Perhaps talk to the IRTF
>>> about an RG to explore ideas not ready to standardize.
>>>
>>>
>>>>
>>>> Bret
>>>>
>>>> Sent from my Commodore 128D
>>>>
>>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>>>
>>>>> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
>>>>>
>>>>> On Sat, 21 Jul 2018, Henry Story wrote:
>>>>>>> How would this IWoT differ from what CAs were supposed to do?
>>>>>>
>>>>>> That is easy. IWoT would be based on institutions that tie into
>>>>>> nation or region based local registries that tie into national anchors that
>>>>>> may tie into federal ones (as in the USA, or Germany).
>>>>>
>>>>> This sounds a lot like the industry-specific CAs I proposed, only this
>>>>> depends on a great deal of software that does not exist and probably never
>>>>> will.
>>>>>
>>>>> R's,
>>>>> John
>>>>>
>>>>> _______________________________________________
>>>>> saag mailing list
>>>>> saag@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/saag
>>>>
>>>
>>> Regards,
>>> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for
>>> Dummies", Please consider the environment before reading this e-mail.
>>> https://jl.ly
>>>
>>> _______________________________________________
>>> saag mailing list
>>> saag@ietf.org
>>> https://www.ietf.org/mailman/listinfo/saag
>>
>> _______________________________________________
>> saag mailing list
>> saag@ietf.org
>> https://www.ietf.org/mailman/listinfo/saag
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag



--Apple-Mail=_A3B374FC-D504-4BAF-8BB2-4FC159EF6E29--


From nobody Mon Jul 23 12:33:40 2018
Return-Path: <jordan.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17106130FA8 for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 12:33:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ER8VNMQUvF6k for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 12:33:28 -0700 (PDT)
Received: from mail-pl0-x233.google.com (mail-pl0-x233.google.com [IPv6:2607:f8b0:400e:c01::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2DF8130F75 for <saag@ietf.org>; Mon, 23 Jul 2018 12:33:27 -0700 (PDT)
Received: by mail-pl0-x233.google.com with SMTP id w3-v6so648424plq.2 for <saag@ietf.org>; Mon, 23 Jul 2018 12:33:27 -0700 (PDT)
X-Received: by 2002:a17:902:342:: with SMTP id 60-v6mr14105205pld.311.1532374407589;  Mon, 23 Jul 2018 12:33:27 -0700 (PDT)
Received: from ?IPv6:2605:a601:3260:266:10e4:66a:f0a3:73d9? ([2605:a601:3260:266:10e4:66a:f0a3:73d9]) by smtp.gmail.com with ESMTPSA id s14-v6sm8166482pfj.105.2018.07.23.12.33.26 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Jul 2018 12:33:26 -0700 (PDT)
From: Bret Jordan <jordan.ietf@gmail.com>
Message-Id: <504D3AF2-DD7A-4240-BC1B-A85C3EB3C33E@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_091243A5-1490-4C1A-9109-BD80417204B6"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 23 Jul 2018 13:33:16 -0600
In-Reply-To: <20180723173948.F3196200298356@ary.qy>
Cc: saag@ietf.org
To: John Levine <johnl@taugh.com>
References: <20180723173948.F3196200298356@ary.qy>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/ilzj95EjC1uOuMPr_qqjCMhc1X8>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 19:33:38 -0000

--Apple-Mail=_091243A5-1490-4C1A-9109-BD80417204B6
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Thanks John.  If a RG is the way to go right now, then let's do that.  Hopefully we can figure out a solution and start working on some standards that can be adopted and published.


Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Jul 23, 2018, at 11:39 AM, John Levine <johnl@taugh.com> wrote:
>
> In article <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com> you write:
>> I'd help, too.  This is an important problem.  I think I would favor a RG because
>> I haven't seen any ideas proposed yet that would have a significant impact on
>> the problem, though some people seem to be thinking along the right directions.
>
> WGs generally need to start with some drafts that are intended to
> become standards.  Not seeing any of those, it seems like an RG would
> be appropriate.
>
>> It's a tough problem.
>
> No kidding.  I'll ask about an RG.
>
> R's,
> John



--Apple-Mail=_091243A5-1490-4C1A-9109-BD80417204B6--


From nobody Mon Jul 23 12:51:05 2018
Return-Path: <nalini.elkins@insidethestack.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45B41130E1D for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 12:51:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level: 
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6upSlJ0Du3qX for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 12:50:58 -0700 (PDT)
Received: from sonic311-28.consmr.mail.ne1.yahoo.com (sonic311-28.consmr.mail.ne1.yahoo.com [66.163.188.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 694A012F1A6 for <saag@ietf.org>; Mon, 23 Jul 2018 12:50:58 -0700 (PDT)
Received: from sonic.gate.mail.ne1.yahoo.com by sonic311.consmr.mail.ne1.yahoo.com with HTTP; Mon, 23 Jul 2018 19:50:57 +0000
Date: Mon, 23 Jul 2018 19:50:52 +0000 (UTC)
From: Nalini J Elkins <nalini.elkins@insidethestack.com>
Reply-To: Nalini J Elkins <nalini.elkins@insidethestack.com>
To: Bret Jordan <jordan.ietf@gmail.com>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>,  Adam Montville <adam.w.montville@gmail.com>,  "John R. Levine" <johnl@iecc.com>, "saag@ietf.org" <saag@ietf.org>
Message-ID: <1751939009.1122154.1532375452369@mail.yahoo.com>
In-Reply-To: <425C3EFB-ECD9-4C4C-A4C5-0786600538F9@gmail.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com> <alpine.OSX.2.21.1807212100220.11623@ary.qy> <A04AB4F5-D550-431A-99E2-F2D70BF91847@ gmail.com> <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com> <1775793239.1010578.1532362142537@mail.yahoo.com> <425C3EFB-ECD9-4C4C-A4C5-0786600538F9@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_1122153_1081087599.1532375452366"
X-Mailer: WebService/1.1.12144 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/5dbzbdbEF153BhYXWtw0jOb1oCk>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 19:51:01 -0000

------=_Part_1122153_1081087599.1532375452366
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable




> I think it would be great if we could organize some sort of Bar BOF or even less formal get together to talk about this. Maybe just stay late in one of the room one night???

Sure.  I am working with some of the enterprises to get some concrete examples of what has worked, what has not, and other concerns.
We can maybe even meet in an actual bar!  Let's discuss more as time approaches.

Thanks,
Bret
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Jul 23, 2018, at 10:09 AM, Nalini J Elkins <nalini.elkins@insidethestack.com> wrote:
I am willing to help also.


This is an important problem for enterprises.  You may be familiar with the OPM data breach which was most likely started by a phishing attack.

https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

I wonder if we want to have some type of meeting in Bangkok.
Thanks,

Nalini Elkins
CEO and Founder
Inside Products, Inc.
www.insidethestack.com
(831) 659-8360



________________________________
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Adam Montville <adam.w.montville@gmail.com>; John R. Levine <johnl@iecc.com>
Cc: "saag@ietf.org" <saag@ietf.org>
Sent: Monday, July 23, 2018 8:56 AM
Subject: Re: [saag] stopping (https) phishing



I'd help, too.  This is an important problem.  I think I would favor a RG because
I haven't seen any ideas proposed yet that would have a significant impact on
the problem, though some people seem to be thinking along the right directions.
It's a tough problem.

-Tim



-----Original Message-----
From: saag <saag-bounces@ietf.org> On Behalf Of Adam Montville
Sent: Sunday, July 22, 2018 8:05 AM
To: John R. Levine <johnl@iecc.com>
Cc: saag@ietf.org
Subject: Re: [saag] stopping (https) phishing

Whether a WG or an RG, I’d be interested in helping here.

On Jul 21, 2018, at 8:00 PM, John R. Levine <johnl@iecc.com> wrote:



I for one would really like to see the IETF setup a working group for this
specific topic, it would be good to work through this and find a solution that
works. I would be willing to help out here and will dedicate time to this effort.

I don't think there is enough stuff here to merit WG.  Perhaps talk to the IRTF
about an RG to explore ideas not ready to standardize.





Bret

Sent from my Commodore 128D

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:

On Sat, 21 Jul 2018, Henry Story wrote:


How would this IWoT differ from what CAs were supposed to do?

That is easy. IWoT would be based on institutions that tie into
nation or region based local registries that tie into national anchors that
may tie into federal ones (as in the USA, or Germany).

This sounds a lot like the industry-specific CAs I proposed, only this
depends on a great deal of software that does not exist and probably never
will.




R's,
John

_______________________________________________
saag mailing list
saag@ietf.org
https://www.ietf.org/mailman/listinfo/saag




Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for
Dummies", Please consider the environment before reading this e-mail.
https://jl.ly

------=_Part_1122153_1081087599.1532375452366--


From nobody Mon Jul 23 13:24:32 2018
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D6F8130E25 for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 13:24:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rD6Hd28RqnWP for <saag@ietfa.amsl.com>; Mon, 23 Jul 2018 13:24:26 -0700 (PDT)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F368130F25 for <saag@ietf.org>; Mon, 23 Jul 2018 13:24:26 -0700 (PDT)
Received: by mail-wm0-x230.google.com with SMTP id o18-v6so377702wmc.0 for <saag@ietf.org>; Mon, 23 Jul 2018 13:24:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=wP8Myxu+Q9AwPcxR+4vvUfOIruy3bCq+aPHGT24DIxw=; b=cP+sXb3OlFNexs+7nX/vFUhhVPSUFnvZza9zOH0Z24+JPQxo11YHtZc4/sxlVTGA9U Rqw4/sQFQJ4Ezfm4AwVcgr+i1MzauIwkauh2T/3cX9GYIGsCBcp8pwAMYIkh2IRVxbWZ Wp7kGTXxt2I+SIZm/yf+t32Tejknb4JSEEge+XEn9lwgwke28LmUAbB1vaSfPoUXfK4U zWFVdoXP8EdcnZ2lSPUsXkEnrSM0e8hZxgJAskfl24UCOQE3VTFn/rT8EIWGVQhYp1QS sDKgL1XQn4ukyxOExa0MclBJ4c/i+i20tW6lb6eo3FmvAtpRiQTAFg+rHF9uBDF49Gig 7cmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=wP8Myxu+Q9AwPcxR+4vvUfOIruy3bCq+aPHGT24DIxw=; b=mNhVXnZkpqGsiwvIptiq7Eb13xFaM/4uR4TIXRHtg0fPGESziFKo3awF7JfvmC2dds vNnV/Do3zhfeWiBPPZWZ78V73sENS/YgTPTqy41q8v6gxC12R1qp1nSKe2bjqY772Yis aQ/2Xvg4uV0AszlY8dFDqq8oaUSGdMs8mtR9xc2oHFleXuiGqFT1plYHKkLrmNtkB8+U ogyc7wBnbEd+53EwS4Vu3kreLJ11FJON1Ru0a064Qq0PePS/ZC59Tu5wA4BqDgTKkc0L sjWWepsxAJ8szzajKpvTk6ye2LKsVIsq6b2F3xJlP8dcVFhQvQHNC/D6eKE7LECgbKeI nIyw==
X-Gm-Message-State: AOUpUlHe3+XNbSa0ApfrKFYZwxwmChZVREwQMVDPEQ5TR2wtpOYU7ROB Vx1pTZSLixzJqOHaADo1cgk=
X-Google-Smtp-Source: AAOMgpex1OLMBflz80N+AMMrdN7HTAt0Qww19mHQuXKZpUdaMHWOxi/xF8iY9gV8DpJpuyNJ1lXT+g==
X-Received: by 2002:a1c:2352:: with SMTP id j79-v6mr260147wmj.124.1532377464937;  Mon, 23 Jul 2018 13:24:24 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id b198-v6sm10750698wme.11.2018.07.23.13.24.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 23 Jul 2018 13:24:23 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <DFFCBFCA-8DFB-43EA-AF08-2652AAF6CA45@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_B033E488-76E7-4599-8ECB-64E0E5B2B4A3"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Mon, 23 Jul 2018 23:24:21 +0300
In-Reply-To: <1751939009.1122154.1532375452369@mail.yahoo.com>
Cc: Bret Jordan <jordan.ietf@gmail.com>, "John R. Levine" <johnl@iecc.com>, Security Area Advisory Group <saag@ietf.org>
To: Nalini J Elkins <nalini.elkins@insidethestack.com>
References: <BN6PR14MB1106A4A7FD3B4780029CF6A8835F0@BN6PR14MB1106.namprd14.prod.outlook.com> <20180715004421.246C720024FBA4@ary.qy> <20180715015127.GH33554@straasha.imrryr.org> <BN6PR14MB110681B05B9E6CFB373805BA835E0@BN6PR14MB1106.namprd14.prod.outlook.com> <E019BCFB-54FB-4A53-A308-F2E150AB8B8C@bblfish.net> <CABrd9STZyPvcyf8_KiJ0kVmeJxNdLw6Yj-bLc9g1S8wGUoJQ7w@mail.gmail.com> <8D99AB13-5A8A-4425-8613-03AB228704CE@bblfish.net> <CABrd9SSXyZkvvREQMLKe=U6-AX6M9JJSsw4tbLEoF5LWwn4Q-Q@mail.gmail.com> <31612.1531750339@localhost> <F9331F90-1707-45B3-8DB3-135A0629F7B1@gmail.com> <48DDA580-5502-4A1F-B2BA-9D2639147B80@bblfish.net> <5F5F3CD6-2EB4-4456-96EE-804310BC258B@gmail.com> <0C438763-56A4-42F5-8D4D-7B09A56AE8E9@bblfish.net> <alpine.OSX.2.21.1807211236160.8123@ary.qy> <C3E1A978-C3BF-4916-9790-7C0BBE602DFC@bblfish.net> <alpine.OSX.2.21.1807211431550.9342@ary.qy> <A2D27591-AC7F-4FC2-B537-E1948A5EE477@gmail.com> <alpine.OSX.2.21.1807212100220.11623@ary.qy> <A04AB4F5-D550-431A-99E2-F2D70BF91847@ gmail.com> <BN6PR14MB11065825288876734BA0F36F83560@BN6PR14MB1106.namprd14.prod.outlook.com> <1775793239.1010578.1532362142537@mail.yahoo.com> <425C3EFB-ECD9-4C4C-A4C5-0786600538F9@gmail.com> <1751939009.1122154.1532375452369@mail.yahoo.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/FSF8WFvsCQRCRzsY6qlowmHlxy4>
Subject: Re: [saag] stopping (https) phishing
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Jul 2018 20:24:30 -0000

--Apple-Mail=_B033E488-76E7-4599-8ECB-64E0E5B2B4A3
Content-Type: multipart/alternative;
	boundary="Apple-Mail=_358F7847-6A3E-410E-9D30-ED866DD62DEB"


--Apple-Mail=_358F7847-6A3E-410E-9D30-ED866DD62DEB
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Next IETF no meetings will be scheduled on Friday exactly for things like this.

> On 23 Jul 2018, at 22:50, Nalini J Elkins <nalini.elkins@insidethestack.com> wrote:
>
> > I think it would be great if we could organize some sort of Bar BOF or even less formal get together to talk about this. Maybe just stay late in one of the room one night???
>
> Sure.  I am working with some of the enterprises to get some concrete examples of what has worked, what has not, and other concerns.
>
> We can maybe even meet in an actual bar!   Let's discuss more as time approaches.
>
> Thanks,
> Bret
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>
>> On Jul 23, 2018, at 10:09 AM, Nalini J Elkins <nalini.elkins@insidethestack.com> wrote:
>>
>> I am willing to help also.
>>
>> This is an important problem for enterprises.  You may be familiar with the OPM data breach which was most likely started by a phishing attack.
>>
>> https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
>>
>> I wonder if we want to have some type of meeting in Bangkok.
>> Thanks,
>>
>> Nalini Elkins
>> CEO and Founder
>> Inside Products, Inc.
>> www.insidethestack.com
>> (831) 659-8360
>>
>> ________________________________
>> From: Tim Hollebeek <tim.hollebeek@digicert.com>
>> To: Adam Montville <adam.w.montville@gmail.com>; John R. Levine <johnl@iecc.com>
>> Cc: "saag@ietf.org" <saag@ietf.org>
>> Sent: Monday, July 23, 2018 8:56 AM
>> Subject: Re: [saag] stopping (https) phishing
>>
>> I'd help, too.  This is an important problem.  I think I would favor a RG because
>> I haven't seen any ideas proposed yet that would have a significant impact on
>> the problem, though some people seem to be thinking along the right directions.
>> It's a tough problem.
>>
>> -Tim
>>
>>> -----Original Message-----
>>> From: saag <saag-bounces@ietf.org> On Behalf Of Adam Montville
>>> Sent: Sunday, July 22, 2018 8:05 AM
>>> To: John R. Levine <johnl@iecc.com>
>>> Cc: saag@ietf.org
>>> Subject: Re: [saag] stopping (https) phishing
>>>
>>> Whether a WG or an RG, I’d be interested in helping here.
>>>
>>> On Jul 21, 2018, at 8:00 PM, John R. Levine <johnl@iecc.com> wrote:
>>>
>>>>> I for one would really like to see the IETF setup a working group for this specific topic, it would be good to work through this and find a solution that works. I would be willing to help out here and will dedicate time to this effort.
>>>>
>>>> I don't think there is enough stuff here to merit WG.  Perhaps talk to the IRTF about an RG to explore ideas not ready to standardize.
>>>>
>>>>>
>>>>> Bret
>>>>>
>>>>> Sent from my Commodore 128D
>>>>>
>>>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>>>>
>>>>>> On Jul 21, 2018, at 2:40 PM, John R. Levine <johnl@iecc.com> wrote:
>>>>>>
>>>>>> On Sat, 21 Jul 2018, Henry Story wrote:
>>>>>>>> How would this IWoT differ from what CAs were supposed to do?
>>>>>>>
>>>>>>> That is easy. IWoT would be based on institutions that tie into nation or region based local registries that tie into national anchors that may tie into federal ones (as in the USA, or Germany).
>>>>>>
>>>>>> This sounds a lot like the industry-specific CAs I proposed, only this depends on a great deal of software that does not exist and probably never will.
>>>>>>
>>>>>> R's,
>>>>>> John
>>>>
>>>> Regards,
>>>> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for
>>>> Dummies", Please consider the environment before reading this e-mail.
>>>> https://jl.ly


--Apple-Mail=_358F7847-6A3E-410E-9D30-ED866DD62DEB
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">Next =
IETF no meetings will be scheduled on Friday exactly for things like =
this.<br class=3D""><div><br class=3D""><blockquote type=3D"cite" =
class=3D""><div class=3D"">On 23 Jul 2018, at 22:50, Nalini J Elkins =
&lt;<a href=3D"mailto:nalini.elkins@insidethestack.com" =
class=3D"">nalini.elkins@insidethestack.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div class=3D""><div =
style=3D"background-color: rgb(255, 255, 255); font-family: =
&quot;Helvetica Neue&quot;, Helvetica, Arial, &quot;Lucida Grande&quot;, =
sans-serif; font-size: 16px;" class=3D""><div =
id=3D"yui_3_16_0_ym19_1_1532372591245_39965" class=3D""><br =
class=3D""></div><div class=3D"qtdSeparateBR"><br class=3D""><br =
class=3D""></div><div class=3D"yahoo_quoted" =
id=3D"yui_3_16_0_ym19_1_1532372591245_39969" style=3D"display: =
block;"><div style=3D"font-family: Helvetica Neue, Helvetica, Arial, =
Lucida Grande, sans-serif; font-size: 16px;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_39968" class=3D""><div =
style=3D"font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, =
Lucida Grande, sans-serif; font-size: 16px;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_39967" class=3D""><div =
class=3D"y_msg_container" =
id=3D"yui_3_16_0_ym19_1_1532372591245_39979"><div id=3D"yiv4571483899" =
class=3D""><div id=3D"yui_3_16_0_ym19_1_1532372591245_39985" =
class=3D"">&gt; I think it would be great if we could organize some sort =
of Bar BOF or even less formal get together to talk about this. Maybe =
just stay late in one of the room one night???</div><div =
id=3D"yui_3_16_0_ym19_1_1532372591245_39985" class=3D""><br =
class=3D""></div><div id=3D"yui_3_16_0_ym19_1_1532372591245_39985" =
class=3D"">Sure.&nbsp; I am working with some of the enterprises to get =
some concrete examples of what has worked, what has not, and other =
concerns.</div><div id=3D"yui_3_16_0_ym19_1_1532372591245_39985" =
class=3D""><div class=3D"yiv4571483899" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40052"><br clear=3D"none" =
class=3D"yiv4571483899"></div><div class=3D"yiv4571483899" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40051">We can maybe even meet in =
an actual bar!&nbsp; &nbsp;Let's discuss more as time =
approaches.</div><div class=3D"yiv4571483899" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40050"><br class=3D""></div><div =
class=3D"yiv4571483899" id=3D"yui_3_16_0_ym19_1_1532372591245_39984"><div =
class=3D"yiv4571483899" id=3D"yui_3_16_0_ym19_1_1532372591245_40047">
<div style=3D"font-family: Helvetica; font-size: 14px; font-style: =
normal; font-weight: normal; letter-spacing: normal; text-indent: 0px; =
text-transform: none; white-space: normal; word-spacing: 0px; =
text-decoration: none;" id=3D"yui_3_16_0_ym19_1_1532372591245_40046" =
class=3D""><div class=3D"yiv4571483899" =
style=3D"orphans:2;widows:2;line-height:normal;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40049"><span =
class=3D"yiv4571483899Apple-style-span" =
style=3D"border-collapse:separate;line-height:normal;border-spacing:0px;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40048">Thanks,</span></div><div =
class=3D"yiv4571483899" style=3D"orphans:2;widows:2;line-height:normal;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40045"><span =
class=3D"yiv4571483899Apple-style-span" =
style=3D"border-collapse:separate;line-height:normal;border-spacing:0px;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40044">Bret</span></div><div =
class=3D"yiv4571483899" style=3D"orphans:2;widows:2;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40062"><span =
class=3D"yiv4571483899Apple-style-span" =
style=3D"border-collapse:separate;border-spacing:0px;"><span =
class=3D"yiv4571483899Apple-style-span" =
style=3D"border-collapse:separate;border-spacing:0px;"></span></span><div =
class=3D"yiv4571483899" style=3D"word-wrap:break-word;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40061"><span =
class=3D"yiv4571483899Apple-style-span" =
style=3D"border-collapse:separate;border-spacing:0px;"></span><div =
class=3D"yiv4571483899" style=3D"word-wrap:break-word;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40060"><span =
class=3D"yiv4571483899Apple-style-span" =
style=3D"border-collapse:separate;border-spacing:0px;"></span><div =
class=3D"yiv4571483899" style=3D"word-wrap:break-word;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40059"><span =
class=3D"yiv4571483899Apple-style-span" =
style=3D"border-collapse:separate;border-spacing:0px;"></span><div =
class=3D"yiv4571483899"><font class=3D"yiv4571483899" color=3D"#7c7c7c" =
face=3D"Calibre, Verdana" style=3D"line-height:normal;"><span =
class=3D"yiv4571483899" style=3D"font-size:11px;">PGP =
Fingerprint:&nbsp;</span></font><span class=3D"yiv4571483899" =
style=3D"font-size:11px;"><font class=3D"yiv4571483899" color=3D"#7c7c7c" =
face=3D"Calibre, Verdana">63B4 FC53 680A 6B7D 1447 &nbsp;F2C0 74F8 ACAE =
7415 0050</font></span></div><div class=3D"yiv4571483899" =
style=3D"line-height:normal;" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40058"><span class=3D"yiv4571483899"=
 style=3D"color:rgb(124, 124, 124);font-size:8pt;font-family:Calibre, =
Verdana;" id=3D"yui_3_16_0_ym19_1_1532372591245_40057">"Without =
cryptography vihv vivc ce xhrnrw, however, the only thing that can not =
be unscrambled is an egg."</span></div></div></div></div></div></div>
</div>
<div id=3D"yui_3_16_0_ym19_1_1532372591245_39983" class=3D""><br =
clear=3D"none" class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899"=
 type=3D"cite" id=3D"yui_3_16_0_ym19_1_1532372591245_39982"><div =
class=3D"yiv4571483899yqt3807524914" id=3D"yiv4571483899yqtfd28146"><div =
class=3D"yiv4571483899" id=3D"yui_3_16_0_ym19_1_1532372591245_40064">On =
Jul 23, 2018, at 10:09 AM, Nalini J Elkins &lt;<a rel=3D"nofollow" =
shape=3D"rect" class=3D"yiv4571483899" =
ymailto=3D"mailto:nalini.elkins@insidethestack.com" target=3D"_blank" =
href=3D"mailto:nalini.elkins@insidethestack.com" =
id=3D"yui_3_16_0_ym19_1_1532372591245_40063">nalini.elkins@insidethestack.=
com</a>&gt; wrote:</div><br clear=3D"none" =
class=3D"yiv4571483899Apple-interchange-newline"><div =
class=3D"yiv4571483899" id=3D"yui_3_16_0_ym19_1_1532372591245_39981"><div =
class=3D"yiv4571483899" id=3D"yui_3_16_0_ym19_1_1532372591245_39980">I =
am willing to help also.<br clear=3D"none" class=3D"yiv4571483899"><br =
clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899">This is an important problem for enterprises. =
&nbsp;You may be familiar with the OPM data breach which was most likely =
started by a phishing attack.<br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" class=3D"yiv4571483899"><a =
rel=3D"nofollow" shape=3D"rect" class=3D"yiv4571483899" target=3D"_blank" =
href=3D"https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_=
breach">https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_=
breach</a><br clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899">I wonder if we want to have some type of meeting =
in Bangkok.<br clear=3D"none" class=3D"yiv4571483899">Thanks,<br =
clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899">Nalini Elkins<br clear=3D"none" =
class=3D"yiv4571483899">CEO and Founder<br clear=3D"none" =
class=3D"yiv4571483899">Inside Products, Inc.<br clear=3D"none" =
class=3D"yiv4571483899"><a href=3D"http://www.insidethestack.com" =
class=3D"">www.insidethestack.com</a><br clear=3D"none" =
class=3D"yiv4571483899">(831) 659-8360<br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" class=3D"yiv4571483899"><br =
clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899">________________________________<br clear=3D"none"=
 class=3D"yiv4571483899">From: Tim Hollebeek =
&lt;tim.hollebeek@digicert.com&gt;<br clear=3D"none" =
class=3D"yiv4571483899">To: Adam Montville =
&lt;adam.w.montville@gmail.com&gt;; John R. Levine =
&lt;johnl@iecc.com&gt; <br clear=3D"none" class=3D"yiv4571483899">Cc: =
"saag@ietf.org" &lt;saag@ietf.org&gt;<br clear=3D"none" =
class=3D"yiv4571483899">Sent: Monday, July 23, 2018 8:56 AM<br =
clear=3D"none" class=3D"yiv4571483899">Subject: Re: [saag] stopping =
(https) phishing<br clear=3D"none" class=3D"yiv4571483899"><br =
clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" class=3D"yiv4571483899">I'd =
help, too. &nbsp;This is an important problem. &nbsp;I think I would =
favor a RG because<br clear=3D"none" class=3D"yiv4571483899">I haven't =
seen any ideas proposed yet that would have a significant impact on<br =
clear=3D"none" class=3D"yiv4571483899">the problem, though some people =
seem to be thinking along the right directions.<br clear=3D"none" =
class=3D"yiv4571483899">It's a tough problem.<br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" class=3D"yiv4571483899">-Tim<br=
 clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899" =
type=3D"cite">-----Original Message-----<br clear=3D"none" =
class=3D"yiv4571483899">From: saag &lt;saag-bounces@ietf.org&gt; On =
Behalf Of Adam Montville<br clear=3D"none" class=3D"yiv4571483899">Sent: =
Sunday, July 22, 2018 8:05 AM<br clear=3D"none" =
class=3D"yiv4571483899">To: John R. Levine &lt;johnl@iecc.com&gt;<br =
clear=3D"none" class=3D"yiv4571483899">Cc: saag@ietf.org<br clear=3D"none"=
 class=3D"yiv4571483899">Subject: Re: [saag] stopping (https) =
phishing<br clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899">Whether a WG or an RG, I=E2=80=99d be interested =
in helping here.<br clear=3D"none" class=3D"yiv4571483899"><br =
clear=3D"none" class=3D"yiv4571483899">On Jul 21, 2018, at 8:00 PM, John =
R. Levine &lt;johnl@iecc.com&gt; wrote:<br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899" =
type=3D"cite"><blockquote class=3D"yiv4571483899" type=3D"cite">I for =
one would really like to see the IETF setup a working group for this<br =
clear=3D"none" class=3D"yiv4571483899"></blockquote></blockquote>specific =
topic, it would be good to work through this and find a solution that<br =
clear=3D"none" class=3D"yiv4571483899">works. I would be willing to help =
out here and will dedicate time to this effort.<br clear=3D"none" =
class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899" =
type=3D"cite"><br clear=3D"none" class=3D"yiv4571483899">I don't think =
there is enough stuff here to merit WG. &nbsp;Perhaps talk to the =
IRTF<br clear=3D"none" class=3D"yiv4571483899"></blockquote>about an RG =
to explore ideas not ready to standardize.<br clear=3D"none" =
class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899" =
type=3D"cite"><br clear=3D"none" class=3D"yiv4571483899"><br =
clear=3D"none" class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899"=
 type=3D"cite"><br clear=3D"none" class=3D"yiv4571483899">Bret<br =
clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899">Sent from my Commodore 128D<br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" class=3D"yiv4571483899">PGP =
Fingerprint: 63B4 FC53 680A 6B7D 1447 &nbsp;F2C0 74F8 ACAE 7415 0050<br =
clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899" =
type=3D"cite">On Jul 21, 2018, at 2:40 PM, John R. Levine =
&lt;johnl@iecc.com&gt; wrote:<br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" class=3D"yiv4571483899">On =
Sat, 21 Jul 2018, Henry Story wrote:<br clear=3D"none" =
class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899" =
type=3D"cite"><blockquote class=3D"yiv4571483899" type=3D"cite">How =
would this IWoT differ from what CAs were supposed to do?<br =
clear=3D"none" class=3D"yiv4571483899"></blockquote><br clear=3D"none" =
class=3D"yiv4571483899">That is easy. IWoT would be based on =
institutions that tie into<br clear=3D"none" =
class=3D"yiv4571483899">nation or region based local registries that tie =
into national anchors that<br clear=3D"none" =
class=3D"yiv4571483899"></blockquote></blockquote></blockquote></blockquot=
e>may tie into federal ones (as in the USA, or Germany).<br clear=3D"none"=
 class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899" =
type=3D"cite"><blockquote class=3D"yiv4571483899" =
type=3D"cite"><blockquote class=3D"yiv4571483899" type=3D"cite"><br =
clear=3D"none" class=3D"yiv4571483899">This sounds a lot like the =
industry-specific CAs I proposed, only this<br clear=3D"none" =
class=3D"yiv4571483899"></blockquote></blockquote></blockquote>depends =
on a great deal of software that does not exist and probably never<br =
clear=3D"none" class=3D"yiv4571483899">will.<br clear=3D"none" =
class=3D"yiv4571483899"><blockquote class=3D"yiv4571483899" =
type=3D"cite"><blockquote class=3D"yiv4571483899" =
type=3D"cite"><blockquote class=3D"yiv4571483899" type=3D"cite"><br =
clear=3D"none" class=3D"yiv4571483899">R's,<br clear=3D"none" =
class=3D"yiv4571483899">John<br clear=3D"none" class=3D"yiv4571483899"><br=
 clear=3D"none" =
class=3D"yiv4571483899">_______________________________________________<br=
 clear=3D"none" class=3D"yiv4571483899">saag mailing list<br =
clear=3D"none" class=3D"yiv4571483899">saag@ietf.org<br clear=3D"none" =
class=3D"yiv4571483899">https://www.ietf.org/mailman/listinfo/saag<br =
clear=3D"none" class=3D"yiv4571483899"></blockquote><br clear=3D"none" =
class=3D"yiv4571483899"></blockquote><br clear=3D"none" =
class=3D"yiv4571483899">Regards,<br clear=3D"none" =
class=3D"yiv4571483899">John Levine, johnl@iecc.com, Primary Perpetrator =
of "The Internet for<br clear=3D"none" class=3D"yiv4571483899">Dummies", =
Please consider the environment before reading this e-mail.<br =
clear=3D"none" class=3D"yiv4571483899">https://jl.ly<br clear=3D"none" =
class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899">_______________________________________________<br=
 clear=3D"none" class=3D"yiv4571483899">saag mailing list<br =
clear=3D"none" class=3D"yiv4571483899">saag@ietf.org<br clear=3D"none" =
class=3D"yiv4571483899">https://www.ietf.org/mailman/listinfo/saag<br =
clear=3D"none" class=3D"yiv4571483899"></blockquote><br clear=3D"none" =
class=3D"yiv4571483899">_______________________________________________<br=
 clear=3D"none" class=3D"yiv4571483899">saag mailing list<br =
clear=3D"none" class=3D"yiv4571483899">saag@ietf.org<br clear=3D"none" =
class=3D"yiv4571483899">https://www.ietf.org/mailman/listinfo/saag<br =
clear=3D"none" =
class=3D"yiv4571483899"></blockquote>_____________________________________=
__________<br clear=3D"none" class=3D"yiv4571483899">saag mailing =
list<br clear=3D"none" class=3D"yiv4571483899">saag@ietf.org<br =
clear=3D"none" =
class=3D"yiv4571483899">https://www.ietf.org/mailman/listinfo/saag<br =
clear=3D"none" class=3D"yiv4571483899"><br clear=3D"none" =
class=3D"yiv4571483899">_______________________________________________<br=
 clear=3D"none" class=3D"yiv4571483899">saag mailing list<br =
clear=3D"none" class=3D"yiv4571483899">saag@ietf.org<br clear=3D"none" =
class=3D"yiv4571483899">https://www.ietf.org/mailman/listinfo/saag<br =
clear=3D"none" =
class=3D"yiv4571483899"></div></div></div></blockquote></div><div =
class=3D"yiv4571483899yqt3807524914" id=3D"yiv4571483899yqtfd98429"><br =
clear=3D"none" class=3D"yiv4571483899"></div></div></div></div><br =
class=3D""><br class=3D""></div> </div> </div>  =
</div></div></div>_______________________________________________<br =
class=3D"">saag mailing list<br class=3D""><a =
href=3D"mailto:saag@ietf.org" class=3D"">saag@ietf.org</a><br =
class=3D"">https://www.ietf.org/mailman/listinfo/saag<br =
class=3D""></div></blockquote></div><br class=3D""></body></html>=

--Apple-Mail=_358F7847-6A3E-410E-9D30-ED866DD62DEB--

--Apple-Mail=_B033E488-76E7-4599-8ECB-64E0E5B2B4A3
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP


--Apple-Mail=_B033E488-76E7-4599-8ECB-64E0E5B2B4A3--


From nobody Tue Jul 24 19:44:07 2018
Return-Path: <odonoghue@isoc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 690DD130F5F for <saag@ietfa.amsl.com>; Tue, 24 Jul 2018 19:44:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FetJF6rQjH4N for <saag@ietfa.amsl.com>; Tue, 24 Jul 2018 19:44:02 -0700 (PDT)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0088.outbound.protection.outlook.com [104.47.42.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82329130F53 for <saag@ietf.org>; Tue, 24 Jul 2018 19:44:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XVK7MFrFuIbl8zMx/vNbzOpADWbPIWW/5ZnlzSdn+yQ=; b=0cMf0ihGx71kGNBd6ob9SuMSAtr20/t2a1cXZHslqfhHpEVKM71O+qiOCYUlVJlOwL9PyxW0Xol3wJQs0/jVfn8G9qabArzxMKuqu3HJ/fh5e4MVzCGk3Eb3fwdZesEEU2OG+S6fWKwKDprLs9K16+5f0zeLDli6nk6/d+kPgfM=
Received: from DM2PR06MB909.namprd06.prod.outlook.com (10.141.178.27) by DM2PR06MB398.namprd06.prod.outlook.com (10.141.102.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.973.21; Wed, 25 Jul 2018 02:44:01 +0000
Received: from DM2PR06MB909.namprd06.prod.outlook.com ([fe80::597:b100:1769:f7f7]) by DM2PR06MB909.namprd06.prod.outlook.com ([fe80::597:b100:1769:f7f7%3]) with mapi id 15.20.0973.018; Wed, 25 Jul 2018 02:44:01 +0000
From: Karen O'Donoghue <odonoghue@isoc.org>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: NTP WG report from IETF 102
Thread-Index: AQHUI8FXUsbjT4IpnU+DIWsW+kUb4Q==
Date: Wed, 25 Jul 2018 02:44:01 +0000
Message-ID: <DB6EB214-6242-47C6-B9FE-3A41B67590F7@isoc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=odonoghue@isoc.org; 
x-originating-ip: [98.101.180.98]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: isoc.org does not designate permitted sender hosts)
Content-Type: text/plain; charset="utf-8"
Content-ID: <F14A4AD9E012E146B8E8938B84138592@namprd06.prod.outlook.com>
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-Network-Message-Id: e500e94a-fffe-4ebb-bd10-08d5f1d87a81
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jul 2018 02:44:01.2025 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR06MB398
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/mz_EVTZL5zf5WHF8CVXBfcpb78M>
Subject: [saag] NTP WG report from IETF 102
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 02:44:06 -0000

Just a quick update from last week that I didn’t say from the mic during the saag meeting…

The NTP working group met on Wednesday 18 July. Below are some security related items from that working group.

The following documents have been submitted for publication
MAC for NTP — https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/
NTP BCP — https://datatracker.ietf.org/doc/draft-ietf-ntp-bcp/

The primary security work item for the NTP WG continues to work on Network Time Security (NTS). A small team distributed across Montreal, Sweden, and Germany worked during the hackathon to advance implementations of NTS and to do some basic interop testing. The NTS discussion during the working group meeting primarily involved addressing the changes suggested by https://datatracker.ietf.org/doc/draft-dansarie-nts/ to the core NTS specification
https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/

As always, the more security eyes the better if any of you kind folks have spare cycles (perhaps wait for draft -13 to incorporate the changes from the dansarie draft)


From nobody Mon Jul 30 02:55:06 2018
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D31EF130FF6; Mon, 30 Jul 2018 02:55:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sQG4clah6nk8; Mon, 30 Jul 2018 02:55:03 -0700 (PDT)
Received: from statler.isode.com (Statler.isode.com [62.232.206.189]) by ietfa.amsl.com (Postfix) with ESMTP id 0B479130FEE; Mon, 30 Jul 2018 02:55:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1532944502; d=isode.com; s=june2016; i=@isode.com; bh=SyKQudwV9rSkAA+HWLkPoQPxQq+4zt2EWO1zXsiW7bE=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=r+x2+ZoKgad2bBNq1/lz/f991bRJqcVM7tLZMwszi1arYttiBkkjsiqbjwKaSVG5K+pNLb xB7RacVjvggUKig0OWabLbVUpyaWjn45WnHivPPvG5wRa98oThpD9aazOVUlfuhIO2UVnZ z7jqmTZ4TxcJaWVS871FkaEYXvCrRpM=;
Received: from [172.20.1.215] (dhcp-215.isode.net [172.20.1.215])  by statler.isode.com (submission channel) via TCP with ESMTPSA  id <W17gdQBzxGri@statler.isode.com>; Mon, 30 Jul 2018 10:55:02 +0100
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, "draft-gutmann-scep@ietf.org" <draft-gutmann-scep@ietf.org>, "carl@redhoundsoftware.com" <carl@redhoundsoftware.com>
Cc: "saag@ietf.org" <saag@ietf.org>
References: <152231658869.24008.11321959845877039592.idtracker@ietfa.amsl.com> <1522887334433.4490@cs.auckland.ac.nz> <1525092187804.38190@cs.auckland.ac.nz> <bcb96609-a4fd-faf6-cf07-12b9f1fe7df0@isode.com> <1531471734017.88813@cs.auckland.ac.nz> <1531537625942.57273@cs.auckland.ac.nz>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <bcd1496d-08c8-6e4e-8aec-30e2647c63ad@isode.com>
Date: Mon, 30 Jul 2018 10:55:00 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
In-Reply-To: <1531537625942.57273@cs.auckland.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/2bMmZ1m3ULNET8USWTjjHijLjM8>
Subject: Re: [saag] Comment added to draft-gutmann-scep history
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 09:55:05 -0000

Hi Peter,

I will respond to your long email next week when I have a chance to
catch up with my documents. In the meantime, a quick response to this email:


On 14/07/2018 04:07, Peter Gutmann wrote:
> I wrote:
>
>> I could perhaps add a note somewhere at the start saying that SCEP, like any
>> number of other PKI protocols, uses HTTP as a universal substrate, and that
>> you shouldn't expect that doing something HTTP-ish like setting a Content-
>> type will actually have any effect?  A reference to RFC 3205/BCP 56 should
>> probably accompany that.
> How about this:
>
> -- Snip --
>
> Like many other Internet protocols, SCEP uses HTTP as a universal substrate,
> for more on the implications of this see <xref target="BCP56">BCP 56</xref>.

Referencing the existing version of BCP 56 doesn't sound great, considering
that it is being revised by the HTTPBIS WG.

Also, can you please add some text that SCEP deviates from best current
practices, like correct use of MIME types and non-use of hardcoded paths.

> While SCEP messages are carried over HTTP transport, neither the client nor
> the server is likely to be a conventional HTTP-speaking web server or client,
> providing only the minimum functionality required for HTTP transport, see the
> "HTTP Considerations" section of <xref target="RFC6712">RFC 6712</xref> for
> more on this.  Implementations SHOULD NOT use complex HTTP mechanisms such as
> chunked encoding, Expect/Continue, HTTP redirects, and similar facilities.
>
> To guard against establishing an erroneous connection to any of the myriad
> other devices and services that speak HTTP, SCEP servers MAY choose to respond
> to non-SCEP requests, for example a GET from a web browser,

I understand where you are going with this, but the above is
non-implementable. What is a "non-SCEP request" and how can a SCEP server
determine that the client is a browser? I think the above text can be
made tighter.

>   with an HTML
> diagnostic message notifying the client that they're talking to the wrong
> server or service.  Similarly, clients MAY check for an HTML response from the
> server and report a configuration error, for example that the client is
> connecting to the wrong server or port on a server.

If you change "HTML response" to "text/html", the above is agreeable.

Best Regards,
Alexey

> -- Snip --
>
> The latter is particularly useful, my code has been doing that for quite some
> time to deal with "the client/server is broken, it's not getting
> certificates".  The problem invariably is that they've specified the wrong
> server name/IP address, or forgotten to specify a port so the default 80 is
> used, or there's a proxy in the way that redirects the connection to a web
> server on 80 rather than a SCEP server on 80, or something similar.
>
> Maybe we need an updated BCP 56 that provides info on the general use of HTTP
> as a substrate and how to deal with it that every other HTTP-as-substrate-
> using RFC can refer to (no, I'm not volunteering to write it :-).
>
> Peter.
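
The client-side check discussed in this message, keyed on the text/html media type as the reply suggests, written out as an added example that is not part of the thread or of any SCEP implementation. The function names and the sample responses are constructed for illustration, and the SCEP media types are taken from the SCEP specification rather than from this thread.

```python
# Added example: diagnose what answered a SCEP request, using only the
# status line and the Content-Type media type (no sniffing of the body).
from email.parser import BytesParser

# Media types carried by SCEP responses (from the SCEP specification,
# not from this thread).
SCEP_TYPES = {
    "application/x-pki-message",
    "application/x-x509-ca-cert",
    "application/x-x509-ca-ra-cert",
    "application/x-x509-next-ca-cert",
}

# Constructed sample responses, one per failure mode named in the thread.
SCEP_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n"
           b"Content-Length: 4\r\n\r\n\x30\x82\x01\x0a")
WEB_SERVER = (b"HTTP/1.1 200 OK\r\nContent-Type: text/HTML; charset=UTF-8\r\n"
              b"\r\n<html><body>It works!</body></html>")
PROXY_REDIRECT = (b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/\r\n"
                  b"Content-Type: text/html\r\n\r\n")
NOT_HTTP = b"SSH-2.0-ExampleServer\r\n"

ADVICE = {
    "scep": "response carries a SCEP media type",
    "wrong-service": "text/html reply: wrong server name, address or port?",
    "redirected": "HTTP redirect: is a proxy or web server in the way?",
    "not-http": "peer does not speak HTTP: wrong port?",
    "unexpected": "HTTP reply without a SCEP media type",
}


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    if (len(parts) < 2 or not parts[0].startswith(b"HTTP/")
            or not parts[1].isdigit()):
        raise ValueError("not an HTTP response")
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n",
                                       headersonly=True)
    return int(parts[1]), headers, body


def classify(raw: bytes) -> str:
    """Return a key of ADVICE describing what answered the request."""
    try:
        status, headers, _body = parse_response(raw)
    except ValueError:
        return "not-http"
    # get_content_type() lower-cases the value and drops parameters such
    # as charset, but defaults to text/plain when the header is missing,
    # so a missing header is handled separately.
    has_type = headers.get("Content-Type") is not None
    media_type = headers.get_content_type() if has_type else ""
    if 300 <= status < 400:
        return "redirected"
    if media_type == "text/html":
        return "wrong-service"
    if status == 200 and media_type in SCEP_TYPES:
        return "scep"
    return "unexpected"


if __name__ == "__main__":
    samples = [("SCEP server", SCEP_OK), ("web server", WEB_SERVER),
               ("proxy", PROXY_REDIRECT), ("other service", NOT_HTTP)]
    for name, raw in samples:
        verdict = classify(raw)
        print(f"{name}: {verdict} ({ADVICE[verdict]})")
```
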

