
From nobody Sun Feb  3 22:03:20 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CC96130E09; Sun,  3 Feb 2019 22:03:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZeNWmOyAPXUk; Sun,  3 Feb 2019 22:03:16 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CBFA1294FA; Sun,  3 Feb 2019 22:03:13 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Sun, 3 Feb 2019 22:03:06 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: <draft-ietf-lamps-cms-hash-sig@ietf.org>
CC: 'SPASM' <spasm@ietf.org>
Date: Sun, 3 Feb 2019 22:03:03 -0800
Message-ID: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdS6tWnY+rYQYCEtRz+f4xGhA+pcdw==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/lUmv-NYb4Cj2MANAF3BlHs-4nUU>
Subject: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Feb 2019 06:03:18 -0000

After having read this document through with the intention of doing WGLC
comments, I did not feel that it is ready for progression.  My comments
follow:

1.  There should not be a reference in the abstract.

2.  The document has at least minimal information on how to use this for
issuing a certificate on the public key.  This should be noted in the
abstract.

3.  Section 1 - Introduction - I imagine that there is a fixed number of
times that one can use a single ECDSA private key for signature creation.
(My first guess would be Q, but I have never thought about it before.)  It
would be better to describe what the limitation on the number of signatures
is rather than just saying that it is fixed.  "Limited number of signatures"
might be better than "fixed number of signatures"

4.  Section 1 - It is not clear to me that the HSS/LMS signature algorithm
does have small private keys.  In order to be even slightly efficient (and
possibly even correct, I would need to track this down farther), one needs
to keep state about the entire current path as part of the private key.
This does not seem to be small.  If one did recompute the tree every time
then it would not be low computational cost.

5. Section 2.1 - The two sentences in paragraph #2 about what a signed key
is do not seem to jibe with my understanding of things or to be really
descriptive.  "Each signed public key is represented by the public key for
that layer of the HSS structure signed by the private key at in the previous
level."

6. Section 2.1 - Paragraph #3 - You need to specify the type of stand-alone
tree that you are talking about.  My first read on this was a stand-alone
HSS tree - and that did not make any sense.  Is this really a stand-alone
tree or a stand-alone signature?

7. Section 2.1 - Are "lms_signature" and "lms_signature_on_message" the same
thing?  If so then they should be named in a consistent manner.

8.  Section 3 - As I am sure I have said before, I would really like to see
an id-alg-hss-lms-hashsig-direct version that omits the extra hash
operation.

9.  Section 4 - I think that you should A) repeat the note that a value of L
represents a stand-alone LMS tree w/o HSS.  B) Some text about which
lms_public_key is included here.

10.  Section 5 - I am unclear on what the text about having a random string
as part of the hash computation means.  This does not appear to have
anything to do with the actual value of digestAlgorithms so clarity about
what is being said and why it is of importance would be nice.

11. Section 6.1 - I don't know what is going to happen with this, but EKR
has raised a big stink for the OSCORE document about the idea that one can
reliably save state of the keys.

12.  Section 6.1 - I don't think this is exactly what is said in the CFRG
document.  It states that each tree must be generated independently which
may not be read as the same thing as what this paragraph says.

13.  s/sate/state/

14.  Section 6.2 - I am unclear why this is a security consideration for
this document.  This would seem to be better placed as introductory material
rather than here.  There is nothing about what needs to be dealt with as a
potential problem for implementing what is presented here.

15. Appendix A - if you really mean it about id-alg-mts-hashsig then you
should probably add it to the ASN.1 module as "id-alg-mts-hashsig OBJECT
IDENTIFIER ::= id-alg-hss-lms-hashsig"


Jim




From nobody Mon Feb  4 14:13:39 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E2F3127598; Mon,  4 Feb 2019 14:13:32 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: spasm@ietf.org
Message-ID: <154931841235.28680.4013737926004150819@ietfa.amsl.com>
Date: Mon, 04 Feb 2019 14:13:32 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/B_O06wu8Ar6_IHPgx_ZpWic3Qno>
Subject: [lamps] I-D Action: draft-ietf-lamps-rfc6844bis-05.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Feb 2019 22:13:32 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : DNS Certification Authority Authorization (CAA) Resource Record
        Authors         : Phillip Hallam-Baker
                          Rob Stradling
                          Jacob Hoffman-Andrews
        Filename        : draft-ietf-lamps-rfc6844bis-05.txt
        Pages           : 18
        Date            : 2019-02-04

Abstract:
   The Certification Authority Authorization (CAA) DNS Resource Record
   allows a DNS domain name holder to specify one or more Certification
   Authorities (CAs) authorized to issue certificates for that domain
   name.  CAA Resource Records allow a public Certification Authority to
   implement additional controls to reduce the risk of unintended
   certificate mis-issue.  This document defines the syntax of the CAA
   record and rules for processing CAA records by certificate issuers.

   This document obsoletes RFC 6844.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc6844bis/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-rfc6844bis-05
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-rfc6844bis-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-rfc6844bis-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Feb  5 10:01:56 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F20B3131181 for <spasm@ietfa.amsl.com>; Tue,  5 Feb 2019 10:01:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i_5cbGq8aa5A for <spasm@ietfa.amsl.com>; Tue,  5 Feb 2019 10:01:50 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A755E13117F for <spasm@ietf.org>; Tue,  5 Feb 2019 10:01:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id ADD82300A3C for <spasm@ietf.org>; Tue,  5 Feb 2019 12:43:32 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 4Zr7g4lk-ODJ for <spasm@ietf.org>; Tue,  5 Feb 2019 12:43:30 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 2D27C30046F; Tue,  5 Feb 2019 12:43:30 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com>
Date: Tue, 5 Feb 2019 13:01:46 -0500
Cc: draft-ietf-lamps-cms-hash-sig@ietf.org, SPASM <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com>
References: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ZqPpW8Q2r1vfsRqtE_swtd5xr6U>
Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 18:01:54 -0000

Jim:

Thanks for doing such a careful review.

> 1.  There should not be a reference in the abstract.

Indeed.  Once an RFC number is assigned, it will be easy to replace with
"RFC XXXX".  Until then, this approach helps the reader find the right
document.

> 2.  The document has at least minimal information on how to use this
> for issuing a certificate on the public key.  This should be noted in the
> abstract.

I suggest:

   ... In addition, the algorithm identifier and public key
   syntax are provided. ...

> 3.  Section 1 - Introduction - I imagine that there is a fixed number of
> times that one can use a single ECDSA private key for signature creation.
> (My first guess would be Q, but I have never thought about it before.)  It
> would be better to describe what the limitation on the number of signatures
> is rather than just saying that it is fixed.  "Limited number of signatures"
> might be better than "fixed number of signatures"

The number depends on the size of the tree used.  I think it is too
early in the document to give a way to compute the exact number;
however, it might be useful to say:

   ... The HSS/LMS signature algorithm can only be used for a
   fixed number of signing operations.  The number of signing operations
   depends upon the size of the tree; each node in the tree is used for
   one and only one signing operation. ...

> 4.  Section 1 - It is not clear to me that the HSS/LMS signature algorithm
> does have small private keys.  In order to be even slightly efficient (and
> possibly even correct, I would need to track this down farther), one needs
> to keep state about the entire current path as part of the private key.
> This does not seem to be small.  If one did recompute the tree every time
> then it would not be low computational cost.

[HASHSIG] says:

   ... Private keys can be made very small by appropriate key
   generation, for example, as described in Appendix A. ...

And, Appendix A computes the private key using a Hash function.  So, if
SHA-256 is used, the private key is 256 bits.

> 5. Section 2.1 - The two sentences in paragraph #2 about what a signed key
> is do not seem to jibe with my understanding of things or to be really
> descriptive.  "Each signed public key is represented by the public key for
> that layer of the HSS structure signed by the private key at in the previous
> level."

I do not think it is wrong, and I am not sure what is unclear to you.  I
offer different words to see if this works better:

   An HSS signature as specified in [HASHSIG] carries the number of
   signed public keys (Nspk), followed by that number of signed public
   keys, followed by the LMS signature as described in Section 2.2.  The
   public key for the top-most LMS tree is the public key of the HSS
   system.  The LMS private key in the parent tree signs the LMS public
   key in the child tree, and the LMS private key in the bottom-most
   tree signs the actual message. The signature over the public key and
   the signature over the actual message are LMS signatures as described
   in Section 2.2.

> 6. Section 2.1 - Paragraph #3 - You need to specify the type of stand-alone
> tree that you are talking about.  My first read on this was a stand-alone
> HSS tree - and that did not make any sense.  Is this really a stand-alone
> tree or a stand-alone signature?

It really is a stand-alone HSS tree; a tree with no children.  Is this
more clear?

   The elements of the HSS signature value for a stand-alone tree (a top
   tree with no children) can be summarized as:

> 7. Section 2.1 - Are "lms_signature" and "lms_signature_on_message" the same
> thing?  If so then they should be named in a consistent manner.

Yes.  Fixed in my edit buffer.

> 8.  Section 3 - As I am sure I have said before, I would really like to see
> an id-alg-hss-lms-hashsig-direct version that omits the extra hash
> operation.

As I have said before, the processing in RFC 5652 assumes that a
signature is applied to a message digest.  How would you describe the
processing in this document?

> 9.  Section 4 - I think that you should A) repeat the note that a value of L
> represents a stand-alone LMS tree w/o HSS.  B) Some text about which
> lms_public_key is included here.

It is a stand-alone HSS tree when L = 1.  I will add that.  Regardless,
it contains the public key for the top-most LMS tree.

> 10.  Section 5 - I am unclear on what the text about having a random string
> as part of the hash computation means.  This does not appear to have
> anything to do with the actual value of digestAlgorithms so clarity about
> what is being said and why it is of importance would be nice.

See Section 4.5 in [HASHSIG].  Step 4 says:

     4. set C to a uniformly random n-byte string

And then, it gets passed along in the signature value itself:

      6. return u32str(type) || C || y[0] || ... || y[p-1]

> 11. Section 6.1 - I don't know what is going to happen with this, but EKR
> has raised a big stink for the OSCORE document about the idea that one can
> reliably save state of the keys.

The implementation needs to pay attention.  An HSM makes this easier.

> 12.  Section 6.1 - I don't think this is exactly what is said in the CFRG
> document.  It states that each tree must be generated independently which
> may not be read as the same thing as what this paragraph says.

Yes.  Corrected:

   When generating a LMS key pair, an implementation must generate each
   key pair independently of all other key pairs in the HSS tree.

> 13.  s/sate/state/

Fixed in my edit buffer.

> 14.  Section 6.2 - I am unclear why this is a security consideration for
> this document.  This would seem to be better placed as introductory material
> rather than here.  There is nothing about what needs to be dealt with as a
> potential problem for implementing what is presented here.

Moved to Section 1.3, Algorithm Considerations.

> 15. Appendix A - if you really mean it about id-alg-mts-hashsig then you
> should probably add it to the ASN.1 module as "id-alg-mts-hashsig OBJECT
> IDENTIFIER ::= id-alg-hss-lms-hashsig"

Good idea.

Russ
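The HSS signature layout that items 5, 7, 9 and 10 above turn on (Nspk signed public keys, then the LMS signature on the message, with the random string C carried inside each LM-OTS signature), as an added structural parser that is not part of this thread or of the draft. It follows the byte layout of RFC 8554 ([HASHSIG]) for the SHA-256 parameter sets and does no hash verification; the sample it parses is constructed filler of the right sizes, not a real signature.

```python
"""Added example (not from the thread or the draft): a structural walk of an
HSS signature in the byte layout of RFC 8554 ([HASHSIG]).  It splits the
value into Nspk signed public keys plus the LMS signature on the message,
pulls out the random string C carried in each LM-OTS signature, and derives
how many signing operations the tree parameters allow.  Layout only: no
hash computation or verification.  The sample input is constructed filler."""
import struct

N = 32                                       # n for the SHA-256 parameter sets
LMS_H = {5: 5, 6: 10, 7: 15, 8: 20, 9: 25}   # lms_type -> tree height h (RFC 8554 5.1)
LMOTS_P = {1: 265, 2: 133, 3: 67, 4: 34}     # lmots_type -> number of y[] chunks p (4.1)


def _u32(buf, off):
    """Read a big-endian u32str at off; return (value, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated HSS signature")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def parse_lms_signature(buf, off):
    """lms_signature = u32str(q) || lmots_signature || u32str(lms_type) || path[0..h-1]
    lmots_signature = u32str(lmots_type) || C || y[0] || ... || y[p-1]

    The same layout is used for the signature over a child public key and
    for the signature on the message (items 5 and 7 in the thread)."""
    q, off = _u32(buf, off)
    lmots_type, off = _u32(buf, off)
    if lmots_type not in LMOTS_P:
        raise ValueError("unknown lmots_type %d" % lmots_type)
    c = buf[off:off + N]                     # uniformly random n-byte string C (item 10)
    off += N + LMOTS_P[lmots_type] * N       # skip C and y[0..p-1]
    lms_type, off = _u32(buf, off)
    if lms_type not in LMS_H:
        raise ValueError("unknown lms_type %d" % lms_type)
    off += LMS_H[lms_type] * N               # authentication path, h hash values
    if off > len(buf):
        raise ValueError("truncated LMS signature")
    return {"q": q, "lmots_type": lmots_type, "lms_type": lms_type, "C": c}, off


def parse_lms_public_key(buf, off):
    """lms_public_key = u32str(lms_type) || u32str(lmots_type) || I (16 bytes) || T[1] (n bytes)"""
    lms_type, off = _u32(buf, off)
    lmots_type, off = _u32(buf, off)
    ident = buf[off:off + 16]
    off += 16 + N
    return {"lms_type": lms_type, "lmots_type": lmots_type, "I": ident}, off


def parse_hss_signature(buf):
    """hss_signature = u32str(Nspk) || signed_pub_key[0] || ... || signed_pub_key[Nspk-1] || sig[Nspk]
    with signed_pub_key[i] = sig[i] || pub[i+1].  Nspk = L - 1, so Nspk == 0 is the
    stand-alone tree (L = 1) of items 6 and 9."""
    nspk, off = _u32(buf, 0)
    levels = []
    for _ in range(nspk):
        sig, off = parse_lms_signature(buf, off)
        pub, off = parse_lms_public_key(buf, off)
        levels.append({"lms_signature": sig, "lms_public_key": pub})
    sig_on_message, off = parse_lms_signature(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes after HSS signature")
    return {"Nspk": nspk, "signed_public_keys": levels,
            "lms_signature_on_message": sig_on_message}


def signing_capacity(parsed):
    """Total signing operations the HSS system can perform: each LMS tree has
    2^h leaves, one per signing operation, and the trees multiply across
    levels (item 3: the usable count is the number of leaves)."""
    types = [lvl["lms_signature"]["lms_type"] for lvl in parsed["signed_public_keys"]]
    types.append(parsed["lms_signature_on_message"]["lms_type"])
    total = 1
    for t in types:
        total *= 2 ** LMS_H[t]
    return total


def build_sample(lms_type=5, lmots_type=4, q_values=(3, 17)):
    """CONSTRUCTED filler in the RFC 8554 layout with len(q_values) = L levels;
    not a valid signature, just the right field sizes for the parser."""
    def lms_sig(q):
        return (struct.pack(">II", q, lmots_type) + b"\xC0" * N
                + b"\x11" * (LMOTS_P[lmots_type] * N)
                + struct.pack(">I", lms_type) + b"\x22" * (LMS_H[lms_type] * N))

    def lms_pub():
        return struct.pack(">II", lms_type, lmots_type) + b"\x33" * 16 + b"\x44" * N

    out = struct.pack(">I", len(q_values) - 1)
    for q in q_values[:-1]:
        out += lms_sig(q) + lms_pub()
    return out + lms_sig(q_values[-1])


if __name__ == "__main__":
    parsed = parse_hss_signature(build_sample())
    print("Nspk =", parsed["Nspk"], "leaf q =", parsed["lms_signature_on_message"]["q"],
          "capacity =", signing_capacity(parsed))
```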


From nobody Tue Feb  5 11:26:53 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA1C1130EE0; Tue,  5 Feb 2019 11:26:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.554
X-Spam-Level: 
X-Spam-Status: No, score=-6.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tlfUENUBK3xF; Tue,  5 Feb 2019 11:26:49 -0800 (PST)
Received: from mail1.bemta24.messagelabs.com (mail1.bemta24.messagelabs.com [67.219.250.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06EB61311CD; Tue,  5 Feb 2019 11:26:48 -0800 (PST)
Received: from [67.219.250.196] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-1.bemta.az-b.us-west-2.aws.symcld.net id 17/63-27452-773E95C5; Tue, 05 Feb 2019 19:26:47 +0000
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-20.tower-344.messagelabs.com!1549394806!739764!1
X-Originating-IP: [104.47.37.53]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.31.5; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 9446 invoked from network); 5 Feb 2019 19:26:47 -0000
Received: from mail-cys01nam02lp2053.outbound.protection.outlook.com (HELO NAM02-CY1-obe.outbound.protection.outlook.com) (104.47.37.53) by server-20.tower-344.messagelabs.com with AES256-SHA256 encrypted SMTP; 5 Feb 2019 19:26:47 -0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1617.namprd14.prod.outlook.com (10.171.175.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.17; Tue, 5 Feb 2019 19:26:44 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::34c2:edc4:19ee:d9b0]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::34c2:edc4:19ee:d9b0%10]) with mapi id 15.20.1580.019; Tue, 5 Feb 2019 19:26:44 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Russ Housley <housley@vigilsec.com>, Jim Schaad <ietf@augustcellars.com>
CC: SPASM <spasm@ietf.org>, "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>
Thread-Topic: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
Thread-Index: AdS6tWnY+rYQYCEtRz+f4xGhA+pcdwCx3HYAAALkUpA=
Date: Tue, 5 Feb 2019 19:26:43 +0000
Message-ID: <BN6PR14MB110674EAE004964413155D9F836E0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com> <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com>
In-Reply-To: <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [98.111.253.32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 573767aa-b681-4f9c-cc8e-08d68b9fdcd2
x-ms-traffictypediagnostic: BN6PR14MB1617:
x-microsoft-antispam-prvs: <BN6PR14MB1617CD48F452C18443729473836E0@BN6PR14MB1617.namprd14.prod.outlook.com>
x-forefront-prvs: 0939529DE2
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0503_01D4BD5E.C98EC720"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 573767aa-b681-4f9c-cc8e-08d68b9fdcd2
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Feb 2019 19:26:43.9016 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1617
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/yP6WjwXWRQetMIAbDH-TmKGTsAM>
Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 19:26:52 -0000

------=_NextPart_000_0503_01D4BD5E.C98EC720
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit


> > 11. Section 6.1 - I don't know what is going to happen with this, but
> > EKR has raised a big stink for the OSCORE document about the idea that
> > one can reliably save state of the keys
> 
> The implementation needs to pay attention.  An HSM makes this easier.

Indeed.  We're working with our HSM partners to incorporate these 
algorithms into their products in a foolproof way.  It requires a little
bit of care but it isn't rocket science.

-Tim


------=_NextPart_000_0503_01D4BD5E.C98EC720
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"
------=_NextPart_000_0503_01D4BD5E.C98EC720--


From nobody Tue Feb  5 11:29:15 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 038521311DD; Tue,  5 Feb 2019 11:29:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UYovNO9pQ_ud; Tue,  5 Feb 2019 11:29:11 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF9C01311D8; Tue,  5 Feb 2019 11:29:09 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 5 Feb 2019 11:29:02 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>
CC: <draft-ietf-lamps-cms-hash-sig@ietf.org>, 'SPASM' <spasm@ietf.org>
References: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com> <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com>
In-Reply-To: <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com>
Date: Tue, 5 Feb 2019 11:29:01 -0800
Message-ID: <044301d4bd89$0deca9d0$29c5fd70$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJtmVbCtXybR3YGW+/Bzf76tHcuYQItw3YPpI5gtuA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ng8N8_pcg7vKerD-FqgQkD2RZis>
Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 19:29:14 -0000

> -----Original Message-----
> From: Russ Housley <housley@vigilsec.com>
> Sent: Tuesday, February 5, 2019 10:02 AM
> To: Jim Schaad <ietf@augustcellars.com>
> Cc: draft-ietf-lamps-cms-hash-sig@ietf.org; SPASM <spasm@ietf.org>
> Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
> 
> Jim:
> 
> Thanks for doing such a careful review.
> 
> > 1.  There should not be a reference in the abstract.
> 
> Indeed.  Once an RFC number is assigned, it will be easy to replace with
> "RFC XXXX".  Until then, this approach helps the reader find the right
> document.

Perhaps this paragraph from the id-nits draft should be changed in that
case.

   An Abstract should be complete in itself, so it should contain no
   citations unless they are completely defined within the Abstract.
   Abbreviations appearing in the Abstract should generally be expanded
   in parentheses.  There is a small set of reasonable exceptions to
   this rule; for example, readers don't need to be reminded of what
   "IP" or "TCP" or "MIB" means.  In the end, therefore, this is a
   judgment call, but please err on the side of explicitness.

(I am only ragging you on this because you are the last listed author.)

> 
> > 2.  The document has at least minimal information on how to use this
> > for issuing a certificate on the public key.  This should be
> > noted in the abstract.
> 
> I suggest:
> 
>    ... In addition, the algorithm identifier and public key
>    syntax are provided. ...

Looks good.

> 
> > 3.  Section 1 - Introduction - I imagine that there is a fixed number
> > of times that one can use a single ECDSA private key for signature creation.
> > (My first guess would be Q, but I have never thought about it before.)
> > It would be better to describe what the limitation on the number of
> > signatures is rather than just saying that it is fixed.  "Limited number of
> > signatures" might be better than "fixed number of signatures"
> 
> The number depends on the size of the tree used.  I think it is too early in the
> document to give a way to compute the exact number; however, it might be
> useful to say:
> 
>    ... The HSS/LMS signature algorithm can only be used for a
>    fixed number of signing operations.  The number of signing operations
>    depends upon the size of the tree; each node in the tree is used for one and
>    only one signing operation. ...

You are saying that you don't think a way should be given to compute the
exact number and then you go ahead and give a formula which is both
technically accurate and wrong from the point of view of a CMS signature
usage.  From that point of view the count is the number of leaves in the
tree.  I think up to the semi-colon is sufficient.

> 
> > 4.  Section 1 - It is not clear to me that the HSS/LMS signature
> > algorithm does have small private keys.  In order to be even slightly
> > efficient (and possibly even correct, I would need to track this down
> > farther), one needs to keep state about the entire current path as part of
> > the private key.
> > This does not seem to be small.  If one did recompute the tree every
> > time then it would not be low computational cost.
> 
> [HASHSIG] says:
> 
>    ... Private keys can be made very small by appropriate key
>    generation, for example, as described in Appendix A. ...
> 
> And, Appendix A computes the private key using a Hash function.  So, if SHA-256
> is used, the private key is 256 bits.

Sure - but in that case the computation cost on the signature is not small.
You are then going to do a minimum 32 extra hash operations in the signature
computation.  I don't know the effective range of the coef function so I
don't know if that is noise or not.  But if it is noise then I don't know
that I would consider the range of 1000 hash operations to be low
computational cost.

> 
> > 5. Section 2.1 - The two sentences in paragraph #2 about what a signed
> > key is does not seem to jive with my understanding of things or to be
> > really descriptive.  "Each signed public key is represented by the
> > public key for that layer of the HSS structure signed by the private
> > key at in the previous level."
> 
> I do not think it is wrong, and I am not sure what is unclear to you.  I offer
> different words to see if this works better:
> 
>    An HSS signature as specified in [HASHSIG] carries the number of
>    signed public keys (Nspk), followed by that number of signed public
>    keys, followed by the LMS signature as described in Section 2.2.  The
>    public key for the top-most LMS tree is the public key of the HSS
>    system.  The LMS private key in the parent tree signs the LMS public
>    key in the child tree, and the LMS private key in the bottom-most
>    tree signs the actual message. The signature over the public key and
>    the signature over the actual message are LMS signatures as described
>    in Section 2.2.

Yes that is clearer.

> 
> > 6. Section 2.1 - Paragraph #3 - You need to specify the type of
> > stand-alone tree that you are talking about.  My first read on this
> > was a stand-alone HSS tree - and that did not make any sense.  Is this
> > really a stand-alone tree or a stand-alone signature?
> 
> It really is a stand alone HSS tree; a tree with no children.  Is this more clear?
> 
>    The elements of the HSS signature value for a stand-alone tree (a top
>    tree with no children) can be summarized as:

Given that you now define a stand-alone tree that is fine.  It just does not
jive with my idea of a stand-alone tree.

> 
> > 7. Section 2.1 - Are "lms_signature" and "lms_signature_on_message"
> > the same thing?  If so then they should be named in a consistent manner.
> 
> Yes.  Fixed in my edit buffer.
> 
> > 8.  Section 3 - As I am sure I have said before, I would really like
> > to see an id-alg-hss-lms-hashsig-direct version that omits the extra
> > hash operation.
> 
> As I have said before, the processing in RFC 5652 assumes that a signature is
> applied to a message digest.  How would you describe the processing in this
> document?

No, it does not assume that.  It assumes that the signature is applied to a
message.  For a signed CMS message with attributes, the message that is
signed is the DER encoded attributes.  The fact that the signature operation
does (or does not) apply a hash function internally is not part of CMS; it is
part of the signature operation.  The signature function is
sha256-with-RSA-encryption; it is not RSA-encryption.  Please remember that
using EdDSA signatures does not have that extra hash operation but signs the
encoded attributes directly.  In section 4.5 of the McGrew document there is
no inherent limitation on the length of "message" as there is with RSA, where
the message is limited to the number of bits of the key.

If you say that the hash function needs to be applied before the signature
operation then the following is correct.

IF (signed attributes are absent)
THEN message = content
ELSE  message-digest attribute = Hash(content)
      message = DER(SignedAttributes)

IF (doing direct)   // or if EdDSA
THEN md = message
ELSE  md = Hash(message)

Sign(md)


You could also skip the second IF statement if you wanted to say that the
function is "Sign(md, Hash)".  In my source code the hash function is not
part of the CMS processing; it is part of the cryptographic operation.  This
means that I would use "Sign(message)" and forget about the extra hash
operation entirely.

> 
> > 9.  Section 4 - I think that you should A) repeat the note that a
> > value of L represents a stand-alone LMS tree w/o HSS.  B) Some text
> > about which lms_public_key is included here.
> 
> It is a stand alone HSS tree when L = 1.  I will add that.  Regardless, it contains
> the public key for the top-most LMS tree.

I think that should be fine.

> 
> > 10.  Section 5 - I am unclear on what the text about having a random
> > string as part of the hash computation means.  This does not appear to
> > have anything to do with the actual value of digestAlgorithms so
> > clarity about what is being said and why it is of importance would be
> > nice
> 
> See Section 4.5 in [HASHSIG].  Step 4 says:
> 
>      4. set C to a uniformly random n-byte string
> 
> And then, it gets passed along in the signature value itself:
> 
>       6. return u32str(type) || C || y[0] || ... || y[p-1]
> 

Right, so this would seem to be something that can be said in the security
considerations about the strength of the hash function, but is nothing like
the seeded hash functions of RFC 6210, where a random number was generated and
carried in the parameters area of the hash function.

> > 11. Section 6.1 - I don't know what is going to happen with this, but
> > EKR has raised a big stink for the OSCORE document about the idea that
> > one can reliably save state of the keys
> 
> The implementation needs to pay attention.  An HSM makes this easier.
> 
> > 12.  Section 6.1 - I don't think this is exactly what is said in the
> > CFRG document.  It states that each tree must be generated
> > independently which may not be read as the same thing as what this
> paragraph says.
> 
> Yes.  Corrected:
> 
>    When generating a LMS key pair, an implementation must generate each
>    key pair independently of all other key pairs in the HSS tree.
> 
> > 13.  s/sate/state/
> 
> Fixed in my edit buffer.
> 
> > 14.  Section 6.2 - I am unclear why this is a security consideration
> > for this document.  This would seem to be better placed as
> > introductory material rather than here.  There is nothing about what
> > needs to be dealt with as a potential problem for implementing what is
> presented here.
> 
> Moved to Section 1.3, Algorithm Considerations.
> 
> > 15. Appendix A - if you really mean it about id-alg-mts-hashsig then
> > you should probably add it to the ASN.1 module as "id-alg-mts-hashsig
> > OBJECT IDENTIFIER ::= id-alg-hss-lms-hashsig"
> 
> Good idea.

Jim

> 
> Russ
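As an added illustration of the processing sketched in the message above (this is not code from the draft, from RFC 5652, or from either participant): a minimal DER builder for SignedAttributes and a function that returns exactly what the signature operation receives in the "direct" and "extra hash" cases. The attribute set (only content-type and message-digest) and the sample content are constructed for the example.

```python
"""Builds the CMS "message" for a SignerInfo and shows what gets signed.

Added example, not code from the draft or RFC 5652. It follows the
pseudocode in the mail above: with signed attributes present, the
message-digest attribute carries Hash(content) and the message is the DER
of SignedAttributes; the signature function then receives either the
message itself ("direct", as EdDSA does) or Hash(message) (the extra hash).
"""
import hashlib

# OID contents octets, written out by hand for this example.
OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_ID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def hash_of(data, hash_name="sha256"):
    """The digest algorithm named in SignerInfo.digestAlgorithm."""
    return hashlib.new(hash_name, data).digest()


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    """Encode one TLV; tag is the single identifier octet."""
    return bytes([tag]) + _der_length(len(payload)) + payload


def attribute(oid_body, value_der):
    """Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF }."""
    return der(0x30, der(0x06, oid_body) + der(0x31, value_der))


def signed_attributes(content, hash_name="sha256"):
    """DER of SignedAttributes carrying content-type and message-digest.

    RFC 5652 section 5.4: for the signature computation the outer tag is the
    EXPLICIT SET OF tag (0x31), not the [0] IMPLICIT tag used on the wire.
    DER also orders a SET OF by the encodings of its elements.
    """
    attrs = [
        attribute(OID_CONTENT_TYPE, der(0x06, OID_ID_DATA)),
        attribute(OID_MESSAGE_DIGEST, der(0x04, hash_of(content, hash_name))),
    ]
    return der(0x31, b"".join(sorted(attrs)))


def cms_signature_input(content, with_attrs, direct, hash_name="sha256"):
    """Return the bytes handed to Sign(), following the two IF blocks above.

    with_attrs: SignerInfo carries signedAttrs (the normal case).
    direct:     the signature algorithm consumes the message itself; False
                models the extra Hash(message) step discussed in the thread.
    """
    message = signed_attributes(content, hash_name) if with_attrs else content
    return message if direct else hash_of(message, hash_name)


if __name__ == "__main__":
    sample = b"constructed sample content"  # constructed input
    print("direct input (DER SignedAttributes):",
          cms_signature_input(sample, True, True).hex())
    print("hashed input:", cms_signature_input(sample, True, False).hex())
```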



From nobody Tue Feb  5 11:55:15 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF752131211; Tue,  5 Feb 2019 11:55:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qv5QsuCA7-RY; Tue,  5 Feb 2019 11:55:12 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2C9E131210; Tue,  5 Feb 2019 11:55:11 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 5 Feb 2019 11:55:06 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Tim Hollebeek' <tim.hollebeek@digicert.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>, <draft-ietf-lamps-cms-hash-sig@ietf.org>
References: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com> <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com> <BN6PR14MB110674EAE004964413155D9F836E0@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB110674EAE004964413155D9F836E0@BN6PR14MB1106.namprd14.prod.outlook.com>
Date: Tue, 5 Feb 2019 11:55:05 -0800
Message-ID: <045701d4bd8c$b23584f0$16a08ed0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJtmVbCtXybR3YGW+/Bzf76tHcuYQItw3YPAnbiXyekesEW8A==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/UrrvB7aziek2hLsFpWwpVvdmpoA>
Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 19:55:14 -0000

> -----Original Message-----
> From: Tim Hollebeek <tim.hollebeek@digicert.com>
> Sent: Tuesday, February 5, 2019 11:27 AM
> To: Russ Housley <housley@vigilsec.com>; Jim Schaad
> <ietf@augustcellars.com>
> Cc: SPASM <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
> Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
> 
> 
> > > 11. Section 6.1 - I don't know what is going to happen with this, but
> > > EKR has raised a big stink for the OSCORE document about the idea that
> > > one can reliably save state of the keys
> >
> > The implementation needs to pay attention.  An HSM makes this easier.
> 
> Indeed.  We're working with our HSM partners to incorporate these
> algorithms into their products in a foolproof way.  It requires a little
> bit of care but it isn't rocket science.
> 
> -Tim

Sure - if you put it into an HSM then this should be fine.  Are you going to
put in a statement that signature creation can ONLY be done from an HSM and
thus it is never to be implemented in software?  

Jim



From nobody Tue Feb  5 12:40:34 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C19913125B; Tue,  5 Feb 2019 12:40:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.553
X-Spam-Level: 
X-Spam-Status: No, score=-6.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0K_I2QK5Wt6G; Tue,  5 Feb 2019 12:40:29 -0800 (PST)
Received: from mail1.bemta24.messagelabs.com (mail1.bemta24.messagelabs.com [67.219.250.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A68D2131267; Tue,  5 Feb 2019 12:40:21 -0800 (PST)
Received: from [67.219.250.196] (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256 bits)) by server-2.bemta.az-b.us-west-2.aws.symcld.net id EF/1F-16789-4B4F95C5; Tue, 05 Feb 2019 20:40:20 +0000
X-Env-Sender: tim.hollebeek@digicert.com
X-Msg-Ref: server-22.tower-344.messagelabs.com!1549399218!741786!1
X-Originating-IP: [104.47.33.54]
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-StarScan-Received: 
X-StarScan-Version: 9.31.5; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 25722 invoked from network); 5 Feb 2019 20:40:19 -0000
Received: from mail-bn3nam01lp2054.outbound.protection.outlook.com (HELO NAM01-BN3-obe.outbound.protection.outlook.com) (104.47.33.54) by server-22.tower-344.messagelabs.com with AES256-GCM-SHA384 encrypted SMTP;  5 Feb 2019 20:40:19 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=digicert.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=95HuiOULDNL//lxpM05nPQzzq3zwA9W/qSpd3Yvm2Gk=; b=DuIvdV/eVzC4RHPR3yYcImvEtBkyCDyS6ROYXoAFJuBh6t3xvOuftZwGE55JF+u2UY6EP5dJ+l7c+TiypedI8shyv/ze2oV+aAYQvCCINBwZ81EL9Fs4rNEVOombrr95AOvP9BOLz2R/INgT7Xlvta5DyBRxHXiBH8+o2ByGbg8=
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1154.namprd14.prod.outlook.com (10.173.160.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.17; Tue, 5 Feb 2019 20:40:17 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::34c2:edc4:19ee:d9b0]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::34c2:edc4:19ee:d9b0%10]) with mapi id 15.20.1580.019; Tue, 5 Feb 2019 20:40:17 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>, "draft-ietf-lamps-cms-hash-sig@ietf.org" <draft-ietf-lamps-cms-hash-sig@ietf.org>
Thread-Topic: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
Thread-Index: AdS6tWnY+rYQYCEtRz+f4xGhA+pcdwCx3HYAAALkUpAAARDPgAABjjKA
Date: Tue, 5 Feb 2019 20:40:16 +0000
Message-ID: <BN6PR14MB1106A62515F38465244E9EF3836E0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com> <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com> <BN6PR14MB110674EAE004964413155D9F836E0@BN6PR14MB1106.namprd14.prod.outlook.com> <045701d4bd8c$b23584f0$16a08ed0$@augustcellars.com>
In-Reply-To: <045701d4bd8c$b23584f0$16a08ed0$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
x-originating-ip: [98.111.253.32]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 76e2f833-2359-4c20-51bf-08d68baa2345
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(2017052603328)(7153060)(49563074)(7193020); SRVR:BN6PR14MB1154; 
x-ms-traffictypediagnostic: BN6PR14MB1154:
x-microsoft-antispam-prvs: <BN6PR14MB115483CE6355E293255530D5836E0@BN6PR14MB1154.namprd14.prod.outlook.com>
x-forefront-prvs: 0939529DE2
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0558_01D4BD69.10051010"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 76e2f833-2359-4c20-51bf-08d68baa2345
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Feb 2019 20:40:17.0599 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1154
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kwCvxY6Briufkno87_CZYUaVVOc>
Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 20:40:32 -0000

------=_NextPart_000_0558_01D4BD69.10051010
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Nope - but well designed software APIs can also help.

-Tim

> -----Original Message-----
> From: Jim Schaad <ietf@augustcellars.com>
> Sent: Tuesday, February 5, 2019 2:55 PM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>; 'Russ Housley'
> <housley@vigilsec.com>
> Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
> Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
> 
> 
> 
> > -----Original Message-----
> > From: Tim Hollebeek <tim.hollebeek@digicert.com>
> > Sent: Tuesday, February 5, 2019 11:27 AM
> > To: Russ Housley <housley@vigilsec.com>; Jim Schaad
> > <ietf@augustcellars.com>
> > Cc: SPASM <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
> > Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
> >
> >
> > > > 11. Section 6.1 - I don't know what is going to happen with this,
> > > > but EKR has raised a big stink for the OSCORE document about the
> > > > idea that one can reliably save state of the keys
> > >
> > > The implementation needs to pay attention.  An HSM makes this easier.
> >
> > Indeed.  We're working with our HSM partners to incorporate these
> > algorithms into their products in a foolproof way.  It requires a
> > little bit of care but it isn't rocket science.
> >
> > -Tim
> 
> Sure - if you put it into an HSM then this should be fine.  Are you going to put
> in a statement that signature creation can ONLY be done from an HSM and
> thus it is never to be implemented in software?
> 
> Jim
> 


------=_NextPart_000_0558_01D4BD69.10051010
Content-Type: application/pkcs7-signature;
	name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7s"
------=_NextPart_000_0558_01D4BD69.10051010--


From nobody Tue Feb  5 12:59:54 2019
Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98B7513128F; Tue,  5 Feb 2019 12:59:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.153
X-Spam-Level: 
X-Spam-Status: No, score=-10.153 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UuBOJhFs0snj; Tue,  5 Feb 2019 12:59:51 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E2F213128D; Tue,  5 Feb 2019 12:59:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version: Date:Message-ID:From:References:To:Subject:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=q5Ci8yVnq1r5dWcMoWBqLxPQNodaxeSfzmdxJcjEGrg=; b=lU+MEIvvww58Ec2sWHaA0zyT3n 0Xm3Gd0q2WNRnnB30sDDHb3J4JWNs6kXaXPWnxFfP7KcQowX8W3Nh3yyonrA+4uYXf+xNYks8fMKV r7wt4+NdrJrPQqCEJ27UKvm8VNTlGCP03wwXJu4dCuoLOvrVfyzwHUDvvRd9zAaPWg9k=;
Received: ; Tue, 05 Feb 2019 12:59:47 -0800
To: Eric Rescorla <ekr@rtfm.com>, draft-ietf-lamps-rfc6844bis@ietf.org, SPASM <spasm@ietf.org>
References: <CABcZeBPdj5QusZH7uvB6Vr_y7b-RAnK+2wTy4CH_i5b696xJcg@mail.gmail.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <a84dc2c7-1654-914c-f099-8a69f5ded6e7@eff.org>
Date: Tue, 5 Feb 2019 12:59:46 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBPdj5QusZH7uvB6Vr_y7b-RAnK+2wTy4CH_i5b696xJcg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/lVZ-6IZ_ddx1_WAeLwoJQ1YTB2w>
Subject: Re: [lamps] AD Review: draft-ietf-lamps-rfc6844bis-04
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 20:59:53 -0000

On 12/24/18 1:32 PM, Eric Rescorla wrote:
> Rich version of this review at:
> https://mozphab-ietf.devsvcdev.mozaws.net/D5745
I've resolved all these comments in 
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-rfc6844bis-05.

Thanks,
Jacob


From nobody Tue Feb  5 13:19:39 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1BAC13125F; Tue,  5 Feb 2019 13:19:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CQ5DtjzP2Gt5; Tue,  5 Feb 2019 13:19:34 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41CAA130E25; Tue,  5 Feb 2019 13:19:34 -0800 (PST)
Received: from Jude (50.252.25.182) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 5 Feb 2019 13:19:27 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Tim Hollebeek' <tim.hollebeek@digicert.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>, <draft-ietf-lamps-cms-hash-sig@ietf.org>
References: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com> <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com> <BN6PR14MB110674EAE004964413155D9F836E0@BN6PR14MB1106.namprd14.prod.outlook.com> <045701d4bd8c$b23584f0$16a08ed0$@augustcellars.com> <BN6PR14MB1106A62515F38465244E9EF3836E0@BN6PR14MB1106.namprd14.prod.outlook.com>
In-Reply-To: <BN6PR14MB1106A62515F38465244E9EF3836E0@BN6PR14MB1106.namprd14.prod.outlook.com>
Date: Tue, 5 Feb 2019 13:19:23 -0800
Message-ID: <046e01d4bd98$7942b300$6bc81900$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJtmVbCtXybR3YGW+/Bzf76tHcuYQItw3YPAnbiXycBrYLArAE4xBlcpGOmAdA=
Content-Language: en-us
X-Originating-IP: [50.252.25.182]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JeJoRyO_TKMa3xKdmSHcM6ib0BM>
Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 21:19:37 -0000

Given that what EKR was worrying about was things like what happens if the
computer crashes between the point where you generate the signature and the
data gets flushed back to the hard disk, I don't think that saying something
like the statement below is going to be satisfactory.  For OSCORE the
document discussed a situation where you were writing back an updated IV
counter that would be "significantly" higher than the last one used for the
purpose of dealing with that delay, and it was not considered to be
sufficient by him.

Jim


> -----Original Message-----
> From: Tim Hollebeek <tim.hollebeek@digicert.com>
> Sent: Tuesday, February 5, 2019 12:40 PM
> To: Jim Schaad <ietf@augustcellars.com>; 'Russ Housley'
> <housley@vigilsec.com>
> Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
> Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
> 
> Nope - but well designed software APIs can also help.
> 
> -Tim
> 
> > -----Original Message-----
> > From: Jim Schaad <ietf@augustcellars.com>
> > Sent: Tuesday, February 5, 2019 2:55 PM
> > To: Tim Hollebeek <tim.hollebeek@digicert.com>; 'Russ Housley'
> > <housley@vigilsec.com>
> > Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
> > Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
> >
> >
> >
> > > -----Original Message-----
> > > From: Tim Hollebeek <tim.hollebeek@digicert.com>
> > > Sent: Tuesday, February 5, 2019 11:27 AM
> > > To: Russ Housley <housley@vigilsec.com>; Jim Schaad
> > > <ietf@augustcellars.com>
> > > Cc: SPASM <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
> > > Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
> > >
> > >
> > > > > 11. Section 6.1 - I don't know what is going to happen with this,
> > > > > but EKR has raised a big stink for the OSCORE document about the
> > > > > idea that one can reliably save state of the keys
> > > >
> > > > The implementation needs to pay attention.  An HSM makes this easier.
> > >
> > > Indeed.  We're working with our HSM partners to incorporate these
> > > algorithms into their products in a foolproof way.  It requires a
> > > little bit of care but it isn't rocket science.
> > >
> > > -Tim
> >
> > Sure - if you put it into an HSM then this should be fine.  Are you going to put
> > in a statement that signature creation can ONLY be done from an HSM and
> > thus it is never to be implemented in software?
> >
> > Jim
> >



From nobody Tue Feb  5 14:32:58 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8E03131317 for <spasm@ietfa.amsl.com>; Tue,  5 Feb 2019 14:32:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VbpEU5g-2HTz for <spasm@ietfa.amsl.com>; Tue,  5 Feb 2019 14:32:53 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B57F8131316 for <spasm@ietf.org>; Tue,  5 Feb 2019 14:32:53 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 16CF7300AB4 for <spasm@ietf.org>; Tue,  5 Feb 2019 17:14:36 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ZXByiJM3WRWb for <spasm@ietf.org>; Tue,  5 Feb 2019 17:14:34 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id D238F300471; Tue,  5 Feb 2019 17:14:33 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <046e01d4bd98$7942b300$6bc81900$@augustcellars.com>
Date: Tue, 5 Feb 2019 17:32:50 -0500
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>, SPASM <spasm@ietf.org>, draft-ietf-lamps-cms-hash-sig@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <896B9A79-A4A5-42A4-8A17-E8F642062BD7@vigilsec.com>
References: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com> <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com> <BN6PR14MB110674EAE004964413155D9F836E0@BN6PR14MB1106.namprd14.prod.outlook.com> <045701d4bd8c$b23584f0$16a08ed0$@augustcellars.com> <BN6PR14MB1106A62515F38465244E9EF3836E0@BN6PR14MB1106.namprd14.prod.outlook.com> <046e01d4bd98$7942b300$6bc81900$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/CgUW3fwEhN2c7Fnv956BHm90QEM>
Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 22:32:57 -0000

Jim:

The Security Considerations of [HASHSIG] are pretty clear, and RFC 8391 has a similar security concern when a node in the tree gets used more than once.

Russ


> On Feb 5, 2019, at 4:19 PM, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> Given that what EKR was worrying about was things like - what happens if the
> computer crashes between the point where you generate the signature and the
> data gets flushed back to the hard disk, I don't think that saying something
> like the statement below is going to be satisfactory.  For OSCORE the
> document discussed a situation where you were writing back an updated IV
> counter that would be "significantly" higher than the last one used for the
> purpose of dealing with that delay and it was not considered to be
> sufficient by him.
> 
> Jim
> 
> 
>> -----Original Message-----
>> From: Tim Hollebeek <tim.hollebeek@digicert.com>
>> Sent: Tuesday, February 5, 2019 12:40 PM
>> To: Jim Schaad <ietf@augustcellars.com>; 'Russ Housley'
>> <housley@vigilsec.com>
>> Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
>> Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
>> 
>> Nope - but well designed software APIs can also help.
>> 
>> -Tim
>> 
>>> -----Original Message-----
>>> From: Jim Schaad <ietf@augustcellars.com>
>>> Sent: Tuesday, February 5, 2019 2:55 PM
>>> To: Tim Hollebeek <tim.hollebeek@digicert.com>; 'Russ Housley'
>>> <housley@vigilsec.com>
>>> Cc: 'SPASM' <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
>>> Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
>>> 
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: Tim Hollebeek <tim.hollebeek@digicert.com>
>>>> Sent: Tuesday, February 5, 2019 11:27 AM
>>>> To: Russ Housley <housley@vigilsec.com>; Jim Schaad
>>>> <ietf@augustcellars.com>
>>>> Cc: SPASM <spasm@ietf.org>; draft-ietf-lamps-cms-hash-sig@ietf.org
>>>> Subject: RE: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
>>>> 
>>>> 
>>>>>> 11. Section 6.1 - I don't know what is going to happen with this,
>>>>>> but EKR has raised a big stink for the OSCORE document about the
>>>>>> idea that one can reliably save state of the keys
>>>>> 
>>>>> The implementation needs to pay attention.  An HSM makes this easier.
>>>> 
>>>> Indeed.  We're working with our HSM partners to incorporate these
>>>> algorithms into their products in a foolproof way.  It requires a
>>>> little bit of care but it isn't rocket science.
>>>> 
>>>> -Tim
>>> 
>>> Sure - if you put it into an HSM then this should be fine.  Are you going to put
>>> in a statement that signature creation can ONLY be done from an HSM and
>>> thus it is never to be implemented in software?
>>> 
>>> Jim
>>> 
> 
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
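The crash window Jim and Russ are arguing about above (the signature leaves the box before the updated key index reaches disk, so the same one-time key can be used twice) is easiest to see in code. The following Python is an added example, not code from the thread, the draft, or [HASHSIG]: a toy Lamport one-time signature whose per-leaf secrets are derived from a 32-byte seed (the small-private-key style of Appendix A that Russ cites), wrapped in a signer that commits and fsyncs the next leaf index before it computes a signature, beside the unsafe sign-then-persist ordering. The state-file layout, the `CrashSimulated` hook, `sign_unsafe` and `revealed_positions` are my own constructions for illustration.

```python
import hashlib
import json
import os
import tempfile


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def ots_secret(seed: bytes, leaf: int, i: int, b: int) -> bytes:
    # Secret for bit position i / bit value b of one-time key number `leaf`,
    # derived from the seed so the private key is only the seed plus an index.
    return H(seed, leaf.to_bytes(4, "big"), i.to_bytes(2, "big"), bytes([b]))


def ots_public(seed: bytes, leaf: int):
    return [[H(ots_secret(seed, leaf, i, b)) for b in (0, 1)] for i in range(256)]


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def ots_sign(seed: bytes, leaf: int, msg: bytes):
    # Lamport: reveal, for every digest bit, the secret matching that bit value.
    return [ots_secret(seed, leaf, i, b) for i, b in enumerate(_bits(msg))]


def ots_verify(pub, msg: bytes, sig) -> bool:
    return all(H(s) == pub[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))


class CrashSimulated(Exception):
    pass


class StatefulSigner:
    """Next unused leaf index lives in a JSON state file (constructed layout)."""

    def __init__(self, seed: bytes, state_path: str, leaves: int = 8):
        self.seed, self.path, self.leaves = seed, state_path, leaves
        if not os.path.exists(state_path):
            self._commit(0)

    def _read(self) -> int:
        with open(self.path) as f:
            return json.load(f)["next_leaf"]

    def _commit(self, next_leaf: int) -> None:
        # Temp file + fsync + atomic replace + directory fsync: the new index
        # is durable on disk before this returns.
        d = os.path.dirname(self.path) or "."
        fd, tmp = tempfile.mkstemp(dir=d)
        with os.fdopen(fd, "w") as f:
            json.dump({"next_leaf": next_leaf}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        dfd = os.open(d, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)

    def sign(self, msg: bytes, crash_after_commit: bool = False):
        """Safe order: reserve the leaf on disk, then sign. A crash in between
        wastes that leaf but can never cause it to be used twice."""
        leaf = self._read()
        if leaf >= self.leaves:
            raise RuntimeError("all one-time keys used")
        self._commit(leaf + 1)
        if crash_after_commit:
            raise CrashSimulated()
        return leaf, ots_sign(self.seed, leaf, msg)

    def sign_unsafe(self, msg: bytes, crash_before_commit: bool = False):
        """Unsafe order: sign and release the signature, then persist. If the
        process dies before the commit, the restarted signer reuses the leaf."""
        leaf = self._read()
        sig = ots_sign(self.seed, leaf, msg)
        if not crash_before_commit:
            self._commit(leaf + 1)
        return leaf, sig


def revealed_positions(sig_a, sig_b) -> int:
    """Bit positions where two signatures under the same leaf expose *both*
    secrets; anything above 0 means that one-time key is compromised."""
    return sum(1 for a, b in zip(sig_a, sig_b) if a != b)


def demo(tmpdir: str = None) -> dict:
    tmpdir = tmpdir or tempfile.mkdtemp()
    seed = H(b"constructed demo seed")
    safe_state = os.path.join(tmpdir, "safe.json")
    leaf0, sig0 = StatefulSigner(seed, safe_state).sign(b"first")
    try:
        StatefulSigner(seed, safe_state).sign(b"second", crash_after_commit=True)
    except CrashSimulated:
        pass
    leaf2, sig2 = StatefulSigner(seed, safe_state).sign(b"second")  # after restart

    unsafe_state = os.path.join(tmpdir, "unsafe.json")
    u_leaf, u_sig = StatefulSigner(seed, unsafe_state).sign_unsafe(b"first", crash_before_commit=True)
    r_leaf, r_sig = StatefulSigner(seed, unsafe_state).sign_unsafe(b"second")  # after restart
    return {
        "safe_leaves": (leaf0, leaf2),          # leaf 1 is wasted, never reused
        "safe_verify": ots_verify(ots_public(seed, leaf0), b"first", sig0)
        and ots_verify(ots_public(seed, leaf2), b"second", sig2),
        "unsafe_leaves": (u_leaf, r_leaf),      # same leaf signed twice
        "unsafe_exposed": revealed_positions(u_sig, r_sig),
    }
```

Running `demo()` shows the two outcomes side by side: with reserve-then-sign a crash costs one leaf (the signer resumes at leaf 2), while with sign-then-persist the restarted process signs with leaf 0 again and `revealed_positions` reports how many secret pairs that second signature exposed. The same discipline is what an HSM enforces internally; in software it is the fsync ordering, not the counter arithmetic, that decides whether the "significantly higher" write-back trick Jim mentions is needed at all.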


From nobody Tue Feb  5 14:41:16 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1965713132A for <spasm@ietfa.amsl.com>; Tue,  5 Feb 2019 14:41:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UMKhTilg9nsJ for <spasm@ietfa.amsl.com>; Tue,  5 Feb 2019 14:41:11 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6900131326 for <spasm@ietf.org>; Tue,  5 Feb 2019 14:41:11 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id DCBE5300AAD for <spasm@ietf.org>; Tue,  5 Feb 2019 17:15:27 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id n-lJI4Zu5OEi for <spasm@ietf.org>; Tue,  5 Feb 2019 17:15:25 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 6B21D300471; Tue,  5 Feb 2019 17:15:25 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <044301d4bd89$0deca9d0$29c5fd70$@augustcellars.com>
Date: Tue, 5 Feb 2019 17:33:42 -0500
Cc: SPASM <spasm@ietf.org>, draft-ietf-lamps-cms-hash-sig@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <A9086781-774A-4AF2-B205-173014FCB8B1@vigilsec.com>
References: <036c01d4bc4f$4c2a8400$e47f8c00$@augustcellars.com> <871B83AD-8A02-46B8-A9E3-2B79663C4FB5@vigilsec.com> <044301d4bd89$0deca9d0$29c5fd70$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/SMOcwda2QnJHjRmzML8QPfzLJd8>
Subject: Re: [lamps] WGLC comments on draft-ietf-lamps-cms-hash-sig
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 22:41:14 -0000

Jim:

Dropping the parts where we reached agreement.

>>> 3.  Section 1 - Introduction - I imagine that there is a fixed number
>>> of times that one can use a single ECDSA private key for signature creation.
>>> (My first guess would be Q, but I have never thought about it before.)
>>> It would be better to describe what the limitation on the number of
>>> signatures is rather than just saying that it is fixed.  "Limited number of
>>> signatures" might be better than "fixed number of signatures"
>> 
>> The number depends on the size of the tree used.  I think it is too early in the
>> document to give a way to compute the exact number; however, it might be
>> useful to say:
>> 
>>   ... The HSS/LMS signature algorithm can only be used for a
>>   fixed number of signing operations.  The number of signing operations
>>   depends upon the size of the tree; each node in the tree is used for one and
>>   only one signing operation. ...
> 
> You are saying that you don't think a way should be given to compute the
> exact number and then you go ahead and give a formula which is both
> technically accurate and wrong from the point of view of a CMS signature
> usage.  From that point of view the count is the number of leaves in the
> tree.  I think up to the semi-colon is sufficient.

I am saying that at this point in the document, we have not defined all of the variables that are needed to give a formula.  Okay, I'll drop the part after the semi-colon in my proposed text.

>>> 4.  Section 1 - It is not clear to me that the HSS/LMS signature
>>> algorithm does have small private keys.  In order to be even slightly
>>> efficient (and possibly even correct, I would need to track this down
>>> farther), one needs to keep state about the entire current path as part of
>>> the private key.
>>> This does not seem to be small.  If one did recompute the tree every
>>> time then it would not be low computational cost.
>> 
>> [HASHSIG] says:
>> 
>>   ... Private keys can be made very small by appropriate key
>>   generation, for example, as described in Appendix A. ...
>> 
>> And, Appendix A computes the private key using a Hash function.  So, if
>> SHA-256 is used, the private key is 256 bits.
> 
> Sure - but in that case the computation cost on the signature is not small.
> You are then going to do a minimum 32 extra hash operations in the signature
> computation.  I don't know the effective range of the coef function so I
> don't know if that is noise or not.  But if it is noise then I don't know
> that I would consider the range of 1000 hash operations to be low
> computational cost.

Using OpenSSL speed, I get these results for SHA-256 and RSA-2048, respectively:

type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
sha256           73006.69k   160765.21k   274290.52k   331870.58k   361368.23k

                  sign    verify    sign/s verify/s
rsa 2048 bits 0.000986s 0.000030s   1013.7  33114.4

So, even if one does 1000 additional hash operations to keep the private key small, I still think it can be characterized as fast.

>>> 8.  Section 3 - As I am sure I have said before, I would really like
>>> to see an id-alg-hss-lms-hashsig-direct version that omits the extra
>>> hash operation.
>> 
>> As I have said before, the processing in RFC 5652 assumes that a signature is
>> applied to a message digest.  How would you describe the processing in this
>> document?
> 
> No, it does not assume that.  It assumes that the signature is applied to a
> message.  For a signed CMS message with attributes the message that is
> signed is the DER encoded attributes.  The fact that the signature operation
> does (or does not) apply a hash function internally is not part of CMS, it is
> part of the signature operation.  The signature function is
> sha256-with-RSA-encryption, it is not RSA-encryption.  Please remember that
> using EdDSA signatures does not have that extra hash operation but signs the
> encoded attributes directly.  In section 4.5 of the McGrew document there is
> no inherent limitation on the length of "message" as there is with RSA where
> the message is limited to the number of bits of the key.
> 
> If you say that the hash function needs to be applied before the signature
> operation then the following is correct.
> 
> IF (signed attributes are absent)
> THEN message = content
> ELSE  message-digest attribute = Hash(content)
>         message = DER(SignedAttributes)
> 
> IF (doing direct)   // or if EdDSA
> THEN md = message
> ELSE  md = Hash(message)
> 
> Sign(md)
> 
> 
> You could also skip the second IF statement if you wanted to say that the
> function is "Sign(md, Hash)".  In my source code the hash function is not
> part of the CMS processing, it is part of the cryptographic operation.  This
> means that I would use "Sign(message)" and forget about the extra hash
> operation entirely.

I think I get your point. You would like to see an alternative that allows the structure described in Section 3 of RFC 8419.  I would like to hear what others on this list think before I work on it.

>>> 10.  Section 5 - I am unclear on what the text about having a random
>>> string as part of the hash computation means.  This does not appear to
>>> have anything to do with the actual value of digestAlgorithms so
>>> clarity about what is being said and why it is of importance would be
>>> nice
>> 
>> See Section 4.5 in [HASHSIG].  Step 4 says:
>> 
>>     4. set C to a uniformly random n-byte string
>> 
>> And then, it gets passed along in the signature value itself:
>> 
>>      6. return u32str(type) || C || y[0] || ... || y[p-1]
>> 
> 
> Right, so this would seem to be something that can be said in the security
> considerations about the strength of the hash function, but is nothing like
> the seeded hash functions of RFC 6210 where a random number was generated
> and carried in the parameters area of the hash function.

Correct.  The security benefits of the hash structure used are described in the Security Considerations of [HASHSIG].

Russ
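Jim's two IF statements in item 8 above decide exactly which bytes reach the signature primitive, and whether the "extra hash" lives in CMS or inside the algorithm. The following Python is an added example, not code from the thread or from any CMS library: it builds a real DER SignedAttributes value (content-type and message-digest, under the SET OF tag 0x31 that RFC 5652 section 5.4 prescribes for the signature input) and then selects the signature input for the four combinations of attributes present/absent and direct/pre-hashed. The OIDs are the genuine PKCS#9/CMS ones; the function names, the hash choice (SHA-256) and the short-form-only attribute reader are my own constructions, and `sign_cms` takes the signature primitive as a callable because the HSS/LMS operation itself is not reimplemented here.

```python
import hashlib

# Real OIDs from RFC 5652 / PKCS#9 (the only non-constructed values in this block).
ID_DATA = "1.2.840.113549.1.7.1"
ID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
ID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


def attribute(oid: str, value: bytes) -> bytes:
    # Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF AttributeValue }
    return der(0x30, der_oid(oid) + der(0x31, value))


def signed_attributes(content: bytes) -> bytes:
    """DER of SignedAttributes carrying content-type and message-digest, encoded
    with the SET OF tag (0x31) as used for the signature input, not the [0]
    IMPLICIT tag that appears inside SignerInfo."""
    attrs = [
        attribute(ID_CONTENT_TYPE, der_oid(ID_DATA)),
        attribute(ID_MESSAGE_DIGEST, der(0x04, H(content))),
    ]
    # DER SET OF: element encodings in ascending byte order.
    return der(0x31, b"".join(sorted(attrs)))


def signature_input(content: bytes, with_attrs: bool, direct: bool) -> bytes:
    """The two IF statements: what bytes are handed to Sign()."""
    message = signed_attributes(content) if with_attrs else content
    return message if direct else H(message)


def sign_cms(content: bytes, with_attrs: bool, direct: bool, sign_primitive):
    """sign_primitive stands for the algorithm's own operation (HSS/LMS, EdDSA,
    sha256-with-RSA ...); CMS only decides what it is fed."""
    return sign_primitive(signature_input(content, with_attrs, direct))


def message_digest_from(signed_attrs: bytes) -> bytes:
    """Verifier side: extract the message-digest attribute value so it can be
    compared with H(content). Handles short-form lengths only, which is all a
    32-byte digest needs."""
    marker = der_oid(ID_MESSAGE_DIGEST)
    pos = signed_attrs.index(marker) + len(marker)
    if signed_attrs[pos] != 0x31 or signed_attrs[pos + 2] != 0x04:
        raise ValueError("unexpected message-digest attribute encoding")
    n = signed_attrs[pos + 3]
    return signed_attrs[pos + 4 : pos + 4 + n]
```

With attributes present, `direct=True` hands the whole DER SET OF to the primitive (the EdDSA-style structure of RFC 8419 Section 3), while `direct=False` hands it `H(DER(SignedAttributes))`, the second hash that the `id-alg-hss-lms-hashsig-direct` suggestion would remove; the content itself is only ever bound through the message-digest attribute, which is why a verifier must recompute `H(content)` and compare it with `message_digest_from(...)` before trusting the signature over the attributes.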


From nobody Thu Feb  7 08:47:07 2019
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77FF91271FF for <spasm@ietfa.amsl.com>; Thu,  7 Feb 2019 08:47:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.001
X-Spam-Level: 
X-Spam-Status: No, score=-5.001 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lShJJ7iE34FR for <spasm@ietfa.amsl.com>; Thu,  7 Feb 2019 08:47:03 -0800 (PST)
Received: from gecko.sbs.de (gecko.sbs.de [194.138.37.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7795124BF6 for <spasm@ietf.org>; Thu,  7 Feb 2019 08:47:02 -0800 (PST)
Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by gecko.sbs.de (8.15.2/8.15.2) with ESMTPS id x17Gl0vD012616 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 7 Feb 2019 17:47:00 +0100
Received: from DEFTHW99ERLMSX.ww902.siemens.net (defthw99erlmsx.ww902.siemens.net [139.22.70.136]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTPS id x17GkxxM022539 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 7 Feb 2019 17:46:59 +0100
Received: from DENBGAT9ER8MSX.ww902.siemens.net (139.22.70.86) by DEFTHW99ERLMSX.ww902.siemens.net (139.22.70.136) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 7 Feb 2019 17:46:59 +0100
Received: from DENBGAT9EJ0MSX.ww902.siemens.net ([169.254.7.224]) by DENBGAT9ER8MSX.ww902.siemens.net ([139.22.70.86]) with mapi id 14.03.0415.000; Thu, 7 Feb 2019 17:46:58 +0100
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: "housley@vigilsec.com" <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "Fries, Steffen" <steffen.fries@siemens.com>
Thread-Topic: New work item proposal
Thread-Index: AdS/BDeQsSVGnImKRgOFYRYNLpkRNg==
Date: Thu, 7 Feb 2019 16:46:57 +0000
Message-ID: <E09739F5AF05A44FAE7BECC7E772E8F20DD99CAF@DENBGAT9EJ0MSX.ww902.siemens.net>
Accept-Language: en-US
Content-Language: de-DE
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [139.22.70.24]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/zodho8dn4UL7ef9ImqKlGXakAb8>
Subject: [lamps] New work item proposal
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:47:05 -0000

Hi Russ

Currently we make use of CMP (Certificate Management Protocol, RFC4210) in several industrial use cases. Due to the complexity of RFC4210 and RFC4211 we specified a concrete and more lightweight profile of CMP addressing the industrial use cases we see. Following standardization of CMP profiles by ETSI and UNISIG that already exist, we strive for standardization of this lightweight industrial CMP profile as well.
RFC4210 already has some profiles in Appendix D and E, but on the one hand they focus more on human end entities and on the other hand they do not address the communication of the RA validating and forwarding messages to the CA. As the focus of our CMP profile is on automating certificate management in an m2m and IoT environment, we are looking for a working group within IETF to present our approach to. From the charter of LAMPS we believe this WG fits best for our proposal as it is a limited update to an existing PKIX standards document.

Currently I am working on transferring our internal CMP profile document into the IETF draft format and hope to be able to distribute a first version showing our approach before IETF 104.

Steffen and I are interested in the discussion of our proposal on profiling CMP for a more lightweight use in industrial environments and would like to ask for acceptance of our draft as a new work item of LAMPS at IETF 104.
Is there already a meeting session of the LAMPS WG planned for IETF 104 in Prague?

- Hendrik


From nobody Thu Feb  7 09:00:59 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F8BC129284 for <spasm@ietfa.amsl.com>; Thu,  7 Feb 2019 09:00:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Level: 
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7TwEPd-w5i8n for <spasm@ietfa.amsl.com>; Thu,  7 Feb 2019 09:00:57 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E55D5124BF6 for <spasm@ietf.org>; Thu,  7 Feb 2019 09:00:56 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 1C3D6300AB0 for <spasm@ietf.org>; Thu,  7 Feb 2019 11:42:39 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dGkELKCqHmcl for <spasm@ietf.org>; Thu,  7 Feb 2019 11:42:37 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 9CC2F300400; Thu,  7 Feb 2019 11:42:37 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <E09739F5AF05A44FAE7BECC7E772E8F20DD99CAF@DENBGAT9EJ0MSX.ww902.siemens.net>
Date: Thu, 7 Feb 2019 12:00:54 -0500
Cc: "spasm@ietf.org" <spasm@ietf.org>, "Fries, Steffen" <steffen.fries@siemens.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EDA37518-0B98-467C-BB1A-E7AD6A268380@vigilsec.com>
References: <E09739F5AF05A44FAE7BECC7E772E8F20DD99CAF@DENBGAT9EJ0MSX.ww902.siemens.net>
To: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xM3zB3ytVK1fptZYZGii52CkTng>
Subject: Re: [lamps] New work item proposal
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 17:00:59 -0000

Hendrik:

We can put an item at the bottom of the agenda.  The WG must focus on the chartered work first.  It would be very helpful for you to post an individual Internet-Draft so that people can review it in advance of the meeting.

Russ


> On Feb 7, 2019, at 11:46 AM, Brockhaus, Hendrik <hendrik.brockhaus@siemens.com> wrote:
> 
> Hi Russ
> 
> Currently we make use of CMP (Certificate Management Protocol, RFC4210) in several industrial use cases. Due to the complexity of RFC4210 and RFC4211 we specified a concrete and more lightweight profile of CMP addressing the industrial use cases we see. Following standardization of CMP profiles by ETSI and UNISIG that already exist, we strive for standardization of this lightweight industrial CMP profile as well.
> RFC4210 already has some profiles in Appendix D and E, but on the one hand they focus more on human end entities and on the other hand they do not address the communication of the RA validating and forwarding messages to the CA. As the focus of our CMP profile is on automating certificate management in an m2m and IoT environment, we are looking for a working group within IETF to present our approach to. From the charter of LAMPS we believe this WG fits best for our proposal as it is a limited update to an existing PKIX standards document.
> 
> Currently I am working on transferring our internal CMP profile document into the IETF draft format and hope to be able to distribute a first version showing our approach before IETF 104.
> 
> Steffen and I are interested in the discussion of our proposal on profiling CMP for a more lightweight use in industrial environments and would like to ask for acceptance of our draft as a new work item of LAMPS at IETF 104.
> Is there already a meeting session of the LAMPS WG planned for IETF 104 in Prague?
> 
> - Hendrik


From nobody Thu Feb  7 09:11:34 2019
Return-Path: <hendrik.brockhaus@siemens.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 015B5129508 for <spasm@ietfa.amsl.com>; Thu,  7 Feb 2019 09:11:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level: 
X-Spam-Status: No, score=-5 tagged_above=-999 required=5 tests=[RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fHkkJmIRL_xm for <spasm@ietfa.amsl.com>; Thu,  7 Feb 2019 09:11:31 -0800 (PST)
Received: from david.siemens.de (david.siemens.de [192.35.17.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 639F7129284 for <spasm@ietf.org>; Thu,  7 Feb 2019 09:11:31 -0800 (PST)
Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id x17HBTD7011423 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 7 Feb 2019 18:11:29 +0100
Received: from DEFTHW99ERIMSX.ww902.siemens.net (defthw99erimsx.ww902.siemens.net [139.22.70.134]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTPS id x17HAsRp008522 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 7 Feb 2019 18:11:29 +0100
Received: from DENBGAT9EJ0MSX.ww902.siemens.net ([169.254.7.224]) by DEFTHW99ERIMSX.ww902.siemens.net ([139.22.70.134]) with mapi id 14.03.0415.000; Thu, 7 Feb 2019 18:11:18 +0100
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: "spasm@ietf.org" <spasm@ietf.org>, "Fries, Steffen" <steffen.fries@siemens.com>
Thread-Topic: [lamps] New work item proposal
Thread-Index: AdS/BDeQsSVGnImKRgOFYRYNLpkRNv//9CwA///tmlA=
Date: Thu, 7 Feb 2019 17:11:16 +0000
Message-ID: <E09739F5AF05A44FAE7BECC7E772E8F20DD99D5E@DENBGAT9EJ0MSX.ww902.siemens.net>
References: <E09739F5AF05A44FAE7BECC7E772E8F20DD99CAF@DENBGAT9EJ0MSX.ww902.siemens.net> <EDA37518-0B98-467C-BB1A-E7AD6A268380@vigilsec.com>
In-Reply-To: <EDA37518-0B98-467C-BB1A-E7AD6A268380@vigilsec.com>
Accept-Language: en-US
Content-Language: de-DE
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-document-confidentiality: NotClassified
x-originating-ip: [139.22.70.24]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6089QP4XHvnu477OTmihGcf-WRs>
Subject: Re: [lamps] New work item proposal
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 17:11:33 -0000

Russ

Thanks for your swift response. Being at the bottom of the agenda is totally OK for me as a newcomer :-)
I will circulate an individual Internet-Draft in advance of the meeting.

Hendrik

> -----Original Message-----
> From: Russ Housley <housley@vigilsec.com>
> Sent: Thursday, 7 February 2019 18:01
> To: Brockhaus, Hendrik (CT RDA ITS SEA-DE)
> <hendrik.brockhaus@siemens.com>
> Cc: spasm@ietf.org; Fries, Steffen (CT RDA ITS)
> <steffen.fries@siemens.com>
> Subject: Re: [lamps] New work item proposal
> 
> Hendrik:
> 
> We can put an item at the bottom of the agenda.  The WG must focus on the
> chartered work first.  It would be very helpful for you to post an individual
> Internet-Draft so that people can review it in advance of the meeting.
> 
> Russ
> 
> 
> > On Feb 7, 2019, at 11:46 AM, Brockhaus, Hendrik
> > <hendrik.brockhaus@siemens.com> wrote:
> >
> > Hi Russ
> >
> > Currently we make use of CMP (Certificate Management Protocol,
> > RFC4210) in several industrial use cases. Due to the complexity of RFC4210
> > and RFC4211 we specified a concrete and more lightweight profile of CMP
> > addressing the industrial use cases we see. Following standardization of CMP
> > profiles by ETSI and UNISIG that already exist, we strive for standardization
> > of this lightweight industrial CMP profile as well.
> > RFC4210 already has some profiles in Appendix D and E, but on the one
> > hand they focus more on human end entities and on the other hand they do
> > not address the communication of the RA validating and forwarding
> > messages to the CA. As the focus of our CMP profile is on automating
> > certificate management in an m2m and IoT environment, we are looking for a
> > working group within IETF to present our approach to. From the charter of
> > LAMPS we believe this WG fits best for our proposal as it is a limited update
> > to an existing PKIX standards document.
> >
> > Currently I am working on transferring our internal CMP profile document
> > into the IETF draft format and hope to be able to distribute a first version
> > showing our approach before IETF 104.
> >
> > Steffen and I are interested in the discussion of our proposal on profiling
> > CMP for a more lightweight use in industrial environments and would like to ask for
> > acceptance of our draft as a new work item of LAMPS at IETF 104.
> > Is there already a meeting session of the LAMPS WG planned for IETF 104 in
> > Prague?
> >
> > - Hendrik


From nobody Sat Feb  9 08:36:33 2019
Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 790B31200ED for <spasm@ietfa.amsl.com>; Sat,  9 Feb 2019 08:36:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level: 
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DcjhqIRHVCcK for <spasm@ietfa.amsl.com>; Sat,  9 Feb 2019 08:36:28 -0800 (PST)
Received: from mail-yw1-xc34.google.com (mail-yw1-xc34.google.com [IPv6:2607:f8b0:4864:20::c34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B44F12008A for <spasm@ietf.org>; Sat,  9 Feb 2019 08:36:28 -0800 (PST)
Received: by mail-yw1-xc34.google.com with SMTP id k14so2599536ywe.4 for <spasm@ietf.org>; Sat, 09 Feb 2019 08:36:28 -0800 (PST)
X-Received: by 2002:a81:52d3:: with SMTP id g202mr10571643ywb.244.1549730186024;  Sat, 09 Feb 2019 08:36:26 -0800 (PST)
MIME-Version: 1.0
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com>
In-Reply-To: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com>
From: Wei Chuang <weihaw@google.com>
Date: Sat, 9 Feb 2019 08:36:13 -0800
Message-ID: <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com>
To: SPASM <spasm@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="0000000000004bf3af058178ad48"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tpbU01x9GLt7uQZ79TezC0UuHak>
Subject: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2019 16:36:32 -0000

--0000000000004bf3af058178ad48
Content-Type: multipart/alternative; boundary="0000000000003cd0a1058178ad4f"

--0000000000003cd0a1058178ad4f
Content-Type: text/plain; charset="UTF-8"

Hi all,

I'm cross-posting to the LAMPS mailing list, for visibility, that there is a
new mailing list for Brand Indicators for Message Identification (BIMI),
which allows logos to be displayed by an email recipient. This is of
interest to LAMPS since a secured part of the specification uses X.509/PKIX
certificates to carry these logos and assert a 3rd-party validation.  A
while back, I posted here a draft requesting a new certificate Extended Key
Usage value to distinguish these logo-carrying certificates; it is linked
below.  Also described below is the validation procedure for the
certificate, based on web Extended Validation (EV) but built upon to handle
the logo validation.  I also have a security justification document that I
hope to turn into an IETF informational draft that will help justify the
security of the logo and other information carried in the certificate.  We
look forward to your comments and questions on the BIMI list.
https://www.ietf.org/mailman/listinfo/bimi

-Wei

---------- Forwarded message ---------
From: Seth Blank <seth@sethblank.com>
Date: Wed, Feb 6, 2019 at 12:11 PM
Subject: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
To: <bimi@ietf.org>


I've uploaded two documents as I-Ds to kick off IETF discussions around
BIMI. Both these documents need a good deal of work, but are ready for
public discussion.

For BIMI publishing and usage:
- https://tools.ietf.org/html/draft-blank-ietf-bimi-00
- https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-00

For logo validation:
- https://tools.ietf.org/html/draft-chuang-bimi-certificate-00
- https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w/edit?usp=sharing

At a high level, these documents have several issues to be worked through:

1) The intent is for this to be globally accessible to any domain owner,
but the current mechanisms are more approachable to larger organizations in
first world countries
   a) We need a discussion of what other validation mechanisms could work
at scale (our expectation is to have several, signposted weakly in the
draft)
   b) We need a way to properly reflect this in the proposed a= tag

2) BIMI is NOT a new authentication mechanism, nor does it make ANY claims
about user security or trust in the inbox. However, in places this draft
may be unclear. How do we make this clearer while still explaining why
standardizing this process is important, without crossing the line into UX
or trust, of which BIMI is neither?

3) Right now, security surrounding logos is limited to SVGs per
https://tools.ietf.org/html/rfc6170#section-5.2. There's clearly more
that's needed here, especially against attacks that rely on steganography
or resizing vectors, etc.

4) Other nits for draft-blank-ietf-bimi:

   a) The structure needs work, as do the Introduction and Overview
   b) Some of the technical construction feels like it could be
dramatically simplified
   c) Section 8.2 mentions hashes with no definition or clarity
   d) The uses of MTA, MUA, and Mail Receiver feel like they overlap each
other left and right
       i) And the document is heavily focused on larger receivers where
this distinction is clear, but doesn't give any thought to other receiving
architectures at all, especially mail clients that are the entire stack

Several authors of these documents will be in Prague; we're looking forward
to the conversations over the next few weeks and face to face!

Seth

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Wed, Feb 6, 2019 at 11:11 AM
Subject: New Version Notification for draft-blank-ietf-bimi-00.txt


A new version of I-D, draft-blank-ietf-bimi-00.txt
has been successfully submitted by Seth Blank and posted to the
IETF repository.

Name:           draft-blank-ietf-bimi
Revision:       00
Title:          Brand Indicators for Message Identification (BIMI)
Document date:  2019-02-06
Group:          Individual Submission
Pages:          26
URL:            https://www.ietf.org/internet-drafts/draft-blank-ietf-bimi-00.txt
Status:         https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/
Htmlized:       https://tools.ietf.org/html/draft-blank-ietf-bimi-00
Htmlized:       https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi


Abstract:
   Brand Indicators for Message Identification (BIMI) permits Domain
   Owners to coordinate with Mail User Agents (MUAs) to display brand-
   specific Indicators next to properly authenticated messages.  There
   are two aspects of BIMI coordination: a scalable mechanism for Domain
   Owners to publish their desired indicators, and a mechanism for Mail
   Transfer Agents (MTAs) to verify the authenticity of the indicator.
   This document specifies how Domain Owners communicate their desired
   indicators through the BIMI assertion record in DNS and how that
   record is to be handled by MTAs and MUAs.  The domain verification
   mechanism and extensions for other mail protocols (IMAP, etc.) are
   specified in separate documents.  MUAs and mail-receiving
   organizations are free to define their own policies for indicator
   display that makes use or not of BIMI data as they see fit.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

-- 
bimi mailing list
bimi@ietf.org
https://www.ietf.org/mailman/listinfo/bimi

--0000000000003cd0a1058178ad4f--

--0000000000004bf3af058178ad48
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

--0000000000004bf3af058178ad48--


From nobody Sat Feb  9 08:53:07 2019
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41FE0129524 for <spasm@ietfa.amsl.com>; Sat,  9 Feb 2019 08:53:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6JR0GpduJRz for <spasm@ietfa.amsl.com>; Sat,  9 Feb 2019 08:53:01 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DB5C1200ED for <spasm@ietf.org>; Sat,  9 Feb 2019 08:53:00 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B7DD8BE38; Sat,  9 Feb 2019 16:52:57 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkuHm2DM0wWT; Sat,  9 Feb 2019 16:52:53 +0000 (GMT)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C3943BE2E; Sat,  9 Feb 2019 16:52:52 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1549731172; bh=P68ESU9HWWtnDbUDaSRNgDsVwDN+HdVFmN/buUR3POU=; h=Subject:To:References:From:Date:In-Reply-To:From; b=wPbgWcpdzLrTDHzOLuUco1Ubbk8gxd7rMxf4pGhV+6unPD8x1OjNbxYI9a+OB/ThV 2B6zBXal0maoS1/YpZyRS2muo3Xfh7PsLiJC6zbNVKjlRbAzZY1ccbsVzLq1x1+6Q7 ovTKQThijgqbRgMcr4H8EWvte5B03tdoNUZyr+14=
To: Wei Chuang <weihaw=40google.com@dmarc.ietf.org>, SPASM <spasm@ietf.org>
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com> <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie>
Date: Sat, 9 Feb 2019 16:52:51 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="JUA5ds8fPePPG0izrtuN8XVtckOU6hEEZ"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Dtg19iQCQmrD3TBbRdCabHnWE3c>
Subject: Re: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2019 16:53:05 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--JUA5ds8fPePPG0izrtuN8XVtckOU6hEEZ
Content-Type: multipart/mixed; boundary="q1gIXdZn5IWunfipldh0azRbC1bR2RzFn";
 protected-headers="v1"
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
To: Wei Chuang <weihaw=40google.com@dmarc.ietf.org>, SPASM <spasm@ietf.org>
Message-ID: <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie>
Subject: Re: [lamps] Fwd: [Bimi] New Version Notification for
 draft-blank-ietf-bimi-00.txt
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com>
 <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com>
In-Reply-To: <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com>

--q1gIXdZn5IWunfipldh0azRbC1bR2RzFn
Content-Type: multipart/mixed;
 boundary="------------9FDA2096AEC5D547E5A8DF06"
Content-Language: en-GB

This is a multi-part message in MIME format.
--------------9FDA2096AEC5D547E5A8DF06
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


I've not yet subscribed to that bimi list but...

As a user of email I do not want more crap in messages that
user agents might de-reference thereby increasing how much
I am tracked and my devices' attack surfaces. So my starting
position is that I need to be convinced bimi is not just a
bad idea.

S.

On 09/02/2019 16:36, Wei Chuang wrote:
> Hi all,
>
> I'm cross posting to the LAMPS mailing list for visibility, that there is a
> new mailing list for Brand Indicators for Message Identification (BIMI)
> which allows for logos to be displayed by an email recipient. This is of
> interest to LAMPS since a secured part of the specification uses X.509/PKIX
> certificates to carry these logos and assert a 3rd party validation.  A
> while back, I posted here a draft requesting a new certificate Extended Key
> Usage value to distinguish these logo carrying certificate which linked
> below.  Also described below is the validation procedure for the
> certificate based on web Extended Validation (EV) but built upon to handle
> the logo validation.  I also have a security justification document that I
> hope to turn into an IETF informational draft that will help justify the
> security of the logo and other information carried in the certificate.  We
> look forward to your comments and questions on the BIMI list.
> https://www.ietf.org/mailman/listinfo/bimi
>
> -Wei
>
> ---------- Forwarded message ---------
> From: Seth Blank <seth@sethblank.com>
> Date: Wed, Feb 6, 2019 at 12:11 PM
> Subject: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
> To: <bimi@ietf.org>
>
>
> I've uploaded two documents as I-Ds to kick off IETF discussions around
> BIMI. Both these documents need a good deal of work, but are ready for
> public discussion.
>
> For BIMI publishing and usage:
> - https://tools.ietf.org/html/draft-blank-ietf-bimi-00
> - https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-00
>
> For logo validation:
> - https://tools.ietf.org/html/draft-chuang-bimi-certificate-00
> -
> https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w/edit?usp=sharing
>
> At a high level, these documents have several issues to be worked through:
>
> 1) The intent is for this to be globally accessible to any domain owner,
> but the current mechanisms are more approachable to larger organizations in
> first world countries
>    a) We need a discussion of what other validation mechanisms could work
> at scale (our expectation is to have several, signposted weakly in the
> draft)
>    b) We need a way to properly reflect this in the proposed a= tag
>
> 2) BIMI is NOT a new authentication mechanism, nor does it make ANY claims
> about user security or trust in the inbox. However, in places this draft
> may be unclear. How do we make this clearer while still explaining why
> standardizing this process is important, without crossing the line into UX
> or trust, of which BIMI is neither?
>
> 3) Right now, security surrounding logos is limited to SVGs per
> https://tools.ietf.org/html/rfc6170#section-5.2. There's clearly more
> that's needed here, especially against attacks that rely on steganography
> or resizing vectors, etc.
>
> 4) Other nits for draft-blank-ietf-bimi:
>
>    a) The structure needs work, as do the Introduction and Overview
>    b) Some of the technical construction feels like it could be
> dramatically simplified
>    c) Section 8.2 mentions hashes with no definition or clarity
>    d) The uses of MTA, MUA, and Mail Receiver feel like they overlap each
> other left and right
>        i) And the document is heavily focused on larger receivers where
> this distinction is clear, but doesn't give any thought to other receiving
> architectures at all, especially mail clients that are the entire stack
>
> Several authors of these documents will be in Prague, we're looking forward
> to the conversations over the next few weeks and face to face!
>
> Seth
>
> ---------- Forwarded message ---------
> From: <internet-drafts@ietf.org>
> Date: Wed, Feb 6, 2019 at 11:11 AM
> Subject: New Version Notification for draft-blank-ietf-bimi-00.txt
>
>
> A new version of I-D, draft-blank-ietf-bimi-00.txt
> has been successfully submitted by Seth Blank and posted to the
> IETF repository.
>
> Name:           draft-blank-ietf-bimi
> Revision:       00
> Title:          Brand Indicators for Message Identification (BIMI)
> Document date:  2019-02-06
> Group:          Individual Submission
> Pages:          26
> URL:
> https://www.ietf.org/internet-drafts/draft-blank-ietf-bimi-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/
> Htmlized:       https://tools.ietf.org/html/draft-blank-ietf-bimi-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi
>
>
> Abstract:
>    Brand Indicators for Message Identification (BIMI) permits Domain
>    Owners to coordinate with Mail User Agents (MUAs) to display brand-
>    specific Indicators next to properly authenticated messages.  There
>    are two aspects of BIMI coordination: a scalable mechanism for Domain
>    Owners to publish their desired indicators, and a mechanism for Mail
>    Transfer Agents (MTAs) to verify the authenticity of the indicator.
>    This document specifies how Domain Owners communicate their desired
>    indicators through the BIMI assertion record in DNS and how that
>    record is to be handled by MTAs and MUAs.  The domain verification
>    mechanism and extensions for other mail protocols (IMAP, etc.) are
>    specified in separate documents.  MUAs and mail-receiving
>    organizations are free to define their own policies for indicator
>    display that makes use or not of BIMI data as they see fit.
>
>
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>

--------------9FDA2096AEC5D547E5A8DF06--

--q1gIXdZn5IWunfipldh0azRbC1bR2RzFn--


--JUA5ds8fPePPG0izrtuN8XVtckOU6hEEZ--


From nobody Sat Feb  9 11:05:35 2019
Return-Path: <weihaw@google.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA7C71294FA for <spasm@ietfa.amsl.com>; Sat,  9 Feb 2019 11:05:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level: 
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1mTPsW17FcWS for <spasm@ietfa.amsl.com>; Sat,  9 Feb 2019 11:05:29 -0800 (PST)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E06A2126D00 for <spasm@ietf.org>; Sat,  9 Feb 2019 11:05:28 -0800 (PST)
Received: by mail-yb1-xb2b.google.com with SMTP id o81so2762604yba.8 for <spasm@ietf.org>; Sat, 09 Feb 2019 11:05:28 -0800 (PST)
X-Received: by 2002:a25:2008:: with SMTP id g8mr22533059ybg.167.1549739125846;  Sat, 09 Feb 2019 11:05:25 -0800 (PST)
MIME-Version: 1.0
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com> <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com> <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie>
In-Reply-To: <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie>
From: Wei Chuang <weihaw@google.com>
Date: Sat, 9 Feb 2019 11:05:12 -0800
Message-ID: <CAAFsWK2rtbmT=+KhGBWDJYd84GzsAHnH_QSVPUDL4Lx27Fv0ag@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: SPASM <spasm@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000271ed105817ac212"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/cf-jmY5tOx-zIdklMyfLGdp9YqY>
Subject: Re: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Feb 2019 19:05:34 -0000

--000000000000271ed105817ac212
Content-Type: multipart/alternative; boundary="000000000000179c5405817ac2a9"

--000000000000179c5405817ac2a9
Content-Type: text/plain; charset="UTF-8"

It is intended to support privacy, though it is up to email providers and
clients to do the right thing.  It uses certificates that carry the logo
(and other identity information) and assert 3rd party validation without
interacting with another server.  Our intent is that these certificates are
meant to be fetched at delivery and stored by the email provider for the
client, though such a fetch could be done by the client at use.  Along
those lines, for revocation checks, the guidelines require that CAs
provide CRLs, though OCSP is allowed.

-Wei

On Sat, Feb 9, 2019 at 8:53 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> I've not yet subscribed to that bimi list but...
>
> As a user of email I do not want more crap in messages that
> user agents might de-reference thereby increasing how much
> I am tracked and my devices' attack surfaces. So my starting
> position is that I need to be convinced bimi is not just a
> bad idea.
>
> S.
>

--000000000000179c5405817ac2a9--

--000000000000271ed105817ac212--


From nobody Sat Feb  9 11:45:14 2019
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95DAF1279E6 for <spasm@ietfa.amsl.com>; Sat,  9 Feb 2019 11:45:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level: 
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iweMxpMrHGdI for <spasm@ietfa.amsl.com>; Sat,  9 Feb 2019 11:45:07 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB2BB1277CC for <spasm@ietf.org>; Sat,  9 Feb 2019 11:45:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 58954BE38; Sat,  9 Feb 2019 19:45:03 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5y7AdmOFsFWj; Sat,  9 Feb 2019 19:45:01 +0000 (GMT)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 12267BE2E; Sat,  9 Feb 2019 19:45:01 +0000 (GMT)
To: Wei Chuang <weihaw=40google.com@dmarc.ietf.org>
Cc: SPASM <spasm@ietf.org>
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com> <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com> <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie> <CAAFsWK2rtbmT=+KhGBWDJYd84GzsAHnH_QSVPUDL4Lx27Fv0ag@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Message-ID: <d5e1e259-4d12-95e6-e294-a00dd2f50092@cs.tcd.ie>
Date: Sat, 9 Feb 2019 19:45:00 +0000
In-Reply-To: <CAAFsWK2rtbmT=+KhGBWDJYd84GzsAHnH_QSVPUDL4Lx27Fv0ag@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/gWAPilSgmTxSxxn56PbwtdTfl_E>
Subject: Re: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt

On 09/02/2019 19:05, Wei Chuang wrote:
> It is intended to support privacy,

"In its most basic setup, a BIMI-capable MUA could retrieve that
 image file directly from the site specified in the BIMI record."

It could well be that if various actors all do the right thing,
that bimi might not be privacy invasive. If however, any of the
relevant actors aren't careful, this becomes a tracking device,
as per the quoted text above. There are enough of those in mail
bodies already and we shouldn't be standardising such tracking
schemes in headers IMO.

I see no merit in bimi myself, only downsides.

S.


> though it is up to email providers and
> clients to do the right thing.  It uses certificates that carry the logo
> (and other identity information) and assert 3rd party validation without
> interacting with another server.  Our intent is that these certificates are
> meant to be fetched at delivery and stored by email provider for the
> client, though such a fetch could be done by the client at use.  Along
> those lines, for revocation checks, the guidelines require that CAs
> provide CRLs though OCSPs are allowed.
> 
> -Wei
> 
> On Sat, Feb 9, 2019 at 8:53 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
>>
>> I've not yet subscribed to that bimi list but...
>>
>> As a user of email I do not want more crap in messages that
>> user agents might de-reference thereby increasing how much
>> I am tracked and my devices' attack surfaces. So my starting
>> position is that I need to be convinced bimi is not just a
>> bad idea.
>>
>> S.
>>
>> On 09/02/2019 16:36, Wei Chuang wrote:
>>> Hi all,
>>>
>>> I'm cross posting to the LAMPS mailing list for visibility, that there is a
>>> new mailing list for Brand Indicators for Message Identification (BIMI)
>>> which allows for logos to be displayed by an email recipient. This is of
>>> interest to LAMPS since a secured part of the specification uses X.509/PKIX
>>> certificates to carry these logos and assert a 3rd party validation.  A
>>> while back, I posted here a draft requesting a new certificate Extended Key
>>> Usage value to distinguish these logo carrying certificates, which are linked
>>> below.  Also described below is the validation procedure for the
>>> certificate based on web Extended Validation (EV) but built upon to handle
>>> the logo validation.  I also have a security justification document that I
>>> hope to turn into an IETF informational draft that will help justify the
>>> security of the logo and other information carried in the certificate. We
>>> look forward to your comments and questions on the BIMI list.
>>> https://www.ietf.org/mailman/listinfo/bimi
>>>
>>> -Wei
>>>
>>> ---------- Forwarded message ---------
>>> From: Seth Blank <seth@sethblank.com>
>>> Date: Wed, Feb 6, 2019 at 12:11 PM
>>> Subject: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt
>>> To: <bimi@ietf.org>
>>>
>>>
>>> I've uploaded two documents as I-Ds to kick off IETF discussions around
>>> BIMI. Both these documents need a good deal of work, but are ready for
>>> public discussion.
>>>
>>> For BIMI publishing and usage:
>>> - https://tools.ietf.org/html/draft-blank-ietf-bimi-00
>>> - https://tools.ietf.org/html/draft-brotman-ietf-bimi-guidance-00
>>>
>>> For logo validation:
>>> - https://tools.ietf.org/html/draft-chuang-bimi-certificate-00
>>> - https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w/edit?usp=sharing
>>>
>>> At a high level, these documents have several issues to be worked through:
>>>
>>> 1) The intent is for this to be globally accessible to any domain owner,
>>> but the current mechanisms are more approachable to larger organizations in
>>> first world countries
>>>    a) We need a discussion of what other validation mechanisms could work
>>> at scale (our expectation is to have several, signposted weakly in the
>>> draft)
>>>    b) We need a way to properly reflect this in the proposed a= tag
>>>
>>> 2) BIMI is NOT a new authentication mechanism, nor does it make ANY claims
>>> about user security or trust in the inbox. However, in places this draft
>>> may be unclear. How do we make this clearer while still explaining why
>>> standardizing this process is important, without crossing the line into UX
>>> or trust, of which BIMI is neither?
>>>
>>> 3) Right now, security surrounding logos is limited to SVGs per
>>> https://tools.ietf.org/html/rfc6170#section-5.2. There's clearly more
>>> that's needed here, especially against attacks that rely on steganography
>>> or resizing vectors, etc.
>>>
>>> 4) Other nits for draft-blank-ietf-bimi:
>>>
>>>    a) The structure needs work, as do the Introduction and Overview
>>>    b) Some of the technical construction feels like it could be
>>> dramatically simplified
>>>    c) Section 8.2 mentions hashes with no definition or clarity
>>>    d) The uses of MTA, MUA, and Mail Receiver feel like they overlap each
>>> other left and right
>>>        i) And the document is heavily focused on larger receivers where
>>> this distinction is clear, but doesn't give any thought to other receiving
>>> architectures at all, especially mail clients that are the entire stack
>>>
>>> Several authors of these documents will be in Prague, we're looking forward
>>> to the conversations over the next few weeks and face to face!
>>>
>>> Seth
>>>
>>> ---------- Forwarded message ---------
>>> From: <internet-drafts@ietf.org>
>>> Date: Wed, Feb 6, 2019 at 11:11 AM
>>> Subject: New Version Notification for draft-blank-ietf-bimi-00.txt
>>>
>>>
>>> A new version of I-D, draft-blank-ietf-bimi-00.txt
>>> has been successfully submitted by Seth Blank and posted to the
>>> IETF repository.
>>>
>>> Name:           draft-blank-ietf-bimi
>>> Revision:       00
>>> Title:          Brand Indicators for Message Identification (BIMI)
>>> Document date:  2019-02-06
>>> Group:          Individual Submission
>>> Pages:          26
>>> URL:            https://www.ietf.org/internet-drafts/draft-blank-ietf-bimi-00.txt
>>> Status:         https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/
>>> Htmlized:       https://tools.ietf.org/html/draft-blank-ietf-bimi-00
>>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-blank-ietf-bimi
>>>
>>>
>>> Abstract:
>>>    Brand Indicators for Message Identification (BIMI) permits Domain
>>>    Owners to coordinate with Mail User Agents (MUAs) to display
>>>    brand-specific Indicators next to properly authenticated messages.  There
>>>    are two aspects of BIMI coordination: a scalable mechanism for Domain
>>>    Owners to publish their desired indicators, and a mechanism for Mail
>>>    Transfer Agents (MTAs) to verify the authenticity of the indicator.
>>>    This document specifies how Domain Owners communicate their desired
>>>    indicators through the BIMI assertion record in DNS and how that
>>>    record is to be handled by MTAs and MUAs.  The domain verification
>>>    mechanism and extensions for other mail protocols (IMAP, etc.) are
>>>    specified in separate documents.  MUAs and mail-receiving
>>>    organizations are free to define their own policies for indicator
>>>    display that makes use or not of BIMI data as they see fit.
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>>>
>>> _______________________________________________
>>> Spasm mailing list
>>> Spasm@ietf.org
>>> https://www.ietf.org/mailman/listinfo/spasm
>>>
>>
> 
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
> 


From nobody Sat Feb  9 13:54:51 2019
References: <CAD2i3WMP=-id4aCexu71fXRiVkdN3L6v5p7E1yJVRAwk0vmkfA@mail.gmail.com> <CAAFsWK2kUpHjGSo53=gOLrzFbnA6rqsGwyB6TyeK4xBKN=VmQw@mail.gmail.com> <3cbf4861-94ab-6623-86ad-a13d292d3393@cs.tcd.ie> <CAAFsWK2rtbmT=+KhGBWDJYd84GzsAHnH_QSVPUDL4Lx27Fv0ag@mail.gmail.com> <d5e1e259-4d12-95e6-e294-a00dd2f50092@cs.tcd.ie>
In-Reply-To: <d5e1e259-4d12-95e6-e294-a00dd2f50092@cs.tcd.ie>
From: Wei Chuang <weihaw@google.com>
Date: Sat, 9 Feb 2019 13:54:30 -0800
Message-ID: <CAAFsWK0uVcjb67QJA44X4m9_B-NnDpaoGXFvQxw+OLx7uGpFfw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/JLPmCWWw1NJYhQOAnaoiznxtXho>
Subject: Re: [lamps] Fwd: [Bimi] New Version Notification for draft-blank-ietf-bimi-00.txt

On Sat, Feb 9, 2019 at 11:45 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
>
> On 09/02/2019 19:05, Wei Chuang wrote:
> > It is intended to support privacy,
>
> "In its most basic setup, a BIMI-capable MUA could retrieve that
>  image file directly from the site specified in the BIMI record."
>
> It could well be that if various actors all do the right thing,
> that bimi might not be privacy invasive. If however, any of the
> relevant actors aren't careful, this becomes a tracking device,
> as per the quoted text above. There are enough of those in mail
> bodies already and we shouldn't be standardising such tracking
> schemes in headers IMO.
>

Privacy is something the IETF process can very much help with, by providing
constraints on the parts of the specification that impact privacy that
would otherwise be overlooked or worse.  Take for instance the choice of
CRLs vs OCSPs.  Our initial starting point in the Authindicators working
group* was only requiring CRLs, indeed due to privacy, and intentionally not
stating anything about OCSPs.  The CA that we were working with added this
as optional because it was something they already supported.  I don't think
they meant OCSP support to be privacy invasive in any form and since we had
our required support for CRLs we were fine.  What the IETF process can
do is provide many additional eyes on the specification, with a strong
interest in security and privacy.  Making privacy mandatory in the
specification is something that the IETF process can make sure happens.

* The Authindicators working group is an informal group of individuals and
companies in the space of email providers and authentication consultancy
that has been developing BIMI so far.  The intent now is to bring the BIMI
specification to IETF if possible for further feedback and standardization
work.

-Wei

> I see no merit in bimi myself, only downsides.
>
> S.
>

&gt;&gt;&gt;<br>
&gt;&gt;&gt; ---------- Forwarded message ---------<br>
&gt;&gt;&gt; From: Seth Blank &lt;<a href=3D"mailto:seth@sethblank.com" tar=
get=3D"_blank">seth@sethblank.com</a>&gt;<br>
&gt;&gt;&gt; Date: Wed, Feb 6, 2019 at 12:11 PM<br>
&gt;&gt;&gt; Subject: [Bimi] New Version Notification for draft-blank-ietf-=
bimi-00.txt<br>
&gt;&gt;&gt; To: &lt;<a href=3D"mailto:bimi@ietf.org" target=3D"_blank">bim=
i@ietf.org</a>&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; I&#39;ve uploaded two documents as I-Ds to kick off IETF discu=
ssions around<br>
&gt;&gt;&gt; BIMI. Both these documents need a good deal of work, but are r=
eady for<br>
&gt;&gt;&gt; public discussion.<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; For BIMI publishing and usage:<br>
&gt;&gt;&gt; - <a href=3D"https://tools.ietf.org/html/draft-blank-ietf-bimi=
-00" rel=3D"noreferrer" target=3D"_blank">https://tools.ietf.org/html/draft=
-blank-ietf-bimi-00</a><br>
&gt;&gt;&gt; - <a href=3D"https://tools.ietf.org/html/draft-brotman-ietf-bi=
mi-guidance-00" rel=3D"noreferrer" target=3D"_blank">https://tools.ietf.org=
/html/draft-brotman-ietf-bimi-guidance-00</a><br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; For logo validation:<br>
&gt;&gt;&gt; - <a href=3D"https://tools.ietf.org/html/draft-chuang-bimi-cer=
tificate-00" rel=3D"noreferrer" target=3D"_blank">https://tools.ietf.org/ht=
ml/draft-chuang-bimi-certificate-00</a><br>
&gt;&gt;&gt; -<br>
&gt;&gt;&gt;<br>
&gt;&gt; <a href=3D"https://docs.google.com/document/d/10IzxkdrveDazBAvTvOU=
a9uCIDBwMkdmluwHEcbja42w/edit?usp=3Dsharing" rel=3D"noreferrer" target=3D"_=
blank">https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdml=
uwHEcbja42w/edit?usp=3Dsharing</a><br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; At a high level, these documents have several issues to be wor=
ked<br>
&gt;&gt; through:<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; 1) The intent is for this to be globally accessible to any dom=
ain owner,<br>
&gt;&gt;&gt; but the current mechanisms are more approachable to larger org=
anizations<br>
&gt;&gt; in<br>
&gt;&gt;&gt; first world countries<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 a) We need a discussion of what other validation =
mechanisms could work<br>
&gt;&gt;&gt; at scale (our expectation is to have several, signposted weakl=
y in the<br>
&gt;&gt;&gt; draft)<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 b) We need a way to properly reflect this in the =
proposed a=3D tag<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; 2) BIMI is NOT a new authentication mechanism, nor does it mak=
e ANY<br>
&gt;&gt; claims<br>
&gt;&gt;&gt; about user security or trust in the inbox. However, in places =
this draft<br>
&gt;&gt;&gt; may be unclear. How do we make this clearer while still explai=
ning why<br>
&gt;&gt;&gt; standardizing this process is important, without crossing the =
line into<br>
&gt;&gt; UX<br>
&gt;&gt;&gt; or trust, of which BIMI is neither?<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; 3) Right now, security surrounding logos is limited to SVGs pe=
r<br>
&gt;&gt;&gt; <a href=3D"https://tools.ietf.org/html/rfc6170#section-5.2" re=
l=3D"noreferrer" target=3D"_blank">https://tools.ietf.org/html/rfc6170#sect=
ion-5.2</a>. There&#39;s clearly more<br>
&gt;&gt;&gt; that&#39;s needed here, especially against attacks that rely o=
n steganography<br>
&gt;&gt;&gt; or resizing vectors, etc.<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; 4) Other nits for draft-blank-ietf-bimi:<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 a) The structure needs work, as do the Introducti=
on and Overview<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 b) Some of the technical construction feels like =
it could be<br>
&gt;&gt;&gt; dramatically simplified<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 c) Section 8.2 mentions hashes with no definition=
 or clarity<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 d) The uses of MTA, MUA, and Mail Receiver feel l=
ike they overlap each<br>
&gt;&gt;&gt; other left and right<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 i) And the document is heavily focu=
sed on larger receivers where<br>
&gt;&gt;&gt; this distinction is clear, but doesn&#39;t give any thought to=
 other<br>
&gt;&gt; receiving<br>
&gt;&gt;&gt; architectures at all, especially mail clients that are the ent=
ire stack<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Several authors of these documents will be in Prague, we&#39;r=
e looking<br>
&gt;&gt; forward<br>
&gt;&gt;&gt; to the conversations over the next few weeks and face to face!=
<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Seth<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; ---------- Forwarded message ---------<br>
&gt;&gt;&gt; From: &lt;<a href=3D"mailto:internet-drafts@ietf.org" target=
=3D"_blank">internet-drafts@ietf.org</a>&gt;<br>
&gt;&gt;&gt; Date: Wed, Feb 6, 2019 at 11:11 AM<br>
&gt;&gt;&gt; Subject: New Version Notification for draft-blank-ietf-bimi-00=
.txt<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; A new version of I-D, draft-blank-ietf-bimi-00.txt<br>
&gt;&gt;&gt; has been successfully submitted by Seth Blank and posted to th=
e<br>
&gt;&gt;&gt; IETF repository.<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Name:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0draft-blank-ietf=
-bimi<br>
&gt;&gt;&gt; Revision:=C2=A0 =C2=A0 =C2=A0 =C2=A000<br>
&gt;&gt;&gt; Title:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Brand Indicators for =
Message Identification (BIMI)<br>
&gt;&gt;&gt; Document date:=C2=A0 2019-02-06<br>
&gt;&gt;&gt; Group:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 Individual Submission=
<br>
&gt;&gt;&gt; Pages:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 26<br>
&gt;&gt;&gt; URL:<br>
&gt;&gt;&gt; <a href=3D"https://www.ietf.org/internet-drafts/draft-blank-ie=
tf-bimi-00.txt" rel=3D"noreferrer" target=3D"_blank">https://www.ietf.org/i=
nternet-drafts/draft-blank-ietf-bimi-00.txt</a><br>
&gt;&gt;&gt; Status:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"https://da=
tatracker.ietf.org/doc/draft-blank-ietf-bimi/" rel=3D"noreferrer" target=3D=
"_blank">https://datatracker.ietf.org/doc/draft-blank-ietf-bimi/</a><br>
&gt;&gt;&gt; Htmlized:=C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"https://tools.i=
etf.org/html/draft-blank-ietf-bimi-00" rel=3D"noreferrer" target=3D"_blank"=
>https://tools.ietf.org/html/draft-blank-ietf-bimi-00</a><br>
&gt;&gt;&gt; Htmlized:<br>
&gt;&gt; <a href=3D"https://datatracker.ietf.org/doc/html/draft-blank-ietf-=
bimi" rel=3D"noreferrer" target=3D"_blank">https://datatracker.ietf.org/doc=
/html/draft-blank-ietf-bimi</a><br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Abstract:<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 Brand Indicators for Message Identification (BIMI=
) permits Domain<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 Owners to coordinate with Mail User Agents (MUAs)=
 to display brand-<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 specific Indicators next to properly authenticate=
d messages.=C2=A0 There<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 are two aspects of BIMI coordination: a scalable =
mechanism for Domain<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 Owners to publish their desired indicators, and a=
 mechanism for Mail<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 Transfer Agents (MTAs) to verify the authenticity=
 of the indicator.<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 This document specifies how Domain Owners communi=
cate their desired<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 indicators through the BIMI assertion record in D=
NS and how that<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 record is to be handled by MTAs and MUAs.=C2=A0 T=
he domain verification<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 mechanism and extensions for other mail protocols=
 (IMAP, etc.) are<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 specified in separate documents.=C2=A0 MUAs and m=
ail-receiving<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 organizations are free to define their own polici=
es for indicator<br>
&gt;&gt;&gt;=C2=A0 =C2=A0 display that makes use or not of BIMI data as the=
y see fit.<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; Please note that it may take a couple of minutes from the time=
 of<br>
&gt;&gt; submission<br>
&gt;&gt;&gt; until the htmlized version and diff are available at <a href=
=3D"http://tools.ietf.org" rel=3D"noreferrer" target=3D"_blank">tools.ietf.=
org</a>.<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; The IETF Secretariat<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt;<br>
&gt;&gt;&gt; _______________________________________________<br>
&gt;&gt;&gt; Spasm mailing list<br>
&gt;&gt;&gt; <a href=3D"mailto:Spasm@ietf.org" target=3D"_blank">Spasm@ietf=
.org</a><br>
&gt;&gt;&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/spasm" rel=3D=
"noreferrer" target=3D"_blank">https://www.ietf.org/mailman/listinfo/spasm<=
/a><br>
&gt;&gt;&gt;<br>
&gt;&gt;<br>
&gt; <br>
&gt; <br>
&gt; _______________________________________________<br>
&gt; Spasm mailing list<br>
&gt; <a href=3D"mailto:Spasm@ietf.org" target=3D"_blank">Spasm@ietf.org</a>=
<br>
&gt; <a href=3D"https://www.ietf.org/mailman/listinfo/spasm" rel=3D"norefer=
rer" target=3D"_blank">https://www.ietf.org/mailman/listinfo/spasm</a><br>
&gt; <br>
</blockquote></div></div>

--00000000000096b22105817d1f86--

--000000000000a7ba1605817d1ffe
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature
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==
--000000000000a7ba1605817d1ffe--


From nobody Tue Feb 12 08:54:03 2019
Return-Path: <Jonathan.Hammell@cyber.gc.ca>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D927128B33 for <spasm@ietfa.amsl.com>; Tue, 12 Feb 2019 08:54:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level: 
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T_wvhFxEFANb for <spasm@ietfa.amsl.com>; Tue, 12 Feb 2019 08:53:59 -0800 (PST)
Received: from beechnut.cse-cst.gc.ca (beechnut.cse-cst.gc.ca [205.193.218.37]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65BA7127287 for <spasm@ietf.org>; Tue, 12 Feb 2019 08:53:59 -0800 (PST)
From: "Hammell, Jonathan F" <Jonathan.Hammell@cyber.gc.ca>
To: "'spasm@ietf.org'" <spasm@ietf.org>
CC: "'housley@vigilsec.com'" <housley@vigilsec.com>
Thread-Topic: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
Thread-Index: AdTC81vmWkJ+VqpVR1K7L0V4t0lvbQ==
Date: Tue, 12 Feb 2019 16:53:57 +0000
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-classification: UNCLASSIFIED
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Message-Id: <20190212165359.65BA7127287@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/KMz2nGoqaJvom447AbqT8dqWBck>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 16:54:01 -0000

Classification: UNCLASSIFIED

I have a few suggestions to help readers:

Section 2.2, Paragraph 3: define q, e.g. "the number of the leaf (q)..."

Section 2.3, Last paragraph: y in the LM-OTS signature value is not defined.

Section 4: lms_public_key is not defined.  Yes, it is clear if you read [HASHSIG], but you are including the expansion of lms_signature and ots_signature.

Section 6.1, Paragraph 2: s/must must/must

Section 6.1, Paragraphs 4,5: Citations [RANDOM] and [RFC4086] refer to the same document.

Section 6.1: Should the instances of lowercase "must" be uppercase?  Note that uppercase "SHOULD" is used in the last paragraph of this section.

Section 6.1, Paragraph 3: s/LM-OTP/LM-OTS

Section 6.2, Paragraph 4: s/defined to that/defined so that


Best regards,
Jonathan





From nobody Tue Feb 12 12:11:20 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C82A12785F for <spasm@ietfa.amsl.com>; Tue, 12 Feb 2019 12:11:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tQNQFk5MMCzj for <spasm@ietfa.amsl.com>; Tue, 12 Feb 2019 12:11:18 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 18D5312DF71 for <spasm@ietf.org>; Tue, 12 Feb 2019 12:11:18 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 5951E300A99 for <spasm@ietf.org>; Tue, 12 Feb 2019 14:53:00 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id B9BTFD1T1nAb for <spasm@ietf.org>; Tue, 12 Feb 2019 14:52:59 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 4D0663002B4; Tue, 12 Feb 2019 14:52:59 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20190212165359.65BA7127287@ietfa.amsl.com>
Date: Tue, 12 Feb 2019 15:11:15 -0500
Cc: "spasm@ietf.org" <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9FF5C511-B7C6-483B-A759-9BBCDEBA21C3@vigilsec.com>
References: <20190212165359.65BA7127287@ietfa.amsl.com>
To: "Hammell, Jonathan F" <Jonathan.Hammell@cyber.gc.ca>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/WMU0nUE0FL_KsARk-2TshqCxWGE>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:11:19 -0000

Jonathan:

Thanks for the careful read.  All of these comments have been addressed in my edit buffer.  I will post an update shortly.

Russ



> On Feb 12, 2019, at 11:53 AM, Hammell, Jonathan F <Jonathan.Hammell@cyber.gc.ca> wrote:
>
> Classification: UNCLASSIFIED
>
> I have a few suggestions to help readers:
>
> Section 2.2, Paragraph 3: define q, e.g. "the number of the leaf (q)..."
>
> Section 2.3, Last paragraph: y in the LM-OTS signature value is not defined.
>
> Section 4: lms_public_key is not defined.  Yes, it is clear if you read [HASHSIG], but you are including the expansion of lms_signature and ots_signature.
>
> Section 6.1, Paragraph 2: s/must must/must
>
> Section 6.1, Paragraphs 4,5: Citations [RANDOM] and [RFC4086] refer to the same document.
>
> Section 6.1: Should the instances of lowercase "must" be uppercase?  Note that uppercase "SHOULD" is used in the last paragraph of this section.
>
> Section 6.1, Paragraph 3: s/LM-OTP/LM-OTS
>
> Section 6.2, Paragraph 4: s/defined to that/defined so that
>
>
> Best regards,
> Jonathan


From nobody Tue Feb 12 12:49:01 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id CFA09130E83; Tue, 12 Feb 2019 12:48:42 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: spasm@ietf.org
Message-ID: <155000452277.8545.4830965034572252627@ietfa.amsl.com>
Date: Tue, 12 Feb 2019 12:48:42 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/f1GkKjwaDTVN7OmfVr9vglccZkM>
Subject: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-04.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:48:49 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
        Author          : Russ Housley
        Filename        : draft-ietf-lamps-cms-hash-sig-04.txt
        Pages           : 16
        Date            : 2019-02-12

Abstract:
   This document specifies the conventions for using the HSS/LMS
   hash-based signature algorithm with the Cryptographic Message Syntax
   (CMS).  In addition, the algorithm identifier and public key syntax
   are provided.  The HSS/LMS algorithm is one form of hash-based
   digital signature; it is described in [HASHSIG].


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-04
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-04

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Feb 12 12:58:04 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5D84130DBE for <spasm@ietfa.amsl.com>; Tue, 12 Feb 2019 12:58:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2y3hhciaocfL for <spasm@ietfa.amsl.com>; Tue, 12 Feb 2019 12:58:01 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48729130DC2 for <spasm@ietf.org>; Tue, 12 Feb 2019 12:58:01 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 6B0B030055E for <spasm@ietf.org>; Tue, 12 Feb 2019 15:39:43 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Oz1QJK6NjLnp for <spasm@ietf.org>; Tue, 12 Feb 2019 15:39:42 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 5A6F2300435 for <spasm@ietf.org>; Tue, 12 Feb 2019 15:39:42 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 12 Feb 2019 15:57:59 -0500
References: <155000452277.8545.4830965034572252627@ietfa.amsl.com>
To: spasm@ietf.org
In-Reply-To: <155000452277.8545.4830965034572252627@ietfa.amsl.com>
Message-Id: <AD227E3A-6084-4558-9BE0-0119EDD25900@vigilsec.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/YR5C1RzKD-CrYAWyJX_HEVhC46E>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-04.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 20:58:03 -0000

I believe that this addresses all of the WG Last Call comments that I have received.  The WG Last Call ends on Thursday, so I wanted to get the update out for people to see how their comments were addressed.

Russ


> On Feb 12, 2019, at 3:48 PM, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
>
>        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
>        Author          : Russ Housley
>        Filename        : draft-ietf-lamps-cms-hash-sig-04.txt
>        Pages           : 16
>        Date            : 2019-02-12
>
> Abstract:
>   This document specifies the conventions for using the HSS/LMS
>   hash-based signature algorithm with the Cryptographic Message Syntax
>   (CMS).  In addition, the algorithm identifier and public key syntax
>   are provided.  The HSS/LMS algorithm is one form of hash-based
>   digital signature; it is described in [HASHSIG].
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-04
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-04
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-04
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/


From nobody Thu Feb 14 11:17:46 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 925FC1200ED for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 11:17:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8q3bmnwZYEin for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 11:17:43 -0800 (PST)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4B051289FA for <spasm@ietf.org>; Thu, 14 Feb 2019 11:17:42 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip2.isaracorp.com with ESMTP; 14 Feb 2019 19:17:35 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Thu, 14 Feb 2019 14:17:35 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Thu, 14 Feb 2019 14:17:35 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
Thread-Index: AQHUxJnxVohEhVQVQUevr0ST0lgP9w==
Date: Thu, 14 Feb 2019 19:17:35 +0000
Message-ID: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_23941778AE9E470888A98965F2252EAEisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Zgxp6D43QLg1WgblTMe54EmbkuQ>
Subject: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 19:17:44 -0000

--_000_23941778AE9E470888A98965F2252EAEisaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_23941778AE9E470888A98965F2252EAEisaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <E51912E1D9CCB6468D33DD7E83F7EF5D@isara.com>
Content-Transfer-Encoding: base64
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==

--_000_23941778AE9E470888A98965F2252EAEisaracom_--


From nobody Thu Feb 14 11:56:09 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 932E212EB11 for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 11:56:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x6ne_iMLcSpl for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 11:56:05 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6146E12867A for <spasm@ietf.org>; Thu, 14 Feb 2019 11:56:04 -0800 (PST)
Received: from Jude (192.168.1.166) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 14 Feb 2019 11:55:50 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, <spasm@ietf.org>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com>
In-Reply-To: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com>
Date: Thu, 14 Feb 2019 11:55:48 -0800
Message-ID: <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_003A_01D4C45C.3BA60B80"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQI9YiZ+qGL+44kEz+EYRNIFf1pLv6UOeUdQ
Content-Language: en-us
X-Originating-IP: [192.168.1.166]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/lemXTpZnbo2j-ec1DhKXo3E1_fo>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 19:56:07 -0000

------=_NextPart_000_003A_01D4C45C.3BA60B80
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

What do you think needs to be specified beyond what is currently in draft-ietf-lamps-cms-hash-sig?  That document contains the pk-HSS-LMS-HashSig structure, which describes how to place the public key into a Subject Public Key structure.

Jim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Van Geest
Sent: Thursday, February 14, 2019 11:18 AM
To: spasm@ietf.org
Subject: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)

Last meeting I presented draft-vangeest-x509-hash-sigs to Secdispatch and LAMPS. It was decided the draft would be sent to LAMPS for potential inclusion during the recharter. Below I’ve included a draft of potential recharter text for the WG’s consideration. I can present the draft again in Prague if that’s desired.

X. Specify the use of hash-based signatures in X.509 Public Key
Infrastructure. Hash-based signatures use small private and public keys,
and they have low computational cost.  They are secure even if a
large-scale quantum computer is invented.  The low computational cost
for signature verification makes hash-based signatures attractive in
Internet of Things (IoT) environments.  The use of hash-based signatures
provides quantum resistant authentication in multi-party IoT ecosystems
where publicly trusted code signing certificates are needed.

Thanks,
Daniel


------=_NextPart_000_003A_01D4C45C.3BA60B80--
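
An added worked example, not code from this thread, from draft-ietf-lamps-cms-hash-sig, or from any of its authors. It builds the DER wrappings that the thread argues about, so that "OCTET STRING in CMS" versus "BIT STRING in X.509" is visible byte by byte, and it shows the checks a verifier should make before trusting either wrapping of an HSS/LMS public key or signature. Assumptions, labelled as such: the OID is the value assigned to id-alg-hss-lms-hashsig in RFC 8708, the published form of the draft; the public-key layout, typecodes and signature-length arithmetic are those of RFC 8554; the SubjectPublicKeyInfo placement follows the RFC 5912 PUBLIC-KEY convention of putting the DER-encoded OCTET STRING inside the subjectPublicKey BIT STRING; the two signature wrappings follow Jim's later description of a byte string placed in whichever ASN.1 type the container uses. The key and signature bytes are constructed dummies, not real key material, and every helper name is this example's own.

```python
import struct

# Assumption: OID as assigned to id-alg-hss-lms-hashsig in RFC 8708.
ID_ALG_HSS_LMS_HASHSIG = "1.2.840.113549.1.9.16.3.17"

# RFC 8554 typecodes.  LMS -> (m, h); LM-OTS -> (n, p).
LMS_TYPES = {5: (32, 5), 6: (32, 10), 7: (32, 15), 8: (32, 20), 9: (32, 25)}
LMOTS_TYPES = {1: (32, 265), 2: (32, 133), 3: (32, 67), 4: (32, 34)}

def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def parse_hss_public_key(pub: bytes) -> dict:
    """Check the RFC 8554 layout u32(L) || u32(lms) || u32(lmots) || I[16] || T1[m]."""
    if len(pub) < 12:
        raise ValueError("HSS public key too short")
    levels, lms_type, lmots_type = struct.unpack(">III", pub[:12])
    if not 1 <= levels <= 8:
        raise ValueError(f"bad HSS level count {levels}")
    if lms_type not in LMS_TYPES or lmots_type not in LMOTS_TYPES:
        raise ValueError("unknown LMS or LM-OTS typecode")
    m = LMS_TYPES[lms_type][0]
    if len(pub) != 12 + 16 + m:
        raise ValueError(f"expected {12 + 16 + m} key bytes, got {len(pub)}")
    return {"levels": levels, "lms_type": lms_type, "lmots_type": lmots_type,
            "I": pub[12:28], "T1": pub[28:]}

def single_level_signature_len(pub: bytes) -> int:
    """Exact HSS signature length for L = 1; deeper trees carry per-level parameters."""
    key = parse_hss_public_key(pub)
    if key["levels"] != 1:
        raise ValueError("only L = 1 is handled here")
    m, h = LMS_TYPES[key["lms_type"]]
    n, p = LMOTS_TYPES[key["lmots_type"]]
    # u32(Nspk) || u32(q) || u32(lmots) || C[n] || y[p*n] || u32(lms) || path[h*m]
    return 4 + 4 + 4 + n + p * n + 4 + h * m

def hss_subject_public_key_info(pub: bytes) -> bytes:
    """X.509 SubjectPublicKeyInfo for pk-HSS-LMS-HashSig, parameters absent."""
    parse_hss_public_key(pub)                  # refuse to wrap a malformed key
    alg_id = der_tlv(0x30, der_oid(ID_ALG_HSS_LMS_HASHSIG))
    key = der_tlv(0x04, pub)                   # HSS-LMS-HashSig-PublicKey ::= OCTET STRING
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + key))  # inside a BIT STRING

def cms_signature_value(sig: bytes) -> bytes:
    """CMS SignerInfo.signature: the raw signature bytes as an OCTET STRING."""
    return der_tlv(0x04, sig)

def x509_signature_value(sig: bytes) -> bytes:
    """Certificate.signatureValue: the same bytes as a BIT STRING with 0 unused bits."""
    return der_tlv(0x03, b"\x00" + sig)

def unwrap_x509_signature(bitstr: bytes, pub: bytes) -> bytes:
    """Verifier side: strip the BIT STRING and apply the checks a parser must not skip."""
    if len(bitstr) < 3 or bitstr[0] != 0x03:
        raise ValueError("not a BIT STRING")
    if bitstr[1] < 0x80:
        hdr, length = 2, bitstr[1]
    else:
        nbytes = bitstr[1] & 0x7F
        hdr, length = 2 + nbytes, int.from_bytes(bitstr[2:2 + nbytes], "big")
    body = bitstr[hdr:hdr + length]
    if length == 0 or len(body) != length or len(bitstr) != hdr + length or body[0] != 0:
        raise ValueError("truncated or trailing data, or nonzero unused-bit count")
    sig = body[1:]
    if len(sig) != single_level_signature_len(pub):
        raise ValueError("signature length does not match the key's parameter set")
    return sig

# Constructed dummy key: L=1, LMS_SHA256_M32_H5 (typecode 5), LMOTS_SHA256_N32_W8 (4).
DUMMY_PUB = struct.pack(">III", 1, 5, 4) + bytes(range(16)) + bytes([0xAB] * 32)
DUMMY_SIG = bytes([0xCD]) * single_level_signature_len(DUMMY_PUB)

if __name__ == "__main__":
    spki = hss_subject_public_key_info(DUMMY_PUB)
    print("SubjectPublicKeyInfo:", len(spki), "bytes, starts", spki[:17].hex())
    print("CMS   signature TLV starts", cms_signature_value(DUMMY_SIG)[:4].hex())
    print("X.509 signature TLV starts", x509_signature_value(DUMMY_SIG)[:5].hex())
    print("round trip:", unwrap_x509_signature(x509_signature_value(DUMMY_SIG), DUMMY_PUB) == DUMMY_SIG)
```

The length check is the part worth copying: an HSS public key declares its own parameter set, so for a single-level key a verifier can compute the exact signature length before doing any hashing and reject padded or truncated input early, and the unused-bits octet of the BIT STRING has to be zero or the bytes that follow are not the signature they appear to be.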


From nobody Thu Feb 14 12:52:36 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6F7712D4F2 for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 12:52:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vGtIpWTqozh7 for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 12:52:33 -0800 (PST)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A58D012D4F0 for <spasm@ietf.org>; Thu, 14 Feb 2019 12:52:32 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR01.isaracorp.com) ([10.5.8.20]) by ip1.isaracorp.com with ESMTP; 14 Feb 2019 20:52:31 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Thu, 14 Feb 2019 15:52:28 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Thu, 14 Feb 2019 15:52:28 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Jim Schaad <ietf@augustcellars.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
Thread-Index: AQHUxJnxVohEhVQVQUevr0ST0lgP96XgCSwA//+8BAA=
Date: Thu, 14 Feb 2019 20:52:28 +0000
Message-ID: <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com>
In-Reply-To: <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_8E8592C1684F4B64B1E2D039169204CAisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_luRz6TZU6Jzxz7FlU-EDJPYE64>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 20:52:35 -0000

--_000_8E8592C1684F4B64B1E2D039169204CAisaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_8E8592C1684F4B64B1E2D039169204CAisaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <84A6A26E471C214B90CA2BC90A39F5B4@isara.com>
Content-Transfer-Encoding: base64
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--_000_8E8592C1684F4B64B1E2D039169204CAisaracom_--


From nobody Thu Feb 14 14:38:05 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57CA3131223 for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 14:38:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level: 
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utsin1E4OGbq for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 14:38:00 -0800 (PST)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E26C131215 for <spasm@ietf.org>; Thu, 14 Feb 2019 14:38:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=20368; q=dns/txt; s=iport; t=1550183880; x=1551393480; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=5gFfdZL5ycyEJshjKFRqqv5YgePh5hvY+hBlYTSGbbE=; b=Ef6pfAwxNb4B6L2x2HYZGa0TUvLZicoBayYOKfpzLSq7bmFxsTF6c/T9 hotKbkU6MzWjvJqy+WhPZmL36wx/KnPGPJKzyLSak7uRi4nmuIRUhULN4 c9PU/bz4nfkA2fl2SI3dKejYsGDlmpCtSpAk6+iTGbWljLRQWnJAm0L1K Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ADAADu7GVc/5pdJa1kGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBUQQBAQEBAQsBgQ11Z4EDJwqDfIgai3CCDZIkhW+Bews?= =?us-ascii?q?BARgBCoRJAheDTCI0CQ0BAwEBAgEBAm0cDIVKAQEBAQMBARsGCkELEAIBCBE?= =?us-ascii?q?EAQEoAwICAiULFAkIAQEEDgUIgxmBDmQPqyWBL4owBYxEF4FAP4ERgxKDHgE?= =?us-ascii?q?BgXgfglOCVwKJYYZCkwsJApJKIYFuhVSDPoY9gTaJapJBAhEUgScfOIFWcBU?= =?us-ascii?q?7gmyCJxiIX4U/QTGPPYEfAQE?=
X-IronPort-AV: E=Sophos;i="5.58,370,1544486400";  d="scan'208,217";a="237841895"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Feb 2019 22:37:59 +0000
Received: from XCH-RTP-010.cisco.com (xch-rtp-010.cisco.com [64.101.220.150]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x1EMbwJ7003824 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 14 Feb 2019 22:37:58 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-010.cisco.com (64.101.220.150) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 14 Feb 2019 17:37:57 -0500
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1395.000; Thu, 14 Feb 2019 17:37:58 -0500
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Russ Housley <housley@vigilsec.com>
CC: Tim Hollebeek <tim.hollebeek@digicert.com>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
Thread-Index: AdS40GKoFYXnwsS1QwKY9DVE0d/aRgABY5rQADS+pgACwrctkA==
Date: Thu, 14 Feb 2019 22:37:57 +0000
Message-ID: <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com>
References: <BN6PR14MB1106523B8FE0E5FFDA2C3D5483900@BN6PR14MB1106.namprd14.prod.outlook.com> <d07ed88179514efd848f3a98e6ef5129@XCH-RTP-006.cisco.com> <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com>
In-Reply-To: <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.86.251.167]
Content-Type: multipart/alternative; boundary="_000_13aac7fd60a04eb2b56507808b4d17c9XCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.150, xch-rtp-010.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ZJnHLMAsi8229TWUiDZUMN0noFM>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 22:38:03 -0000

--_000_13aac7fd60a04eb2b56507808b4d17c9XCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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=

--_000_13aac7fd60a04eb2b56507808b4d17c9XCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_13aac7fd60a04eb2b56507808b4d17c9XCHRTP006ciscocom_--


From nobody Thu Feb 14 15:06:12 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92DC3131053 for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 15:06:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FXnXrAS5dONb for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 15:06:09 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6B7F12F1A5 for <spasm@ietf.org>; Thu, 14 Feb 2019 15:06:08 -0800 (PST)
Received: from Jude (192.168.1.162) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 14 Feb 2019 15:06:02 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, <spasm@ietf.org>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com>
In-Reply-To: <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com>
Date: Thu, 14 Feb 2019 15:06:01 -0800
Message-ID: <006001d4c4b9$dc0bc620$94235260$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0061_01D4C476.CDE9BEA0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQI9YiZ+qGL+44kEz+EYRNIFf1pLvwGyW5meAUkd5aqk9scacA==
Content-Language: en-us
X-Originating-IP: [192.168.1.162]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7EDUQ73fHWLvxdH1KHZCfT5paEs>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 23:06:12 -0000

------=_NextPart_000_0061_01D4C476.CDE9BEA0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Ok – so the first change is going to be to say which hash-based signature algorithms you are dealing with, since it is not all of them.

As I noted with Russ, there is no guarantee that there is a small private key.  If you use a method of deterministic derivation from a seed, then it can be.  If you use a good external random number generator then the private key is proportional to the number of nodes in the tree.

Jim

From: Daniel Van Geest <Daniel.VanGeest@isara.com>
Sent: Thursday, February 14, 2019 12:52 PM
To: Jim Schaad <ietf@augustcellars.com>; spasm@ietf.org
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)

Jim,

We have seen interest in defining similar OIDs for XMSS and XMSS^MT, which is not covered in draft-ietf-lamps-cms-hash-sig.

For HSS/LMS, at the time the x509-hash-sigs draft was written, the cms-hash-sig draft didn’t define OIDs for signature algorithms (it was specified that only SHA-256 would be used with CMS). Since the CMS draft now defines the signature algorithm OIDs we’ll have to re-evaluate the HSS/LMS sections.  When written, this draft referred to the CMS one for some definitions and added other new ones.

Now that the CMS draft defines all the OIDs, you’re right, this draft might not need to mention HSS/LMS at all.  Or should there at least be some text in there along the lines of “HSS/LMS OIDs are defined in [cms-hash-sigs], BTW you can also use those in X.509”?  Should there also be some small differentiating text indicating that in X.509 the HSS/LMS signature octet string is encoded as a BIT STRING?  cms-hash-sigs says “The signature values is a large OCTET STRING.”, which is accurate for CMS but for X.509 the encoding of the signature octets will be a BIT STRING.

[JLS] This is just something that is poorly stated in the current document and is not something that needs to be changed.  It would be more accurate to say that “The signature value is a large byte string.” (or octet string) without using the ASN.1 type.  It is then just a string of bytes that is wrapped into some ASN.1 type.

Jim

Thanks,

Daniel

On 2019-02-14, 2:56 PM, "Jim Schaad" <ietf@augustcellars.com> wrote:

What do you think needs to be specified beyond what is currently in draft-ietf-lamps-cms-hash-sig?  That document contains the pk-HSS-LMS-HashSig structure, which describes how to place the public key into a Subject Public Key structure.

Jim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Van Geest
Sent: Thursday, February 14, 2019 11:18 AM
To: spasm@ietf.org
Subject: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)

Last meeting I presented draft-vangeest-x509-hash-sigs to Secdispatch and LAMPS. It was decided the draft would be sent to LAMPS for potential inclusion during the recharter. Below I’ve included a draft of potential recharter text for the WG’s consideration. I can present the draft again in Prague if that’s desired.

X. Specify the use of hash-based signatures in X.509 Public Key
Infrastructure. Hash-based signatures use small private and public keys,
and they have low computational cost.  They are secure even if a
large-scale quantum computer is invented.  The low computational cost
for signature verification makes hash-based signatures attractive in
Internet of Things (IoT) environments.  The use of hash-based signatures
provides quantum resistant authentication in multi-party IoT ecosystems
where publicly trusted code signing certificates are needed.

Thanks,
Daniel


------=_NextPart_000_0061_01D4C476.CDE9BEA0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Courier;
	panose-1:2 7 4 9 2 2 5 2 4 4;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:#0563C1;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.EmailStyle20
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle22
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle24
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal><span style=3D'font-size:11.0pt'>Ok =E2=80=93 so the =
first change is going to be say which hash-based signature algorithms =
you are dealing with, since it is not all of =
them.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span style=3D'font-size:11.0pt'>As I noted with Russ, =
there is no guarantee that there is a small private key.=C2=A0 If you =
use a method of deterministic derivation from a seed, then it an =
be.=C2=A0 If you use a good external random number generator then the =
private key is proportional to the number of nodes in the =
tree.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt'>Jim<o:p></o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt'>From:</span></b><span =
style=3D'font-size:11.0pt'> Daniel Van Geest =
&lt;Daniel.VanGeest@isara.com&gt; <br><b>Sent:</b> Thursday, February =
14, 2019 12:52 PM<br><b>To:</b> Jim Schaad =
&lt;ietf@augustcellars.com&gt;; spasm@ietf.org<br><b>Subject:</b> Re: =
[lamps] Proposed charter text for hash-based signatures in X.509 PKI =
(draft-vangeest-x509-hash-sigs)<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'font-size:11.0pt'>Jim,<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA style=3D'font-size:11.0pt'>We have =
seen interest in defining similar OIDs for XMSS and XMSS^MT, which is =
not covered in draft-ietf-lamps-cms-hash-sig.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA style=3D'font-size:11.0pt'>For =
HSS/LMS, at the time the x509-hash-sigs draft was written, the =
cms-hash-sig draft didn=E2=80=99t define OIDs for signature algorithms =
(it was specified that only SHA-256 would be used with CMS). Since the =
CMS draft now defines the signature algorithm OIDs we=E2=80=99ll have to =
re-evaluate the HSS/LMS sections.&nbsp; When written, this draft =
referred to the CMS one for some definitions and added other new =
ones.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><pre><span =
lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>Now that the =
CMS draft defines all the OIDs, you=E2=80=99re right, this draft might =
not need to mention HSS/LMS at all.&nbsp; Or should there at least be =
some text in there along the lines of =E2=80=9CHSS/LMS OIDs are defined =
in [cms-hash-sigs], BTW you can also use those in X.509=E2=80=9D? =
&nbsp;Should there also be some small differentiating text indicating =
that in X.509 the HSS/LMS signature octet string is encoded as a BIT =
STRING?&nbsp; cms-hash-sigs says =E2=80=9C</span><span lang=3DEN-CA =
style=3D'color:black'>The signature values is a large OCTET =
STRING.</span><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>=E2=80=9D, =
which is accurate for CMS but for X.509 the encoding of the signature =
octets will be a <o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>BIT =
STRING.<span =
style=3D'color:black'><o:p></o:p></span></span></pre><pre><span =
lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>[JLS] This =
is just something that is poorly stated in the current document and is =
not something that needs to be changed.=C2=A0 It would be more accurate =
to say that =E2=80=9CThe signature value is a large byte =
string.=E2=80=9D (or octet string) without using the ASN.1 type.=C2=A0 =
It is then just a string of bytes that is wrapped into some ASN.1 =
type.<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>Jim<o:p></o:p=
></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></pre><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Thanks,<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Daniel<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>On =
2019-02-14, 2:56 PM, &quot;Jim Schaad&quot; &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt; =
wrote:</span><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p></o:p></span></p></div></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>What do you think that is needed to be =
specified beyond what is currently in =
draft-ietf-lamps-cms-hash-sig?&nbsp; That document contains the =
pk-HSS-LMS-HashSig structure which describes how to place the public key =
into a Subject Public Key structure.&nbsp; </span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Jim</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><b><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>From:</span></b><span lang=3DEN-CA =
style=3D'font-size:11.0pt'> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Daniel Van Geest<br><b>Sent:</b> Thursday, February =
14, 2019 11:18 AM<br><b>To:</b> <a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a><br><b>Subject:</b> =
[lamps] Proposed charter text for hash-based signatures in X.509 PKI =
(draft-vangeest-x509-hash-sigs)</span><span =
lang=3DEN-CA><o:p></o:p></span></p></div></div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Last meeting I presented =
draft-vangeest-x509-hash-sigs to Secdispatch and LAMPS. It was decided =
the draft would be sent to LAMPS for potential inclusion during the =
recharter. Below I=E2=80=99ve included a draft of potential recharter =
text for the WG=E2=80=99s consideration. I can present the draft again =
in Prague if that=E2=80=99s desired.</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>X. Specify the use of =
hash-based signatures in X.509 Public Key</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>Infrastructure. =
Hash-based signatures use small private and public keys,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>and they have low =
computational cost.&nbsp; They are secure even if a</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>large-scale quantum =
computer is invented.&nbsp; The low computational cost</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>for signature =
verification makes hash-based signatures attractive in</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>Internet of Things (IoT) =
environments.&nbsp; The use of hash-based signatures</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>provides quantum =
resistant authentication in multi-party IoT ecosystems</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>where publicly trusted =
code signing certificates are needed.</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Thanks,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Daniel</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p></div></div></div></body></html>
------=_NextPart_000_0061_01D4C476.CDE9BEA0--


From nobody Thu Feb 14 20:38:33 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61469130F1B for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 20:38:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Giy2wXdTEG3G for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 20:38:29 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4D711295D8 for <spasm@ietf.org>; Thu, 14 Feb 2019 20:38:28 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 14 Feb 2019 20:38:22 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>, <spasm@ietf.org>
References: <155000452277.8545.4830965034572252627@ietfa.amsl.com> <AD227E3A-6084-4558-9BE0-0119EDD25900@vigilsec.com>
In-Reply-To: <AD227E3A-6084-4558-9BE0-0119EDD25900@vigilsec.com>
Date: Thu, 14 Feb 2019 20:38:20 -0800
Message-ID: <008001d4c4e8$48eceb10$dac6c130$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQK/Ex1AoMROceOrXMl2VIHPrpYD8gKAMtGXo/enoUA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/nsV58ggLgpt-LDmrSawj_nntVbk>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-04.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 04:38:31 -0000

Russ,

I went through my comments and I believe that there has not yet been an
adequate response to the following issues:

> > 10.  Section 5 - I am unclear on what the text about having a random 
> > string as part of the hash computation means.  This does not appear 
> > to have anything to do with the actual value of digestAlgorithms so 
> > clarity about what is being said and why it is of importance would 
> > be nice
> 
> See Section 4.5 in [HASHSIG].  Step 4 says:
> 
>      4. set C to a uniformly random n-byte string
> 
> And then, it gets passed along in the signature value itself:
> 
>       6. return u32str(type) || C || y[0] || ... || y[p-1]
> 

Right, so this would seem to be something that can be said in the security
considerations about the strength of the hash function, but is nothing like
the seeded hash functions of RFC 6210 where a random number was generated and
carried in the parameters area of the hash function.

[JLS] It looks like you might have trimmed this thinking that we were in
agreement, but I don't think that is true.


> > 8.  Section 3 - As I am sure I have said before, I would really like 
> > to see an id-alg-hss-lms-hashsig-direct version that omits the extra 
> > hash operation.
> 
> As I have said before, the processing in RFC 5652 assumes that a signature
> is applied to a message digest.  How would you describe the processing in
> this document?

[JLS] There is another message out from you to ask for input on this and
while I agree there has been no direct response, I think that the message
from Scott Fluhrer is in support of my position.

Jim



> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Tuesday, February 12, 2019 12:58 PM
> To: spasm@ietf.org
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-04.txt
> 
> I believe that this addresses all of the WG Last Call comments that I have
> received.  The WG Last Call ends on Thursday, so I wanted to get the
> update out for people to see how their comments were addressed.
> 
> Russ
> 
> 
> > On Feb 12, 2019, at 3:48 PM, internet-drafts@ietf.org wrote:
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> > This draft is a work item of the Limited Additional Mechanisms for PKIX
> > and SMIME WG of the IETF.
> >
> >        Title           : Use of the HSS/LMS Hash-based Signature
> >                          Algorithm in the Cryptographic Message Syntax
> >                          (CMS)
> >        Author          : Russ Housley
> >        Filename        : draft-ietf-lamps-cms-hash-sig-04.txt
> >        Pages           : 16
> >        Date            : 2019-02-12
> >
> > Abstract:
> >   This document specifies the conventions for using the HSS/LMS
> >   hash-based signature algorithm with the Cryptographic Message Syntax
> >   (CMS).  In addition, the algorithm identifier and public key syntax
> >   are provided.  The HSS/LMS algorithm is one form of hash-based
> >   digital signature; it is described in [HASHSIG].
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-04
> > https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-04
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-04
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at
> > tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


From nobody Thu Feb 14 20:52:41 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEB8C12F19D for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 20:52:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rqhMmpzwRLUZ for <spasm@ietfa.amsl.com>; Thu, 14 Feb 2019 20:52:38 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0230F129741 for <spasm@ietf.org>; Thu, 14 Feb 2019 20:52:37 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Thu, 14 Feb 2019 20:52:30 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'Russ Housley' <housley@vigilsec.com>
CC: 'SPASM' <spasm@ietf.org>, 'Tim Hollebeek' <tim.hollebeek@digicert.com>
References: <BN6PR14MB1106523B8FE0E5FFDA2C3D5483900@BN6PR14MB1106.namprd14.prod.outlook.com> <d07ed88179514efd848f3a98e6ef5129@XCH-RTP-006.cisco.com> <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com> <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com>
In-Reply-To: <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com>
Date: Thu, 14 Feb 2019 20:52:28 -0800
Message-ID: <008101d4c4ea$42b8ddb0$c82a9910$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0082_01D4C4A7.34979980"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHs2acs3Ap8Rl0zFnLm85YBzdnF+AJ3Vpi/An7G+JECfGOzo6V0iT0A
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/5zi1qBSiOxJ-a6aqsohX6SsT430>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 04:52:41 -0000

------=_NextPart_000_0082_01D4C4A7.34979980
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Scott,

The way that this is written has to do to a degree with how CMS works and
how most people think of signature algorithms as working.  I have also
raised this point of doing a direct signature of the “message” (which is
not necessarily the message content) without going through an extra hash
function.  If you think about what happens for RSA with SHA-384, then you
can see that the message needs to be hashed before the RSA operation can
be applied.  As you noted, this is not necessary for any of the hash
signature algorithms as there is no practical maximum message length that
would be hashed.

My preference would be to have a version which is just
id-alg-hss-lms-hashsig-direct which does not do that extra hash operation
and I have requested that this happens, but it has not been done at
present.

I believe that your position would really translate to support of my
position.

Jim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Scott Fluhrer (sfluhrer)
Sent: Thursday, February 14, 2019 2:38 PM
To: Russ Housley <housley@vigilsec.com>
Cc: SPASM <spasm@ietf.org>; Tim Hollebeek <tim.hollebeek@digicert.com>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

Sorry for being late, but I was just re-reviewing the draft, and I noticed
something odd:

You define id-alg-hss-lms-hashsig-with-sha384 (and sha512); with the
comment that this specifies the use of SHA-384 to hash the content.

That’s not how LMS is designed to work; currently, it uses the same hash
function to hash the message as it does for all its internal hashes.  If
you were to replace the initial SHA-256 hash with something larger, well,
you’d need to tweak the size of the LM-OTS signature (to accommodate the
larger value being signed), and so that wouldn’t be clean at all.

For that matter, LMS doesn’t do a straight hash of the message; instead,
it includes a prefix (the point of the prefix, which is randomized, is to
avoid relying on the collision resistance of SHA-256).

Now, I suppose you could SHA-384 hash the message, and then turn around
and do an LMS signature generate/verify on that hash (which would, with
the currently defined LMS parameter sets, immediately prepend the prefix,
and then SHA-256 hash it).  However, if something that nonobvious is
specified, you need to call it out explicitly (and also what do you do
with id-alg-hss-lms-hashsig-with-sha256; would that also do an initial
SHA-256 hash?).

My suggestion would be to combine all three algorithm identifiers into a
single id-alg-hssms-hashsig (and have the parameter set indicator within
the LMS public key specify which hash is to be used).

And, since someone brought up XMSS, well, that’d have pretty much the
same issues (and for the same reasons…)

From: Russ Housley <housley@vigilsec.com>
Sent: Thursday, January 31, 2019 11:07 AM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
Cc: Tim Hollebeek <tim.hollebeek@digicert.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

Scott:

Thanks for the careful read.  I have made these changes in my edit
buffer.

Russ

On Jan 30, 2019, at 3:04 PM, Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>
wrote:

Just two spelling corrections…

Nit: in the first line of section 4: “for an HHS/LMS public key” should
be “for an HSS/LMS public key”

Nit: in the first line of section 6.2: “on the current sate” should be
“on the current state”

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Tim Hollebeek
Sent: Wednesday, January 30, 2019 2:25 PM
To: SPASM <spasm@ietf.org>
Subject: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

This is the LAMPS WG Last Call for “Use of the HSS/LMS Hash-based
Signature Algorithm in the Cryptographic Message Syntax (CMS)”
<draft-ietf-lamps-cms-hash-sig-03>.

Please review the document and send your comments to the list by 14
February 2019.

If no concerns are raised, the document will be forwarded to the IESG
with a request for publication as Proposed Standard.

-Tim

_______________________________________________
Spasm mailing list
 <mailto:Spasm@ietf.org> Spasm@ietf.org
 <https://www.ietf.org/mailman/listinfo/spasm> =
https://www.ietf.org/mailman/listinfo/spasm

=20
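As an added example (not code from the draft, from RFC 8554, or from anyone in this thread), here is the LM-OTS one-time signature of RFC 8554 in Python, with the random prefix C of steps 4 to 6 that Russ quotes and the "randomized prefix" Scott describes made concrete, plus hypothetical sign_with_sha384/verify_with_sha384 helpers that model the pre-hash-then-LMS flow Scott sketches for the with-sha384 identifier. The parameter set (LMOTS_SHA256_N32_W8), the constructed I, q, SEED and content values are assumptions, and only the one-time building block is implemented, not the LMS/HSS trees.

```python
"""LM-OTS one-time signature, RFC 8554 parameter set LMOTS_SHA256_N32_W8.

Added example (not code from the draft or the RFC): shows the random prefix C
being hashed in front of the message and then carried in the signature
(Algorithm 3, steps 4 to 6), and models the two CMS flows in the thread:
signing the content directly vs. pre-hashing it with SHA-384 first.  Only
the one-time building block is implemented, not the LMS/HSS trees.
"""
import hashlib
import os

N = 32            # hash output length in bytes
W = 8             # Winternitz parameter: one byte of Q || Cksm(Q) per chain
P = 34            # hash chains: 32 digest bytes + 2 checksum bytes
TYPECODE = 4      # LMOTS_SHA256_N32_W8
D_PBLC = 0x8080   # domain separators from RFC 8554 section 7.1
D_MESG = 0x8181


def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()


def u32(v): return v.to_bytes(4, "big")
def u16(v): return v.to_bytes(2, "big")
def u8(v): return v.to_bytes(1, "big")


def checksum(Q):
    # Cksm(Q) for w=8, ls=0: sum over the 32 digest bytes of (255 - byte).
    return u16(sum(255 - b for b in Q))


def chain(I, q, i, start, j_from, j_to):
    """Walk hash chain i from iteration j_from up to (excluding) j_to."""
    tmp = start
    for j in range(j_from, j_to):
        tmp = H(I, u32(q), u16(i), u8(j), tmp)
    return tmp


def keygen(I, q, seed):
    """Chain starts x[i] derived from SEED (RFC 8554 Appendix A); the public
    key K hashes the fully walked chain ends."""
    x = [H(I, u32(q), u16(i), u8(0xFF), seed) for i in range(P)]
    y = [chain(I, q, i, x[i], 0, 2 ** W - 1) for i in range(P)]
    K = H(I, u32(q), u16(D_PBLC), *y)
    return {"I": I, "q": q, "x": x}, u32(TYPECODE) + I + u32(q) + K


def sign(prv, message, C=None):
    """Algorithm 3: C is fresh per signature, hashed in front of the message
    (step 5) and handed to the verifier inside the signature (step 6)."""
    I, q, x = prv["I"], prv["q"], prv["x"]
    C = os.urandom(N) if C is None else C                # step 4
    Q = H(I, u32(q), u16(D_MESG), C, message)           # step 5
    digits = Q + checksum(Q)                             # one byte per chain
    y = [chain(I, q, i, x[i], 0, digits[i]) for i in range(P)]
    return u32(TYPECODE) + C + b"".join(y)               # step 6


def verify(pub, message, sig):
    """Algorithm 4b: finish every chain from y[i] and compare with K."""
    if len(sig) != 4 + N + P * N or sig[:4] != pub[:4]:
        return False
    I, q, K = pub[4:20], int.from_bytes(pub[20:24], "big"), pub[24:]
    C = sig[4:4 + N]
    y = [sig[4 + N + i * N:4 + N + (i + 1) * N] for i in range(P)]
    Q = H(I, u32(q), u16(D_MESG), C, message)
    digits = Q + checksum(Q)
    z = [chain(I, q, i, y[i], digits[i], 2 ** W - 1) for i in range(P)]
    return H(I, u32(q), u16(D_PBLC), *z) == K


# Hypothetical helpers modelling the "with-sha384" flow Scott describes: the
# content is reduced to a 48-byte SHA-384 digest first, so the randomized
# prefix C only covers that digest, not the content.  The "direct" flow is
# sign()/verify() applied to the content itself.
def sign_with_sha384(prv, content):
    return sign(prv, hashlib.sha384(content).digest())


def verify_with_sha384(pub, content, sig):
    return verify(pub, hashlib.sha384(content).digest(), sig)


if __name__ == "__main__":
    # Constructed sample values; I and SEED are random in a real key.
    I = bytes(range(16))
    prv, pub = keygen(I, 0, b"\x42" * 32)
    content = b"constructed CMS content"
    print("direct:     ", verify(pub, content, sign(prv, content)))
    print("with-sha384:", verify_with_sha384(pub, content, sign_with_sha384(prv, content)))
```

A direct signature and a with-sha384 signature over the same content are not interchangeable: each verifier must apply the same pre-processing the signer did, which is the "call it out explicitly" point in Scott's message.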


------=_NextPart_000_0082_01D4C4A7.34979980--


From nobody Fri Feb 15 03:33:42 2019
Return-Path: <quynh.dang@nist.gov>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE07130FA2 for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 03:33:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nist.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u0_3J1kVQEjj for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 03:33:33 -0800 (PST)
Received: from GCC01-DM2-obe.outbound.protection.outlook.com (mail-eopbgr840110.outbound.protection.outlook.com [40.107.84.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 658C71275F3 for <spasm@ietf.org>; Fri, 15 Feb 2019 03:33:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nist.gov; s=selector1;  h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FOKt0MWT2CI0m6nbwjkCOiVT6qyT9AmvPTguUX6L7yw=; b=hXhXurezkF6X1fvLU+RMp3KKNRG/AuV6qjsQKaslB9GMPUTUfhp8MsPhHSsqWZ8OjCrAuakP6Ko0UZ84r4ZGwJ6SfGy5ouH4VaoaHUsfaQ6Tu2IIgc/OB2ng9qPPnhZ/kko3C2MfBPidECT1ZWPSDcWQ1U8ppdHWFS+B4+EVbKU=
Received: from BN8PR09MB3604.namprd09.prod.outlook.com (20.179.76.14) by BN8PR09MB3601.namprd09.prod.outlook.com (20.179.76.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1622.19; Fri, 15 Feb 2019 11:33:31 +0000
Received: from BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::cd:14aa:42b:5286]) by BN8PR09MB3604.namprd09.prod.outlook.com ([fe80::cd:14aa:42b:5286%3]) with mapi id 15.20.1622.018; Fri, 15 Feb 2019 11:33:31 +0000
From: "Dang, Quynh (Fed)" <quynh.dang@nist.gov>
To: IRTF CFRG <Cfrg@irtf.org>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: NIST is requesting comments on protection guidance of the OTS private key re-use (mis-use) issue and on usage restrictions of hash-based signatures.  
Thread-Index: AQHUxSHOYVED9NIf6E2/gotGVJrKlA==
Date: Fri, 15 Feb 2019 11:33:30 +0000
Message-ID: <BN8PR09MB36047D73636E89EB5515EC44F3600@BN8PR09MB3604.namprd09.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=quynh.dang@nist.gov; 
x-originating-ip: [2610:20:6005:220::7b]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0174484d-321b-45e6-f493-08d693396980
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(4618075)(2017052603328)(7153060)(7193020); SRVR:BN8PR09MB3601; 
x-ms-traffictypediagnostic: BN8PR09MB3601:
x-ms-exchange-purlcount: 1
x-microsoft-exchange-diagnostics: =?iso-8859-1?Q?1; BN8PR09MB3601; 23:lK3wAlVs/u7vI6AJNvW0F4ilttwqEquzXJ307G3?= =?iso-8859-1?Q?iv96JkGdMawNsNXiDWxfKtacmddbYqKiQ0t020rcDhsGBJINZDXIuvpRoL?= =?iso-8859-1?Q?SJ2Nb0sMfRtTuSWS0/HSKwPPwE7khCk27o/cdzXSu6J18piUggormgpRvp?= =?iso-8859-1?Q?MB0+8I5OKFu42Oz8v7vx3vRdt0SYUdI1ovMnwqUUtdiMlkMAEGWSS+7t9z?= =?iso-8859-1?Q?ZlCKwtGCdmq29folta2hMXr1dMX8KW7Elj3sGVNQD42wRUbnaYe1C7tEUh?= =?iso-8859-1?Q?NWi9Wcb3DqQFFRerkUbXatuvanU4yO2X6heegnJFdFJJTxmQILKC4LEAn6?= =?iso-8859-1?Q?KgpXj4nuHOMzmYGQBvwBZpyN61Kc3VunKOUf1dfoeCrH9OX5ZeeoTh0zSe?= =?iso-8859-1?Q?MuVFijfx6PCc0cdZQPIkimwd32fUTFafcfZDYkAhMMRKZ8JEtd9XT6VCSR?= =?iso-8859-1?Q?C9XTU4Teboemy5JRNEJmKMNSQ7WvJM/cNvniAWzXDORRkfkZ5fK215bvSe?= =?iso-8859-1?Q?+/rwH4UNsBBBt8D3wCq9s/um7eEvh4RX9E2j4CyzirUo0zCl5XeMCO97xD?= =?iso-8859-1?Q?ly4P3tSmdZLLt9vLfw2sCrxAzUsM44n2jeERjgAB9nGTlqwarjTaa7sdAv?= =?iso-8859-1?Q?FCx0zSgU5OWmaK7+8xvnjNvsfgdqQX8q3DDIf1FuBzWeOdv8KqRk7tTMZ4?= =?iso-8859-1?Q?CHfdDrQn3hOTzGeLKHzvldVQOzdn/3eeoGaT5n53dNyXnIpyeCCP8u8ZIs?= =?iso-8859-1?Q?UboXibXLHjg2xyXP5cs/2iYwG/I6y7Dexb16mM3kQ33QQG/yAo9zl0UERn?= =?iso-8859-1?Q?8PhxkrxBIbC3lczcMVibVCg+7g1pds3BVJXdtKPuGf7nElC+xTMUeOadBm?= =?iso-8859-1?Q?kmm0Xx9XfLkvtOoKVjNS+/A+bUaNQM4wm9yBtavmr5JsDXXG1XQf9Gd0uY?= =?iso-8859-1?Q?/p44Ki9oR2wVaq38ubvChWbz2wTymcYzMSP0HoVDu8tG1pVda0vqqYZ/Hv?= =?iso-8859-1?Q?VKcmG12AKswrQ9CQTYRV709v17x0jEz/KOE+EuH8EZ4GxyrItPN0jJoJwT?= =?iso-8859-1?Q?98MgF+u2kq8RJu24ONCMUlgkrH6jgeQhRMgQvztnFBxM3tjk5oFI4YJphV?= =?iso-8859-1?Q?3XNWdzaLu/nSMkkEkwc0QfL5GNZpAx7eFpxeawuxmfQMYZMTQXn1FxfOzT?= =?iso-8859-1?Q?jN+XJgmTMc0C+l0t/Z9CmJSu/JuGD9Hnww473PVcFjKU5y+uiM7NNlCvj8?= =?iso-8859-1?Q?rpqO22jvFd8TtWH96WOIuedcMQKzhkkPKtBgu+g=3D=3D?=
x-microsoft-antispam-prvs: <BN8PR09MB36016225424B5B1EC758F4D7F3600@BN8PR09MB3601.namprd09.prod.outlook.com>
x-forefront-prvs: 09497C15EB
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(136003)(366004)(396003)(39860400002)(199004)(189003)(53754006)(71190400001)(2501003)(97736004)(105586002)(7736002)(102836004)(316002)(476003)(110136005)(966005)(478600001)(19627405001)(46003)(106356001)(486006)(54896002)(186003)(6116002)(99286004)(6606003)(2906002)(55016002)(6306002)(4744005)(236005)(9686003)(86362001)(6506007)(74316002)(7696005)(606006)(33656002)(14454004)(1015004)(6436002)(8676002)(15974865002)(8936002)(81156014)(81166006)(256004)(14444005)(71200400001)(25786009)(68736007)(53936002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN8PR09MB3601; H:BN8PR09MB3604.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; 
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: RkINrYGHJ1yHWaWH3/OI9jI2zYgrOgTpNeEI1zM9dDY/NSQ4r4MoejL2inSOGdtizMOz1H5Hj1ZRfvg1ZnZdA3+31KmM4GO/9LYDkacYq8TD8IXh/Fggj6PPhsnJiWm0XmSGucaRk1ABMlO57VpxypEI/qMg6Yzak8/mNIjaPLDh0HnqS0Lra2G0afstZiQu6EigCU3SiUpdz3lGdWj+L8kWCqXykKdjIDSlVRFnWkpPp2NbmJDgJz5UEH4ggQZPtkuYbvR5STcExkBH5JAyCL4F9SRkNl51rmGI/CS4w2ncSVOOFVOAkB8PFmUYSzHN7MrYPv7Ms0FhbvG7lkL6JS/wLDIaYP/3XaReaCLYLsELlF7HnitYXaSob3/ZGTYFhVTFHtZpYtpr3uUeTDSoQDPbbNCacxWPehd2ax6IQdA=
Content-Type: multipart/alternative; boundary="_000_BN8PR09MB36047D73636E89EB5515EC44F3600BN8PR09MB3604namp_"
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-Network-Message-Id: 0174484d-321b-45e6-f493-08d693396980
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Feb 2019 11:33:30.9559 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR09MB3601
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7KQxnBN_bK-bgrULByNZV4Uf-NI>
Subject: [lamps] NIST is requesting comments on protection guidance of the OTS private key re-use (mis-use) issue and on usage restrictions of hash-based signatures.
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 11:33:36 -0000

--_000_BN8PR09MB36047D73636E89EB5515EC44F3600BN8PR09MB3604namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi all,


NIST is requesting comments on protection guidance of the OTS private key r=
e-use (mis-use) issue and on usage restrictions of hash-based signatures.


Please check the link below for more information.


https://www.nist.gov/news-events/news/2019/02/request-public-comments-state=
ful-hash-based-signatures-hbs


Regards,

Quynh.
<https://www.nist.gov/news-events/news/2019/02/request-public-comments-stat=
eful-hash-based-signatures-hbs>

Request for Public Comments on Stateful Hash-Based Signatures (HBS) | NIST<=
https://www.nist.gov/news-events/news/2019/02/request-public-comments-state=
ful-hash-based-signatures-hbs>
www.nist.gov
Summary. NIST is requesting public comments on the intended approval of LMS=
 and XMSS as stateful hash-based signature (HBS) schemes. Questions for con=
sideration and instructions for providing comments by April 1, 2019 are inc=
luded at the bottom of this notice.




--_000_BN8PR09MB36047D73636E89EB5515EC44F3600BN8PR09MB3604namp_--


From nobody Fri Feb 15 04:24:14 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2542D130F82 for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 04:24:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level: 
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuguLBRwNP1J for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 04:24:09 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CBD0128AFB for <spasm@ietf.org>; Fri, 15 Feb 2019 04:24:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=27164; q=dns/txt; s=iport; t=1550233448; x=1551443048; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=kXQZz6Ovl6A7M1PdCHEPzbjlbBe/wUeJv6l0HKpKryQ=; b=Qcw9PQreA6UX05h6+8iUI+tAh+5BZixccut6DdZ/qyushfTzITmbZPUd YqcULs64OBOaoynAsB6CMHprOOSxsoLQdeSH1k27qKcXYH4TAGSEv22hZ RBtL7JiAneQbjhRPlWBtSmxbMrni+CVLl18QUysYCH3ED3uJ4HMsHG83T 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ADAAB0rmZc/49dJa1kGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBUQQBAQEBAQsBgQ11Z4EDJwqDfIgai2SCDXyXG4F7CwE?= =?us-ascii?q?BhGwCF4NRIjQJDQEDAQECAQECbSiFSgEBAQEDIwpcAgEIDgMEAQEkBAMCAgI?= =?us-ascii?q?wFAkIAgQBEgiDGYEOZKtEgS+KMYxEF4FAP4ERgl0HLoUPCR+CU4JXApAlhxe?= =?us-ascii?q?LegkCkkshknmHMoMOkXYCERSBJx84gVZwFYMngiUCGBOOC0ExjxuBHwEB?=
X-IronPort-AV: E=Sophos;i="5.58,372,1544486400";  d="scan'208,217";a="238279842"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Feb 2019 12:24:06 +0000
Received: from XCH-RTP-006.cisco.com (xch-rtp-006.cisco.com [64.101.220.146]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id x1FCO6Of027991 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 15 Feb 2019 12:24:06 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-006.cisco.com (64.101.220.146) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 15 Feb 2019 07:24:05 -0500
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1395.000; Fri, 15 Feb 2019 07:24:05 -0500
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Daniel Van Geest'" <Daniel.VanGeest@isara.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
Thread-Index: AQHUxJnxVohEhVQVQUevr0ST0lgP96XgCSwA//+8BACAAHkigP///rtg
Date: Fri, 15 Feb 2019 12:24:05 +0000
Message-ID: <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com> <006001d4c4b9$dc0bc620$94235260$@augustcellars.com>
In-Reply-To: <006001d4c4b9$dc0bc620$94235260$@augustcellars.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.86.251.167]
Content-Type: multipart/alternative; boundary="_000_9147a087bee84e1db16c2dd75a42f5c5XCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.146, xch-rtp-006.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/X9fuQWSYYY4322prQ6BkAZJOuHo>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 12:24:13 -0000

--_000_9147a087bee84e1db16c2dd75a42f5c5XCHRTP006ciscocom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_9147a087bee84e1db16c2dd75a42f5c5XCHRTP006ciscocom_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
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--_000_9147a087bee84e1db16c2dd75a42f5c5XCHRTP006ciscocom_--


From nobody Fri Feb 15 07:32:36 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34189130FE2 for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 07:32:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZE4lHwXCkZKc for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 07:32:27 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDC42124D68 for <spasm@ietf.org>; Fri, 15 Feb 2019 07:32:26 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 15 Feb 2019 07:32:17 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, <spasm@ietf.org>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com> <006001d4c4b9$dc0bc620$94235260$@augustcellars.com> <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com>
In-Reply-To: <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com>
Date: Fri, 15 Feb 2019 07:32:15 -0800
Message-ID: <009e01d4c543$a3068060$e9138120$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_009F_01D4C500.94E478E0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQI9YiZ+qGL+44kEz+EYRNIFf1pLvwGyW5meAUkd5aoDb2tWuQGm3RzypM80wDA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TiwQfZOqC5X7xx4p0loeQUiyHqs>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 15:32:35 -0000

------=_NextPart_000_009F_01D4C500.94E478E0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The first point referred to putting which algorithms in your proposed =
charter text.

=20

From: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>=20
Sent: Friday, February 15, 2019 4:24 AM
To: Jim Schaad <ietf@augustcellars.com>; 'Daniel Van Geest' =
<Daniel.VanGeest@isara.com>; spasm@ietf.org
Subject: RE: [lamps] Proposed charter text for hash-based signatures in =
X.509 PKI (draft-vangeest-x509-hash-sigs)

=20

=20

From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org> > On =
Behalf Of Jim Schaad
Sent: Thursday, February 14, 2019 6:06 PM
To: 'Daniel Van Geest' <Daniel.VanGeest@isara.com =
<mailto:Daniel.VanGeest@isara.com> >; spasm@ietf.org =
<mailto:spasm@ietf.org>=20
Subject: Re: [lamps] Proposed charter text for hash-based signatures in =
X.509 PKI (draft-vangeest-x509-hash-sigs)

=20

Ok =E2=80=93 so the first change is going to be say which hash-based =
signature algorithms you are dealing with, since it is not all of them.

=20

I believe that just saying HSS (or XMSS or XMSS^MT) would be sufficient; =
the public keys for all three include a parameter set descriptor, which =
declares the hash function to be used (and other parameters, such as the =
tree depth).

=20

=20

As I noted with Russ, there is no guarantee that there is a small =
private key.  If you use a method of deterministic derivation from a =
seed, then it can be.  If you use a good external random number generator =
then the private key is proportional to the number of nodes in the tree.

=20

Well, yes, there is quite a range of possible time/memory trade-offs =
available when storing the private key; if you need to, the private key =
can be expressed in quite a small amount of space (albeit at the expense =
of making the signature generation operation expensive).

=20

Jim

=20

=20

From: Daniel Van Geest <Daniel.VanGeest@isara.com =
<mailto:Daniel.VanGeest@isara.com> >=20
Sent: Thursday, February 14, 2019 12:52 PM
To: Jim Schaad <ietf@augustcellars.com <mailto:ietf@augustcellars.com> =
>; spasm@ietf.org <mailto:spasm@ietf.org>=20
Subject: Re: [lamps] Proposed charter text for hash-based signatures in =
X.509 PKI (draft-vangeest-x509-hash-sigs)

=20

Jim,

=20

We have seen interest in defining similar OIDs for XMSS and XMSS^MT, =
which is not covered in draft-ietf-lamps-cms-hash-sig.

=20

For HSS/LMS, at the time the x509-hash-sigs draft was written, the =
cms-hash-sig draft didn=E2=80=99t define OIDs for signature algorithms =
(it was specified that only SHA-256 would be used with CMS). Since the =
CMS draft now defines the signature algorithm OIDs we=E2=80=99ll have to =
re-evaluate the HSS/LMS sections.  When written, this draft referred to =
the CMS one for some definitions and added other new ones.

=20

Now that the CMS draft defines all the OIDs, you=E2=80=99re right, this =
draft might not need to mention HSS/LMS at all.  Or should there at =
least be some text in there along the lines of =E2=80=9CHSS/LMS OIDs are =
defined in [cms-hash-sigs], BTW you can also use those in =
X.509=E2=80=9D?  Should there also be some small differentiating text =
indicating that in X.509 the HSS/LMS signature octet string is encoded =
as a BIT STRING?  cms-hash-sigs says =E2=80=9CThe signature values is a =
large OCTET STRING.=E2=80=9D, which is accurate for CMS but for X.509 =
the encoding of the signature octets will be a=20
BIT STRING.
=20
[JLS] This is just something that is poorly stated in the current =
document and is not something that needs to be changed.  It would be =
more accurate to say that =E2=80=9CThe signature value is a large byte =
string.=E2=80=9D (or octet string) without using the ASN.1 type.  It is =
then just a string of bytes that is wrapped into some ASN.1 type.
=20
Jim
=20

=20

Thanks,

Daniel

=20

=20

On 2019-02-14, 2:56 PM, "Jim Schaad" <ietf@augustcellars.com =
<mailto:ietf@augustcellars.com> > wrote:

=20

What do you think that is needed to be specified beyond what is =
currently in draft-ietf-lamps-cms-hash-sig?  That document contains the =
pk-HSS-LMS-HashSig structure which describes how to place the public key =
into a Subject Public Key structure. =20

=20

Jim

=20

=20

From: Spasm <spasm-bounces@ietf.org <mailto:spasm-bounces@ietf.org> > On =
Behalf Of Daniel Van Geest
Sent: Thursday, February 14, 2019 11:18 AM
To: spasm@ietf.org <mailto:spasm@ietf.org>=20
Subject: [lamps] Proposed charter text for hash-based signatures in =
X.509 PKI (draft-vangeest-x509-hash-sigs)

=20

Last meeting I presented draft-vangeest-x509-hash-sigs to Secdispatch =
and LAMPS. It was decided the draft would be sent to LAMPS for potential =
inclusion during the recharter. Below I=E2=80=99ve included a draft of =
potential recharter text for the WG=E2=80=99s consideration. I can =
present the draft again in Prague if that=E2=80=99s desired.

=20

X. Specify the use of hash-based signatures in X.509 Public Key

Infrastructure. Hash-based signatures use small private and public keys,

and they have low computational cost.  They are secure even if a

large-scale quantum computer is invented.  The low computational cost

for signature verification makes hash-based signatures attractive in

Internet of Things (IoT) environments.  The use of hash-based signatures

provides quantum resistant authentication in multi-party IoT ecosystems

where publicly trusted code signing certificates are needed.

=20

Thanks,

Daniel

=20


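Daniel's BIT STRING versus OCTET STRING question and Jim's answer that the signature is just a string of bytes wrapped in some ASN.1 type, as an added example that is not from either draft: the same signature bytes wrapped the CMS way (OCTET STRING) and the X.509 way (BIT STRING), with a minimal DER reader that recovers identical bytes from both. The signature bytes are constructed filler; the tags 0x04 and 0x03, the long-form length octets and the leading unused-bits octet of a BIT STRING are standard DER.

```python
"""Same HSS/LMS signature bytes as a CMS OCTET STRING and as an X.509 BIT STRING.

Added example, not code from draft-ietf-lamps-cms-hash-sig or the x509-hash-sigs
draft.  The signature content is constructed filler; a real HSS signature is the
RFC 8554 binary structure, several kilobytes long, and is wrapped exactly the same way.
"""

def der_length(n: int) -> bytes:
    """DER length: one octet below 128, otherwise 0x80|count followed by big-endian count."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_octet_string(data: bytes) -> bytes:
    """CMS SignerInfo.signature: OCTET STRING (tag 0x04) directly around the raw bytes."""
    return b"\x04" + der_length(len(data)) + data

def der_bit_string(data: bytes) -> bytes:
    """X.509 signatureValue: BIT STRING (tag 0x03).  The first content octet is the number
    of unused trailing bits, zero for a byte-aligned signature, so the length grows by one."""
    return b"\x03" + der_length(len(data) + 1) + b"\x00" + data

def der_unwrap(tlv: bytes) -> tuple:
    """Parse one TLV; return (tag, signature bytes), dropping the BIT STRING unused-bits octet."""
    tag, first = tlv[0], tlv[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(tlv[2:2 + n], "big"), 2 + n
    content = tlv[pos:pos + length]
    if pos + length != len(tlv):
        raise ValueError("trailing bytes after TLV")
    if tag == 0x03:
        if content[0] != 0:
            raise ValueError("signature must be byte-aligned (unused bits must be 0)")
        content = content[1:]
    return tag, content

if __name__ == "__main__":
    sig = bytes(range(256)) * 12                       # constructed 3072-byte "signature"
    cms, x509 = der_octet_string(sig), der_bit_string(sig)
    print(cms[:4].hex(), x509[:5].hex(), der_unwrap(cms)[1] == der_unwrap(x509)[1])
```

A verifier that accepts both containers should reject a BIT STRING whose unused-bits octet is non-zero rather than silently masking bits, since the wrapped value is an opaque byte string to the hash-based algorithm.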
------=_NextPart_000_009F_01D4C500.94E478E0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:Courier;
	panose-1:2 7 4 9 2 2 5 2 4 4;}
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:#0563C1;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:#954F72;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:"Courier New";}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.EmailStyle20
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle22
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle23
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle24
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
span.EmailStyle26
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal><span style=3D'font-size:11.0pt'>The first point =
referred to putting which algorithms in your proposed charter =
text.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt'>From:</span></b><span =
style=3D'font-size:11.0pt'> Scott Fluhrer (sfluhrer) =
&lt;sfluhrer@cisco.com&gt; <br><b>Sent:</b> Friday, February 15, 2019 =
4:24 AM<br><b>To:</b> Jim Schaad &lt;ietf@augustcellars.com&gt;; 'Daniel =
Van Geest' &lt;Daniel.VanGeest@isara.com&gt;; =
spasm@ietf.org<br><b>Subject:</b> RE: [lamps] Proposed charter text for =
hash-based signatures in X.509 PKI =
(draft-vangeest-x509-hash-sigs)<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt'>From:</span></b><span =
style=3D'font-size:11.0pt'> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Jim Schaad<br><b>Sent:</b> Thursday, February 14, =
2019 6:06 PM<br><b>To:</b> 'Daniel Van Geest' &lt;<a =
href=3D"mailto:Daniel.VanGeest@isara.com">Daniel.VanGeest@isara.com</a>&g=
t;; <a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a><br><b>Subject:</b> Re: =
[lamps] Proposed charter text for hash-based signatures in X.509 PKI =
(draft-vangeest-x509-hash-sigs)<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'>Ok =E2=80=93 so the first change is going to =
be say which hash-based signature algorithms you are dealing with, since =
it is not all of them.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span style=3D'font-size:11.0pt;color:#1F497D'>I =
believe that just saying HSS (or XMSS or XMSS^MT) would be sufficient; =
the public keys for all three include a parameter set descriptor, which =
declares the hash function to be used (and other parameters, such as the =
tree depth).<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span style=3D'font-size:11.0pt'>As I noted with Russ, =
there is no guarantee that there is a small private key.&nbsp; If you =
use a method of deterministic derivation from a seed, then it an =
be.&nbsp; If you use a good external random number generator then the =
private key is proportional to the number of nodes in the =
tree.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span style=3D'font-size:11.0pt;color:#1F497D'>Well, =
yes, there is quite a range of possible time/memory trade-offs available =
when storing the private key; if you need to, the private key can be =
expressed in quite a small amount of space (albeit at the expense of =
making the signature generation operation =
expensive).<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt'>Jim<o:p></o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt'>From:</span></b><span =
style=3D'font-size:11.0pt'> Daniel Van Geest &lt;<a =
href=3D"mailto:Daniel.VanGeest@isara.com">Daniel.VanGeest@isara.com</a>&g=
t; <br><b>Sent:</b> Thursday, February 14, 2019 12:52 PM<br><b>To:</b> =
Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;; =
<a href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a><br><b>Subject:</b> =
Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI =
(draft-vangeest-x509-hash-sigs)<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
lang=3DEN-CA style=3D'font-size:11.0pt'>Jim,<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA style=3D'font-size:11.0pt'>We have =
seen interest in defining similar OIDs for XMSS and XMSS^MT, which is =
not covered in draft-ietf-lamps-cms-hash-sig.<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA style=3D'font-size:11.0pt'>For =
HSS/LMS, at the time the x509-hash-sigs draft was written, the =
cms-hash-sig draft didn=E2=80=99t define OIDs for signature algorithms =
(it was specified that only SHA-256 would be used with CMS). Since the =
CMS draft now defines the signature algorithm OIDs we=E2=80=99ll have to =
re-evaluate the HSS/LMS sections.&nbsp; When written, this draft =
referred to the CMS one for some definitions and added other new =
ones.<o:p></o:p></span></p><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><pre><span =
lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>Now that the =
CMS draft defines all the OIDs, you=E2=80=99re right, this draft might =
not need to mention HSS/LMS at all.&nbsp; Or should there at least be =
some text in there along the lines of =E2=80=9CHSS/LMS OIDs are defined =
in [cms-hash-sigs], BTW you can also use those in X.509=E2=80=9D? =
&nbsp;Should there also be some small differentiating text indicating =
that in X.509 the HSS/LMS signature octet string is encoded as a BIT =
STRING?&nbsp; cms-hash-sigs says =E2=80=9C</span><span lang=3DEN-CA =
style=3D'color:black'>The signature values is a large OCTET =
STRING.</span><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>=E2=80=9D, =
which is accurate for CMS but for X.509 the encoding of the signature =
octets will be a <o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>BIT =
STRING.<span =
style=3D'color:black'><o:p></o:p></span></span></pre><pre><span =
lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>[JLS] This =
is just something that is poorly stated in the current document and is =
not something that needs to be changed.&nbsp; It would be more accurate =
to say that =E2=80=9CThe signature value is a large byte =
string.=E2=80=9D (or octet string) without using the ASN.1 type.&nbsp; =
It is then just a string of bytes that is wrapped into some ASN.1 =
type.<o:p></o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>Jim<o:p></o:p=
></span></pre><pre><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></pre><p class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Thanks,<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Daniel<o:p></o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p>&nbsp;</o:p></span></p><div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span lang=3DEN-CA>On =
2019-02-14, 2:56 PM, &quot;Jim Schaad&quot; &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt; =
wrote:</span><span lang=3DEN-CA =
style=3D'font-size:11.0pt'><o:p></o:p></span></p></div></div><div><p =
class=3DMsoNormal style=3D'margin-left:.5in'><span =
lang=3DEN-CA><o:p>&nbsp;</o:p></span></p></div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>What do you think that is needed to be =
specified beyond what is currently in =
draft-ietf-lamps-cms-hash-sig?&nbsp; That document contains the =
pk-HSS-LMS-HashSig structure which describes how to place the public key =
into a Subject Public Key structure.&nbsp; </span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Jim</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal =
style=3D'margin-left:.5in'><b><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>From:</span></b><span lang=3DEN-CA =
style=3D'font-size:11.0pt'> Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org">spasm-bounces@ietf.org</a>&gt; =
<b>On Behalf Of </b>Daniel Van Geest<br><b>Sent:</b> Thursday, February =
14, 2019 11:18 AM<br><b>To:</b> <a =
href=3D"mailto:spasm@ietf.org">spasm@ietf.org</a><br><b>Subject:</b> =
[lamps] Proposed charter text for hash-based signatures in X.509 PKI =
(draft-vangeest-x509-hash-sigs)</span><span =
lang=3DEN-CA><o:p></o:p></span></p></div></div><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span =
lang=3DEN-CA>&nbsp;<o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Last meeting I presented =
draft-vangeest-x509-hash-sigs to Secdispatch and LAMPS. It was decided =
the draft would be sent to LAMPS for potential inclusion during the =
recharter. Below I=E2=80=99ve included a draft of potential recharter =
text for the WG=E2=80=99s consideration. I can present the draft again =
in Prague if that=E2=80=99s desired.</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>X. Specify the use of =
hash-based signatures in X.509 Public Key</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>Infrastructure. =
Hash-based signatures use small private and public keys,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>and they have low =
computational cost.&nbsp; They are secure even if a</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>large-scale quantum =
computer is invented.&nbsp; The low computational cost</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>for signature =
verification makes hash-based signatures attractive in</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>Internet of Things (IoT) =
environments.&nbsp; The use of hash-based signatures</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>provides quantum =
resistant authentication in multi-party IoT ecosystems</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:1.0in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt;font-family:Courier'>where publicly trusted =
code signing certificates are needed.</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Thanks,</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>Daniel</span><span =
lang=3DEN-CA><o:p></o:p></span></p><p class=3DMsoNormal =
style=3D'margin-left:.5in'><span lang=3DEN-CA =
style=3D'font-size:11.0pt'>&nbsp;</span><span =
lang=3DEN-CA><o:p></o:p></span></p></div></div></div></div></div></body><=
/html>
------=_NextPart_000_009F_01D4C500.94E478E0--


From nobody Fri Feb 15 14:41:57 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2803F131119 for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 14:41:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8LkBv6ayTYjq for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 14:41:53 -0800 (PST)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0446B131117 for <spasm@ietf.org>; Fri, 15 Feb 2019 14:41:52 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip1.isaracorp.com with ESMTP; 15 Feb 2019 22:41:52 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Fri, 15 Feb 2019 17:41:51 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Fri, 15 Feb 2019 17:41:51 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
Thread-Index: AQHUxJnxVohEhVQVQUevr0ST0lgP96XgCSwA//+8BACAAHkigP///rtggAEU0oCAACQ0AA==
Date: Fri, 15 Feb 2019 22:41:51 +0000
Message-ID: <878196B8-C790-4C16-8040-D7365D045A0D@isara.com>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com> <006001d4c4b9$dc0bc620$94235260$@augustcellars.com> <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com> <009e01d4c543$a3068060$e9138120$@augustcellars.com>
In-Reply-To: <009e01d4c543$a3068060$e9138120$@augustcellars.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_878196B8C7904C168040D7365D045A0Disaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/mYkJCIj64-wz6GPhdr9PpKe8zUU>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 22:41:56 -0000

--_000_878196B8C7904C168040D7365D045A0Disaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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==

--_000_878196B8C7904C168040D7365D045A0Disaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <8451F2EF1454B64980D16F21B9A0E64D@isara.com>
Content-Transfer-Encoding: base64
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--_000_878196B8C7904C168040D7365D045A0Disaracom_--


From nobody Fri Feb 15 14:42:11 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D06B131117 for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 14:42:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0cja5onT7pb for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 14:42:07 -0800 (PST)
Received: from esa2.isaracorp.com (esa2.isaracorp.com [207.107.152.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ACC313111A for <spasm@ietf.org>; Fri, 15 Feb 2019 14:42:07 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR01.isaracorp.com) ([10.5.8.20]) by ip2.isaracorp.com with ESMTP; 15 Feb 2019 22:42:06 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Fri, 15 Feb 2019 17:42:06 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Fri, 15 Feb 2019 17:42:06 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, Jim Schaad <ietf@augustcellars.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
Thread-Index: AQHUxJnxVohEhVQVQUevr0ST0lgP96XgCSwA//+8BACAAHkigP///rtggAE5GIA=
Date: Fri, 15 Feb 2019 22:42:05 +0000
Message-ID: <BE74D53E-9834-464F-9610-82D11840A6C0@isara.com>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com> <006001d4c4b9$dc0bc620$94235260$@augustcellars.com> <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com>
In-Reply-To: <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_BE74D53E9834464F961082D11840A6C0isaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/AyTkBeNg68Z_TYeKbeiu20W9gJE>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 22:42:10 -0000

--_000_BE74D53E9834464F961082D11840A6C0isaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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=

--_000_BE74D53E9834464F961082D11840A6C0isaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <3C5E2A7877873D43ACE761D93D79536A@isara.com>
Content-Transfer-Encoding: base64
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--_000_BE74D53E9834464F961082D11840A6C0isaracom_--


From nobody Fri Feb 15 14:45:47 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5387F12E036 for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 14:45:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QJ8jMn_rs_c8 for <spasm@ietfa.amsl.com>; Fri, 15 Feb 2019 14:45:41 -0800 (PST)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E03CA13110A for <spasm@ietf.org>; Fri, 15 Feb 2019 14:45:40 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR02.isaracorp.com) ([10.5.9.20]) by ip1.isaracorp.com with ESMTP; 15 Feb 2019 22:45:40 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR02.isaracorp.com (10.5.9.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Fri, 15 Feb 2019 17:45:39 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Fri, 15 Feb 2019 17:45:39 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Jim Schaad <ietf@augustcellars.com>, "'Scott Fluhrer (sfluhrer)'" <sfluhrer@cisco.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
Thread-Index: AQHUxJnxVohEhVQVQUevr0ST0lgP96XgCSwA//+8BACAAHkigP///rtggAEU0oCAACQ0AIAAARAA
Date: Fri, 15 Feb 2019 22:45:39 +0000
Message-ID: <CE5C7C53-D70E-4268-B2D7-2C7342868C2C@isara.com>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com> <006001d4c4b9$dc0bc620$94235260$@augustcellars.com> <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com> <009e01d4c543$a3068060$e9138120$@augustcellars.com> <878196B8-C790-4C16-8040-D7365D045A0D@isara.com>
In-Reply-To: <878196B8-C790-4C16-8040-D7365D045A0D@isara.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_CE5C7C53D70E4268B2D72C7342868C2Cisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/xjuKuSzwvAGvBqUo8RvSidUAzic>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Feb 2019 22:45:44 -0000

--_000_CE5C7C53D70E4268B2D72C7342868C2Cisaracom_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
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=

--_000_CE5C7C53D70E4268B2D72C7342868C2Cisaracom_
Content-Type: text/html; charset="utf-8"
Content-ID: <2D8DE69157B8DE489CD6B825484F5695@isara.com>
Content-Transfer-Encoding: base64
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--_000_CE5C7C53D70E4268B2D72C7342868C2Cisaracom_--


From nobody Mon Feb 18 09:39:18 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12493130F3E for <spasm@ietfa.amsl.com>; Mon, 18 Feb 2019 09:39:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KOsr8BVbioMr for <spasm@ietfa.amsl.com>; Mon, 18 Feb 2019 09:39:15 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E363912D4F0 for <spasm@ietf.org>; Mon, 18 Feb 2019 09:39:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 085EE300AB7 for <spasm@ietf.org>; Mon, 18 Feb 2019 12:20:57 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id jz1G58ghJ3Mm for <spasm@ietf.org>; Mon, 18 Feb 2019 12:20:54 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 35BF030017E; Mon, 18 Feb 2019 12:20:54 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <DEE1121A-34D5-4AF9-8737-988C2C8C1985@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6A4D3ADE-E808-4615-A76E-C105F644B993"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Mon, 18 Feb 2019 12:39:10 -0500
In-Reply-To: <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com>
Cc: SPASM <spasm@ietf.org>
To: Scott Fluhrer <sfluhrer@cisco.com>
References: <BN6PR14MB1106523B8FE0E5FFDA2C3D5483900@BN6PR14MB1106.namprd14.prod.outlook.com> <d07ed88179514efd848f3a98e6ef5129@XCH-RTP-006.cisco.com> <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com> <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/6tEPx70Wjbm18xkkNARXP8u3kHA>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 17:39:18 -0000

--Apple-Mail=_6A4D3ADE-E808-4615-A76E-C105F644B993
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Scott:

> Sorry for being late, but I was just re-reviewing the draft, and I
> noticed something odd:
>
> You define id-alg-hss-lms-hashsig-with-sha384 (and sha512); with the
> comment that this specifies the use of SHA-384 to hash the content.
>
> That's not how LMS is designed to work; currently, it uses the same
> hash function to hash the message as it does for all its internal
> hashes.  If you were to replace the initial SHA-256 hash with something
> larger, well, you'd need to tweak the size of the LM-OTS signature (to
> accommodate the larger value being signed), and so that wouldn't be
> clean at all.

Thanks for taking another look.  I am glad that you did!

You are correct that draft-ietf-lamps-cms-hash-sig-01 did not include
AlgorithmIdentifiers for signatures with any hash function other than
SHA-256.  They were added in -02 in response to comments.

There are two cases to consider when signing with CMS:

1) When signed attributes are absent: the signer hashes the content, and
then signs the resulting message digest.

2) When signed attributes are present: the signer hashes the content and
places the resulting message digest in the message-digest attribute,
DER-encodes the set of signed attributes, hashes the encoded attributes,
and then signs the resulting message digest.

It was observed that the hash of the content is the weakest link because
the HSS/LMS signature calculation includes a random value, C.  The
thought was to allow the larger hash value to compensate.

(See https://mailarchive.ietf.org/arch/msg/spasm/cXkpVmAnfFwfp6MxgUHJWjSMHZw)


> For that matter, LMS doesn't do a straight hash of the message;
> instead, it includes a prefix (the point of the prefix, which is
> randomized, is to avoid relying on the collision resistance of
> SHA-256).
>
> Now, I suppose you could SHA-384 hash the message, and then turn
> around and do an LMS signature generate/verify on that hash (which
> would, with the currently defined LMS parameter sets, immediately
> prepend the prefix, and then SHA-256 hash it).  However, if something
> that nonobvious is specified, you need to call it out explicitly (and
> also what do you do with id-alg-hss-lms-hashsig-with-sha256; would that
> also do an initial SHA-256 hash?).
>
> My suggestion would be to combine all three algorithm identifiers into
> a single id-alg-hss-lms-hashsig (and have the parameter set indicator
> within the LMS public key specify which hash is to be used).

I realize the hash function identifier for the HSS/LMS tree(s) is
embedded in the signature value itself.  The reason for the hash
function identifier in the OID is explained above.

If others are comfortable requiring that the same hash function is used
throughout, then we can collapse back to one algorithm identifier.

Russ

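Added example, not code from the draft or from anyone in this thread: it works through the two CMS signing cases Russ lists and then the randomized LM-OTS message hash from RFC 8554, so the position of the plain, unrandomized content hash in the chain (and the two-stage hashing Scott objects to) is visible. It assumes only the Python standard library; the DER helpers are a minimal hand-rolled encoder, and the content, I and C values are constructed.

```python
# Added example (not code from the draft or from anyone in this thread).
# Shows the two CMS signing cases and, below them, the randomized LM-OTS
# message hash from RFC 8554, so the position of the plain content hash in
# the chain is visible. Assumes only the Python standard library; the DER
# helpers are a minimal hand-rolled encoder and all sample values are constructed.
import hashlib
import struct
from typing import Optional

# RFC 8554, section 4.5: Q = H(I || u32str(q) || u16str(D_MESG) || C || message)
D_MESG = 0x8181
# RFC 5652: id-messageDigest, 1.2.840.113549.1.9.4 (pre-encoded OID contents)
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")


def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoding (definite length only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def message_digest_attribute(content_digest: bytes) -> bytes:
    """Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER,
                                 attrValues SET OF AttributeValue }
    with a single OCTET STRING value carrying H(content)."""
    return der_tlv(0x30, der_tlv(0x06, OID_MESSAGE_DIGEST)
                   + der_tlv(0x31, der_tlv(0x04, content_digest)))


def signed_attrs_for_hashing(attrs: list) -> bytes:
    """RFC 5652 section 5.4: the digest for case 2 is computed over the signed
    attributes DER-encoded as a SET OF (tag 0x31), not the [0] IMPLICIT tag
    used on the wire.  DER orders SET OF elements by their encodings; a
    byte-wise sort of the encodings is sufficient for distinct attribute types."""
    return der_tlv(0x31, b"".join(sorted(attrs)))


def cms_value_to_sign(content: bytes, signed_attrs: Optional[list] = None,
                      hash_name: str = "sha256") -> bytes:
    """Return the message digest that the signature algorithm signs.

    Case 1 (signed attributes absent):  H(content).
    Case 2 (signed attributes present): H(DER SET OF signed attributes), where
    the message-digest attribute inside must carry H(content).
    hash_name is the CMS digest algorithm.  This is the unrandomized hash that
    the thread calls the weakest link: a second content with the same digest
    would be signed identically, whatever C the LMS signer picks afterwards."""
    if signed_attrs is None:
        return hashlib.new(hash_name, content).digest()
    return hashlib.new(hash_name, signed_attrs_for_hashing(signed_attrs)).digest()


def lmots_message_hash(I: bytes, q: int, C: bytes, message: bytes,
                       hash_name: str = "sha256") -> bytes:
    """RFC 8554 section 4.5: the value LM-OTS actually signs.  I is the 16-byte
    LMS key identifier, q the leaf index, C the per-signature random prefix.
    The prefix is why the hash inside LMS does not rely on collision resistance."""
    if len(I) != 16:
        raise ValueError("I must be 16 bytes")
    prefix = I + struct.pack(">I", q) + struct.pack(">H", D_MESG) + C
    return hashlib.new(hash_name, prefix + message).digest()


def hss_lms_signing_input(content: bytes, I: bytes, q: int, C: bytes,
                          signed_attrs: Optional[list] = None,
                          cms_hash: str = "sha256") -> bytes:
    """The full chain for one CMS SignerInfo: the CMS digest first (SHA-384 or
    SHA-512 under the -with-shaXXX identifiers), then the SHA-256 LM-OTS hash
    with its prefix.  This is the two-stage hashing that must be spelled out
    explicitly if it is what the identifiers mean."""
    digest = cms_value_to_sign(content, signed_attrs, cms_hash)
    return lmots_message_hash(I, q, C, digest)


if __name__ == "__main__":
    content = b"constructed sample content"
    I = bytes(range(16))            # constructed key identifier
    C = bytes([0x5A]) * 32          # constructed randomizer; a real C is random
    attrs = [message_digest_attribute(hashlib.sha256(content).digest())]
    print("case 1:", cms_value_to_sign(content).hex())
    print("case 2:", cms_value_to_sign(content, attrs).hex())
    print("LM-OTS Q over a SHA-384 content digest:",
          hss_lms_signing_input(content, I, 0, C, cms_hash="sha384").hex())
```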

--Apple-Mail=_6A4D3ADE-E808-4615-A76E-C105F644B993
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" =
class=3D""></body></html>=

--Apple-Mail=_6A4D3ADE-E808-4615-A76E-C105F644B993--


From nobody Mon Feb 18 09:52:44 2019
From: Russ Housley <housley@vigilsec.com>
Message-Id: <FD55A0DA-7097-4C4D-BF6B-F1730A32D485@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B336E630-8566-4E08-8A4E-7E84A3BBF114"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Mon, 18 Feb 2019 12:52:38 -0500
In-Reply-To: <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com>
Cc: "spasm@ietf.org" <spasm@ietf.org>
To: Scott Fluhrer <sfluhrer@cisco.com>, Jim Schaad <ietf@augustcellars.com>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com> <006001d4c4b9$dc0bc620$94235260$@augustcellars.com> <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/bYrtg_ORuyQExDwwnm6wSPwqog0>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)

--Apple-Mail=_B336E630-8566-4E08-8A4E-7E84A3BBF114
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=us-ascii

Jim and Scott:

> As I noted with Russ, there is no guarantee that there is a small
> private key.  If you use a method of deterministic derivation from a
> seed, then it can be.  If you use a good external random number
> generator then the private key is proportional to the number of nodes
> in the tree.
>
> Well, yes, there is quite a range of possible time/memory trade-offs
> available when storing the private key; if you need to, the private key
> can be expressed in quite a small amount of space (albeit at the expense
> of making the signature generation operation expensive).

For draft-ietf-lamps-cms-hash-sig, does this capture your point?

   ... The HSS/LMS private key can be very
   small when the signer is willing to perform additional computation at
   signing time; alternatively, the private key can consume additional
   memory and provide a faster signing time.

Russ

--Apple-Mail=_B336E630-8566-4E08-8A4E-7E84A3BBF114--


From nobody Mon Feb 18 10:13:07 2019
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>, 'Scott Fluhrer' <sfluhrer@cisco.com>
CC: <spasm@ietf.org>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com> <006001d4c4b9$dc0bc620$94235260$@augustcellars.com> <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com> <FD55A0DA-7097-4C4D-BF6B-F1730A32D485@vigilsec.com>
In-Reply-To: <FD55A0DA-7097-4C4D-BF6B-F1730A32D485@vigilsec.com>
Date: Mon, 18 Feb 2019 10:12:55 -0800
Message-ID: <01a001d4c7b5$94302c20$bc908460$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_01A1_01D4C772.860D8860"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/X6t1K_0YD_XPojAO_61EHGyETpY>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)

------=_NextPart_000_01A1_01D4C772.860D8860
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Yes that would capture my issue.  I keep wondering if it is good text for a
charter, but that is a completely different question and one I don't really
care about.

Jim

From: Russ Housley <housley@vigilsec.com> 
Sent: Monday, February 18, 2019 9:53 AM
To: Scott Fluhrer <sfluhrer@cisco.com>; Jim Schaad <ietf@augustcellars.com>
Cc: spasm@ietf.org
Subject: Re: [lamps] Proposed charter text for hash-based signatures in
X.509 PKI (draft-vangeest-x509-hash-sigs)

Jim and Scott:

> As I noted with Russ, there is no guarantee that there is a small private
> key.  If you use a method of deterministic derivation from a seed, then it
> can be.  If you use a good external random number generator then the
> private key is proportional to the number of nodes in the tree.
>
> Well, yes, there is quite a range of possible time/memory trade-offs
> available when storing the private key; if you need to, the private key can
> be expressed in quite a small amount of space (albeit at the expense of
> making the signature generation operation expensive).

For draft-ietf-lamps-cms-hash-sig, does this capture your point?

   ... The HSS/LMS private key can be very
   small when the signer is willing to perform additional computation at
   signing time; alternatively, the private key can consume additional
   memory and provide a faster signing time.

Russ

------=_NextPart_000_01A1_01D4C772.860D8860--


From nobody Mon Feb 18 10:45:16 2019
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>, 'Scott Fluhrer' <sfluhrer@cisco.com>
CC: 'SPASM' <spasm@ietf.org>
References: <BN6PR14MB1106523B8FE0E5FFDA2C3D5483900@BN6PR14MB1106.namprd14.prod.outlook.com> <d07ed88179514efd848f3a98e6ef5129@XCH-RTP-006.cisco.com> <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com> <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com> <DEE1121A-34D5-4AF9-8737-988C2C8C1985@vigilsec.com>
In-Reply-To: <DEE1121A-34D5-4AF9-8737-988C2C8C1985@vigilsec.com>
Date: Mon, 18 Feb 2019 10:45:01 -0800
Message-ID: <01ae01d4c7ba$0ff165f0$2fd431d0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_01AF_01D4C777.01CF1050"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/4uGZ5OB_bB11ppVVDNybRmfr1-w>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

------=_NextPart_000_01AF_01D4C777.01CF1050
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Russ,

In the message below I am getting confused about what hash is being used
for what and where it is being identified.

Case #1 – No signed attributes

HashContent = H1(content)

Signature = HSS-Sign(key, HashContent)

Case #2 – Signed Attributes

HashContent = H1(content)

SignerInfo = <digestAlgorithm = H1, signedAttributes=<MessageDigest=HashContent>>

Signature = HSS-Sign(key, H2(signedAttributes))

The hash algorithm identified in the signature algorithm OID is H1 for
case #1 and H2 for case #2.  (Note: I want these hash algorithms to be
identity.)

In addition there is a third hash algorithm H3 which is the hash
algorithm used for the one-time-signature.  Note that there may be other
hash algorithms H4…Hn as the hash algorithm at each layer in the HSS tree
could be using a different hash algorithm.

When you say that you want to use the same hash algorithm consistently
through all of the processing, what hash algorithms are you talking
about?

jim

From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Monday, February 18, 2019 9:39 AM
To: Scott Fluhrer <sfluhrer@cisco.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

Scott:

> Sorry for being late, but I was just re-reviewing the draft, and I
> noticed something odd:
>
> You define id-alg-hss-lms-hashsig-with-sha384 (and sha512); with the
> comment that this specifies the use of SHA-384 to hash the content.
>
> That’s not how LMS is designed to work; currently, it uses the same
> hash function to hash the message as it does for all its internal
> hashes.  If you were to replace the initial SHA-256 hash with something
> larger, well, you’d need to tweak the size of the LM-OTS signature (to
> accommodate the larger value being signed), and so that wouldn’t be
> clean at all.

Thanks for taking another look.  I am glad that you did!

You are correct that draft-ietf-lamps-cms-hash-sig-01 did not include
AlgorithmIdentifiers for signatures with any hash function other than
SHA-256.  They were added in -02 in response to comments.

There are two cases to consider when signing with CMS:

1) When signed attributes are absent: the signer hashes the content, and
then signs the resulting message digest.

2) When signed attributes are present: the signer hashes the content and
places the resulting message digest in the message-digest attribute,
DER-encodes the set of signed attributes, hashes the encoded attributes,
and then signs the resulting message digest.

It was observed that the hash of the content is the weakest link because
the HSS/LMS signature calculation includes a random value, C.  The
thought was to allow the larger hash value to compensate.

(See https://mailarchive.ietf.org/arch/msg/spasm/cXkpVmAnfFwfp6MxgUHJWjSMHZw)

> For that matter, LMS doesn’t do a straight hash of the message;
> instead, it includes a prefix (the point of the prefix, which is
> randomized, is to avoid relying on the collision resistance of SHA-256).
>
> Now, I suppose you could SHA-384 hash the message, and then turn around
> and do an LMS signature generate/verify on that hash (which would, with
> the currently defined LMS parameter sets, immediately prepend the
> prefix, and then SHA-256 hash it).  However, if something that
> nonobvious is specified, you need to call it out explicitly (and also
> what do you do with id-alg-hss-lms-hashsig-with-sha256; would that also
> do an initial SHA-256 hash?).
>
> My suggestion would be to combine all three algorithm identifiers into a
> single id-alg-hssms-hashsig (and have the parameter set indicator within
> the LMS public key specify which hash is to be used).

I realize the hash function identifier for the HSS/LMS tree(s) is
embedded in the signature value itself.  The reason for the hash
function identifier in the OID is explained above.

If others are comfortable requiring that the same hash function is used
throughout, then we can collapse back to one algorithm identifier.

Russ

------=_NextPart_000_01AF_01D4C777.01CF1050
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:11.0pt;
	font-family:"Calibri",sans-serif;}
span.EmailStyle18
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p =
class=3DMsoNormal>Russ,<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>In the =
message below I am getting confused about what hash is being used for =
what and where it is being identified.<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>Case #1 =
=E2=80=93 No signed attributes<o:p></o:p></p><p class=3DMsoNormal> =
<o:p></o:p></p><p class=3DMsoNormal>HashContent =3D =
H1(content)<o:p></o:p></p><p class=3DMsoNormal>Signature =3D =
HSS-Sign(key, HashContent)<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>Case #2 =
=E2=80=93 Signed Attributes<o:p></o:p></p><p =
class=3DMsoNormal>HashContent =3D H1(content)<o:p></o:p></p><p =
class=3DMsoNormal>SignerInfo =3D &lt;digestAlgorithm =3D H1, =
signedAttributes=3D&lt;MessageDigest=3DHashContent&gt;&gt;<o:p></o:p></p>=
<p class=3DMsoNormal>Signature =3D HSS-Sign(key, =
H2(signedAttributes))<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>The hash =
algorithm identified in the signature algorithm OID is H1 for case #1 =
and H2 for case #2.=C2=A0 (Note: I want these hash algorithms to be =
identity.)<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>In addition there is a third hash algorithm H3 which =
is the hash algorithm used for the one-time-signature.=C2=A0 Note that =
there may be other hash algorithms H4=E2=80=A6.Hn as the hash algorithm =
at each layer in the HSS tree could be using a different hash =
algorithm.<o:p></o:p></p><p class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>When you say that you want to use the same hash =
algorithm consistently through all of the processing, what hash =
algorithms are you talking about?=C2=A0 <o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>jim<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Spasm =
&lt;spasm-bounces@ietf.org&gt; <b>On Behalf Of </b>Russ =
Housley<br><b>Sent:</b> Monday, February 18, 2019 9:39 AM<br><b>To:</b> =
Scott Fluhrer &lt;sfluhrer@cisco.com&gt;<br><b>Cc:</b> SPASM =
&lt;spasm@ietf.org&gt;<br><b>Subject:</b> Re: [lamps] Last Call: =
draft-ietf-lamps-cms-hash-sig-03<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p =
class=3DMsoNormal>Scott:<o:p></o:p></p><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p =
class=3DMsoNormal>Sorry for being late, but I was just re-reviewing the =
draft, and I noticed something odd:<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>You define =
id-alg-hss-lms-hashsig-with-sha384 (and sha512); with the comment that =
this specifies the use SHA-384 to hash the =
content.</span><o:p></o:p></p></div><div><p class=3DMsoNormal><span =
lang=3DEN-GB>&nbsp;</span><o:p></o:p></p></div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>That=E2=80=99s not how LMS is =
designed to work; currently, it uses the same hash function to hash the =
message as it does for all its internal hashes.&nbsp; If you were to =
replace the initial SHA-256 hash with something larger, well, =
you=E2=80=99d need to tweak the size of the LM-OTS signature (to =
accommodate the larger value being signed), and so that wouldn=E2=80=99t =
be clean at all.</span><o:p></o:p></p></div></div></blockquote><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Thanks for taking another look. &nbsp;I am glad that =
you did!<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>You are correct =
that&nbsp;draft-ietf-lamps-cms-hash-sig-01 did not include =
AlgorithmIdentifiers for signatures with any hash function other than =
SHA-256. &nbsp;They were added in -02 in response to =
comments.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>There are two cases to consider when signing with =
CMS:<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><div><p =
class=3DMsoNormal>1) When signed attributes are absent: the signer =
hashes the content, and then signs the resulting message =
digest.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>2) When signed attributes are present: the signer =
hashes the content and places the resulting message digest in the =
message-digest attribute, DER-encodes the set of signed attributes, =
hashes the encoded attributes,&nbsp;and then signs the resulting message =
digest.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>It was observed that the hash of the content is the =
weakest link because the HSS/LMS signature calculation includes a random =
value, C. &nbsp;The thought was to allow the larger hash value to =
compensate.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>(See&nbsp;<a =
href=3D"https://mailarchive.ietf.org/arch/msg/spasm/cXkpVmAnfFwfp6MxgUHJW=
jSMHZw">https://mailarchive.ietf.org/arch/msg/spasm/cXkpVmAnfFwfp6MxgUHJW=
jSMHZw</a>)<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div></div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div><p =
class=3DMsoNormal><span lang=3DEN-GB>For that matter, LMS =
doesn=E2=80=99t do a straight hash of the message; instead, it includes =
a prefix (the point of the prefix, which is randomized, is to avoid =
relying on the collision resistance of =
SHA-256).</span><o:p></o:p></p></div><div><p class=3DMsoNormal><span =
lang=3DEN-GB>&nbsp;</span><o:p></o:p></p></div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>Now, I suppose you could SHA-384 =
hash the message, and then turn around and do an LMS signature =
generate/verify on that hash (which would, with the currently defined =
LMS parameter sets, immediately prepend the prefix, and then SHA-256 =
hash it).&nbsp; However, if something that nonobvious is specified, you =
need to call it out explicitly (and also what do you do with =
id-alg-hss-lms-hashsig-with-sha256; would that also do an initial =
SHA-256 hash?).</span><o:p></o:p></p></div><div><p =
class=3DMsoNormal><span =
lang=3DEN-GB>&nbsp;</span><o:p></o:p></p></div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>My suggestion would be to combine =
all three algorithm identifiers into a single id-alg-hssms-hashsig (and =
have the parameter set indicator within the LMS public key specify which =
hash is to be used).</span><o:p></o:p></p></div></blockquote><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=3DMsoNormal>I =
realize the hash function identifier for the HSS/LMS tree(s) is embedded =
in the signature value itself. &nbsp;The reason for the hash function =
identifier in the OID is explained above.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>If others are comfortable requiring that the same hash =
function is used throughout, then we can collapse back to one algorithm =
identifier.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Russ<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div></div></div></div></div></bo=
dy></html>
------=_NextPart_000_01AF_01D4C777.01CF1050--


From nobody Mon Feb 18 10:48:20 2019
Return-Path: <sfluhrer@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAC8B129508 for <spasm@ietfa.amsl.com>; Mon, 18 Feb 2019 10:48:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level: 
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GBCdlyN3v26X for <spasm@ietfa.amsl.com>; Mon, 18 Feb 2019 10:48:16 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E35B8128AFB for <spasm@ietf.org>; Mon, 18 Feb 2019 10:48:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6451; q=dns/txt; s=iport; t=1550515695; x=1551725295; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=b/x0c+TyWi7W6RCw8yu0f68ns+ptkZUm2ABDMGnnp/c=; b=DlkfnEOp9Y8mCo/blpNNa6NCL7woqPJbE5qti5lme4L6Szbi1voHzosh aytLYm7O8NO23Q1QhQ1XOOiASM0hjgoeZlzO+paMkc1hTP4QxkZK16roa +cA8bRjpLlwpHd2ajs3KsxXGlcp11iIhGXXpf11w1xpvfDkkNLxkskKS2 k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ADAAD7/Gpc/5FdJa1jGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAQGBUQQBAQEBAQsBgQ12Z4EDJwqMFo1ykieFcIF7CwEBhGw?= =?us-ascii?q?Cg3AiNAkNAQMBAQIBAQJtKIVKAQEBAQMtTBACAQgRBAEBJAsyHQgCBAENBQi?= =?us-ascii?q?DGYEOZK0tiimMRBeBQD+DbgcuimECkCaTFAkCkkwhknqHM4MOkXcCERSBJx8?= =?us-ascii?q?4gVZwFYMngicYE44LQTGPGYEfAQE?=
X-IronPort-AV: E=Sophos;i="5.58,385,1544486400";  d="scan'208,217";a="520401899"
Received: from rcdn-core-9.cisco.com ([173.37.93.145]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 18 Feb 2019 18:48:14 +0000
Received: from XCH-RTP-008.cisco.com (xch-rtp-008.cisco.com [64.101.220.148]) by rcdn-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x1IImEGE030647 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 18 Feb 2019 18:48:14 GMT
Received: from xch-rtp-006.cisco.com (64.101.220.146) by XCH-RTP-008.cisco.com (64.101.220.148) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 18 Feb 2019 13:48:13 -0500
Received: from xch-rtp-006.cisco.com ([64.101.220.146]) by XCH-RTP-006.cisco.com ([64.101.220.146]) with mapi id 15.00.1395.000; Mon, 18 Feb 2019 13:48:13 -0500
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Russ Housley <housley@vigilsec.com>, Jim Schaad <ietf@augustcellars.com>
CC: "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
Thread-Index: AQHUxJnxVohEhVQVQUevr0ST0lgP96XgCSwA//+8BACAAHkigP///rtggAXzCQD//7uQgA==
Date: Mon, 18 Feb 2019 18:48:13 +0000
Message-ID: <818077042bba4cca9518b1c91657f5c8@XCH-RTP-006.cisco.com>
References: <23941778-AE9E-4708-88A9-8965F2252EAE@isara.com> <003901d4c49f$49c7c4e0$dd574ea0$@augustcellars.com> <8E8592C1-684F-4B64-B1E2-D039169204CA@isara.com> <006001d4c4b9$dc0bc620$94235260$@augustcellars.com> <9147a087bee84e1db16c2dd75a42f5c5@XCH-RTP-006.cisco.com> <FD55A0DA-7097-4C4D-BF6B-F1730A32D485@vigilsec.com>
In-Reply-To: <FD55A0DA-7097-4C4D-BF6B-F1730A32D485@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.51]
Content-Type: multipart/alternative; boundary="_000_818077042bba4cca9518b1c91657f5c8XCHRTP006ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.148, xch-rtp-008.cisco.com
X-Outbound-Node: rcdn-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/sw_QvKo3PSqswHhxTSAmyv1LQ4o>
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 18:48:18 -0000

--_000_818077042bba4cca9518b1c91657f5c8XCHRTP006ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

That works for me...

From: Russ Housley <housley@vigilsec.com>
Sent: Monday, February 18, 2019 12:53 PM
To: Scott Fluhrer (sfluhrer) <sfluhrer@cisco.com>; Jim Schaad <ietf@augustcellars.com>
Cc: spasm@ietf.org
Subject: Re: [lamps] Proposed charter text for hash-based signatures in X.509 PKI (draft-vangeest-x509-hash-sigs)

Jim and Scott:

> As I noted with Russ, there is no guarantee that there is a small private key.  If you use a method of deterministic derivation from a seed, then it can be.  If you use a good external random number generator then the private key is proportional to the number of nodes in the tree.

> Well, yes, there is quite a range of possible time/memory trade-offs available when storing the private key; if you need to, the private key can be expressed in quite a small amount of space (albeit at the expense of making the signature generation operation expensive).


For draft-ietf-lamps-cms-hash-sig, does this capture your point?

   ... The HSS/LMS private key can be very
   small when the signer is willing to perform additional computation at
   signing time; alternatively, the private key can consume additional
   memory and provide a faster signing time.

Russ

--_000_818077042bba4cca9518b1c91657f5c8XCHRTP006ciscocom_--
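
Added example for the private-key size trade-off that Russ's proposed text above captures. This is my own illustration, not code from the thread, from draft-ietf-lamps-cms-hash-sig, or from RFC 8554; it assumes the LMOTS_SHA256_N32_W8 parameter set (n = 32, w = 8, p = 34) and the pseudorandom derivation of RFC 8554 Appendix A, x_q[i] = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED). With that derivation the stored private key is only (I, SEED, q), and the cost is that the signer must regenerate the LM-OTS values for a leaf before it can sign with it. The block rebuilds the LM-OTS public key of one leaf from the compact key, counts the SHA-256 calls that costs, and reports the size of the alternative of keeping every x value in memory. The identifier I and the SEED are constructed values, not real key material.

```python
import hashlib
import struct

# Parameter set LMOTS_SHA256_N32_W8 (RFC 8554 Section 4.1, typecode 4).
N = 32            # bytes of SHA-256 output
W = 8             # Winternitz parameter: 2^W - 1 = 255 hash steps per chain
P = 34            # n-byte elements per LM-OTS private key for w = 8
D_PBLC = 0x8080   # domain separator for the LM-OTS public key hash (Section 4.3)
SEED_KEY_BYTES = 16 + N + 4   # I (16) || SEED (n) || next unused leaf q (u32)


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def u32(x: int) -> bytes:
    return struct.pack(">I", x)


def u16(x: int) -> bytes:
    return struct.pack(">H", x)


def u8(x: int) -> bytes:
    return struct.pack(">B", x)


def derive_x(I: bytes, seed: bytes, q: int, i: int) -> bytes:
    """x_q[i] = H(I || u32str(q) || u16str(i) || u8str(0xff) || SEED),
    the pseudorandom private-value derivation of RFC 8554 Appendix A.
    The 0xff byte cannot collide with a chain step, since j <= 2^w - 2 = 254."""
    return H(I, u32(q), u16(i), u8(0xFF), seed)


def lmots_public_key(I: bytes, seed: bytes, q: int):
    """Recompute the LM-OTS public key K for leaf q from the compact key
    (I, SEED, q) as in RFC 8554 Section 4.3, and count the hash calls it costs.
    A signer that stores the expanded x values skips one call per chain; a
    signer that caches K (or the whole tree) skips all of them but stores more."""
    calls = 0
    ys = []
    for i in range(P):
        tmp = derive_x(I, seed, q, i)
        calls += 1
        for j in range(2 ** W - 1):       # j = 0 .. 254
            tmp = H(I, u32(q), u16(i), u8(j), tmp)
            calls += 1
        ys.append(tmp)
    K = H(I, u32(q), u16(D_PBLC), *ys)
    calls += 1
    return K, calls


def expanded_private_key_bytes(h: int) -> int:
    """Bytes needed to store every x_q[i] for a tree of height h (2^h leaves)
    instead of regenerating them from SEED on demand."""
    return (2 ** h) * P * N


# Constructed inputs for illustration only. A real I and SEED must come from a
# good random number generator, and a SEED is never shared between trees.
EXAMPLE_I = bytes(range(16))
EXAMPLE_SEED = hashlib.sha256(b"constructed example seed, not a real key").digest()

if __name__ == "__main__":
    K, calls = lmots_public_key(EXAMPLE_I, EXAMPLE_SEED, q=0)
    print("leaf 0 LM-OTS public key:", K.hex())
    print("SHA-256 calls to rebuild it from the seed:", calls)
    print("compact private key bytes:", SEED_KEY_BYTES)
    for h in (5, 10, 20):
        print(f"h={h}: expanded private key = {expanded_private_key_bytes(h):,} bytes")
```

For w = 8 each leaf costs 34 * 256 + 1 = 8705 hash calls to rebuild, against 52 bytes of state; storing the x values for an h = 10 tree instead takes 2^10 * 34 * 32 bytes, a little over 1 MiB, and an h = 20 tree over 1 GiB. Either way the leaf counter q is the one piece of state that must be updated durably before a signature is released, because reusing a leaf breaks the one-time property regardless of how the key is stored.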


From nobody Fri Feb 22 13:14:20 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09688130E79 for <spasm@ietfa.amsl.com>; Fri, 22 Feb 2019 13:14:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gca0jt3xz_LX for <spasm@ietfa.amsl.com>; Fri, 22 Feb 2019 13:14:15 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8A755130E5F for <spasm@ietf.org>; Fri, 22 Feb 2019 13:14:15 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 90FDD300ABA for <spasm@ietf.org>; Fri, 22 Feb 2019 15:55:57 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id FGRoHKXN_QSf for <spasm@ietf.org>; Fri, 22 Feb 2019 15:55:54 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 8FED3300595; Fri, 22 Feb 2019 15:55:54 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <34B766D5-17BF-47B3-BC76-02EAECF8FB7C@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_130DBAF0-B878-48BD-9BAB-4EA1E0608BAA"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Fri, 22 Feb 2019 16:14:11 -0500
In-Reply-To: <01ae01d4c7ba$0ff165f0$2fd431d0$@augustcellars.com>
Cc: SPASM <spasm@ietf.org>
To: Jim Schaad <ietf@augustcellars.com>, Scott Fluhrer <sfluhrer@cisco.com>
References: <BN6PR14MB1106523B8FE0E5FFDA2C3D5483900@BN6PR14MB1106.namprd14.prod.outlook.com> <d07ed88179514efd848f3a98e6ef5129@XCH-RTP-006.cisco.com> <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com> <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com> <DEE1121A-34D5-4AF9-8737-988C2C8C1985@vigilsec.com> <01ae01d4c7ba$0ff165f0$2fd431d0$@augustcellars.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/uTsCIuqeojWBTRAaGTU4lRvn0ME>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 21:14:19 -0000

--Apple-Mail=_130DBAF0-B878-48BD-9BAB-4EA1E0608BAA
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8

Jim and Scott:

Instead of saying what the current draft says, let's focus on what we want it to say.

I think that the draft can be less complex.  In all cases,

(1) the digestAlgorithm in SignerInfo MUST be set to the hash algorithm used in the HSS/LMS tree, which is currently only SHA-256; and

(2) the signatureAlgorithm in SignerInfo MUST contain id-alg-hss-lms-hashsig.  Note that the "with-sha256" is removed.  The hash function used by the signer can be learned from the digestAlgorithm or from the signature value itself.

Then, we need to specify two cases:

Case #1 -- No signed attributes -- the HSS/LMS signature is computed over the content as specified in [HASHSIG].

Case #2 -- Signed Attributes -- there are a few steps:

(a) compute a hash over the content using the hash function identified in digestAlgorithm:

	HashContent = H(content)

(b) gather all of the attributes to be signed, which MUST include a content-type attribute and a message-digest attribute.  Then, DER encode the set of attributes.

	DER(SET(attr1, attr2, ...))

(c) the HSS/LMS signature is computed over the output of the DER encode operation as specified in [HASHSIG].

Does this address all of the comments that have been raised to date?

Russ


> On Feb 18, 2019, at 1:45 PM, Jim Schaad <ietf@augustcellars.com> wrote:
> 
> Russ,
> 
> In the message below I am getting confused about what hash is being used for what and where it is being identified.
> 
> Case #1 – No signed attributes
> HashContent = H1(content)
> Signature = HSS-Sign(key, HashContent)
> 
> Case #2 – Signed Attributes
> HashContent = H1(content)
> SignerInfo = <digestAlgorithm = H1, signedAttributes=<MessageDigest=HashContent>>
> Signature = HSS-Sign(key, H2(signedAttributes))
> 
> The hash algorithm identified in the signature algorithm OID is H1 for case #1 and H2 for case #2.  (Note: I want these hash algorithms to be identity.)
> 
> In addition there is a third hash algorithm H3 which is the hash algorithm used for the one-time-signature.  Note that there may be other hash algorithms H4….Hn as the hash algorithm at each layer in the HSS tree could be using a different hash algorithm.
> 
> When you say that you want to use the same hash algorithm consistently through all of the processing, what hash algorithms are you talking about?
> 
> jim
> 
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Monday, February 18, 2019 9:39 AM
> To: Scott Fluhrer <sfluhrer@cisco.com>
> Cc: SPASM <spasm@ietf.org>
> Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03
> 
> Scott:
> 
>> Sorry for being late, but I was just re-reviewing the draft, and I noticed something odd:
>> 
>> You define id-alg-hss-lms-hashsig-with-sha384 (and sha512); with the comment that this specifies the use SHA-384 to hash the content.
>> 
>> That’s not how LMS is designed to work; currently, it uses the same hash function to hash the message as it does for all its internal hashes.  If you were to replace the initial SHA-256 hash with something larger, well, you’d need to tweak the size of the LM-OTS signature (to accommodate the larger value being signed), and so that wouldn’t be clean at all.
> 
> Thanks for taking another look.  I am glad that you did!
> 
> You are correct that draft-ietf-lamps-cms-hash-sig-01 did not include AlgorithmIdentifiers for signatures with any hash function other than SHA-256.  They were added in -02 in response to comments.
> 
> There are two cases to consider when signing with CMS:
> 
> 1) When signed attributes are absent: the signer hashes the content, and then signs the resulting message digest.
> 
> 2) When signed attributes are present: the signer hashes the content and places the resulting message digest in the message-digest attribute, DER-encodes the set of signed attributes, hashes the encoded attributes, and then signs the resulting message digest.
> 
> It was observed that the hash of the content is the weakest link because the HSS/LMS signature calculation includes a random value, C.  The thought was to allow the larger hash value to compensate.
> 
> (See https://mailarchive.ietf.org/arch/msg/spasm/cXkpVmAnfFwfp6MxgUHJWjSMHZw)
> 
>> For that matter, LMS doesn’t do a straight hash of the message; instead, it includes a prefix (the point of the prefix, which is randomized, is to avoid relying on the collision resistance of SHA-256).
>> 
>> Now, I suppose you could SHA-384 hash the message, and then turn around and do an LMS signature generate/verify on that hash (which would, with the currently defined LMS parameter sets, immediately prepend the prefix, and then SHA-256 hash it).  However, if something that nonobvious is specified, you need to call it out explicitly (and also what do you do with id-alg-hss-lms-hashsig-with-sha256; would that also do an initial SHA-256 hash?).
>> 
>> My suggestion would be to combine all three algorithm identifiers into a single id-alg-hssms-hashsig (and have the parameter set indicator within the LMS public key specify which hash is to be used).
> 
> I realize the hash function identifier for the HSS/LMS tree(s) is embedded in the signature value itself.  The reason for the hash function identifier in the OID is explained above.
> 
> If others are comfortable requiring that the same hash function is used throughout, then we can collapse back to one algorithm identifier.
> 
> Russ
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

--Apple-Mail=_130DBAF0-B878-48BD-9BAB-4EA1E0608BAA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
	charset=utf-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; line-break: after-white-space;" class=3D"">Jim =
and Scott:<div class=3D""><br class=3D""></div><div class=3D"">Instead =
of saying what the current draft says, let's focus on what we want it to =
say.</div><div class=3D""><br class=3D""></div><div class=3D"">I think =
that the draft can be less complex. &nbsp;In all cases,</div><div =
class=3D""><br class=3D""></div><div class=3D"">(1) =
the&nbsp;digestAlgorithm in SignerInfo MUST be set to the hash algorithm =
used in the HSS/LMS tree, which is currently only SHA-256; and</div><div =
class=3D""><br class=3D""></div><div class=3D"">(2) the =
signatureAlgorithm&nbsp;&nbsp;in SignerInfo MUST&nbsp;contain =
id-alg-hss-lms-hashsig. &nbsp;Note that the "with-sha256" is removed. =
&nbsp;The hash function used by the signer can be learned from the =
digestAlgorithm or from the signature value itself.</div><div =
class=3D""><br class=3D""></div><div class=3D"">Then, we need to specify =
two cases:</div><div class=3D""><br class=3D""></div><div class=3D""><div =
class=3D"">Case #1 -- No signed attributes -- the HSS/LMS signature is =
computed over the content as specified in [HASHSIG].</div><div =
class=3D""><br class=3D""></div><div class=3D"">Case #2 -- Signed =
Attributes -- there are a few steps:</div><div class=3D""><br =
class=3D""></div><div class=3D"">(a) compute a hash over the content =
using the hash function identified in digestAlgorithm:</div><div =
class=3D""><br class=3D""></div><div class=3D""><span =
class=3D"Apple-tab-span" style=3D"white-space:pre">	=
</span>HashContent =3D H(content)</div><div class=3D""><br =
class=3D""></div><div class=3D"">(b) gather all of the attributes to be =
signed, which MUST include a content-type attribute and =
a&nbsp;message-digest attribute. &nbsp;Then, DER encode the set of =
attributes.</div><div class=3D""><br class=3D""></div><div =
class=3D""><span class=3D"Apple-tab-span" style=3D"white-space:pre">	=
</span>DER(SET(attr1, attr2, ...))</div><div class=3D""><br =
class=3D""></div><div class=3D""><div class=3D"">(c) the HSS/LMS =
signature is computed over the output of the DER encode operation as =
specified in [HASHSIG].</div></div><div class=3D""><br =
class=3D""></div><div class=3D"">Does this address all of the comments =
that have been raised to date?</div><div class=3D""><br =
class=3D""></div><div class=3D"">Russ</div><div class=3D""><br =
class=3D""></div><div class=3D""><br class=3D""></div><div><blockquote =
type=3D"cite" class=3D""><div class=3D"">On Feb 18, 2019, at 1:45 PM, =
Jim Schaad &lt;<a href=3D"mailto:ietf@augustcellars.com" =
class=3D"">ietf@augustcellars.com</a>&gt; wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div =
class=3D"WordSection1" style=3D"page: WordSection1; caret-color: rgb(0, =
0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; =
font-variant-caps: normal; font-weight: normal; letter-spacing: normal; =
text-align: start; text-indent: 0px; text-transform: none; white-space: =
normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; =
text-decoration: none;"></div></div></blockquote></div><br class=3D""></div></body></html>=

--Apple-Mail=_130DBAF0-B878-48BD-9BAB-4EA1E0608BAA--


From nobody Fri Feb 22 14:19:11 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61687130E83 for <spasm@ietfa.amsl.com>; Fri, 22 Feb 2019 14:19:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eQh7LkPMYC_q for <spasm@ietfa.amsl.com>; Fri, 22 Feb 2019 14:19:06 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7979F12D861 for <spasm@ietf.org>; Fri, 22 Feb 2019 14:19:05 -0800 (PST)
Received: from Jude (50.252.25.182) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 22 Feb 2019 14:19:00 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>, 'Scott Fluhrer' <sfluhrer@cisco.com>
CC: 'SPASM' <spasm@ietf.org>
References: <BN6PR14MB1106523B8FE0E5FFDA2C3D5483900@BN6PR14MB1106.namprd14.prod.outlook.com> <d07ed88179514efd848f3a98e6ef5129@XCH-RTP-006.cisco.com> <29800B65-CE39-4BA4-B6D1-F2E6F870E1D6@vigilsec.com> <13aac7fd60a04eb2b56507808b4d17c9@XCH-RTP-006.cisco.com> <DEE1121A-34D5-4AF9-8737-988C2C8C1985@vigilsec.com> <01ae01d4c7ba$0ff165f0$2fd431d0$@augustcellars.com> <34B766D5-17BF-47B3-BC76-02EAECF8FB7C@vigilsec.com>
In-Reply-To: <34B766D5-17BF-47B3-BC76-02EAECF8FB7C@vigilsec.com>
Date: Fri, 22 Feb 2019 14:18:58 -0800
Message-ID: <03a401d4cafc$9d27d630$d7778290$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_03A5_01D4CAB9.8F0B7400"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHs2acs3Ap8Rl0zFnLm85YBzdnF+AJ3Vpi/An7G+JECfGOzowJlsgkVAb1HJ0sBm9S9W6VSu11Q
Content-Language: en-us
X-Originating-IP: [50.252.25.182]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/J31kqWyfCBikD8JxNwY_TM3rOYA>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

------=_NextPart_000_03A5_01D4CAB9.8F0B7400
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Yes, I think that this is what the document needs to say.

From: Russ Housley <housley@vigilsec.com>
Sent: Friday, February 22, 2019 1:14 PM
To: Jim Schaad <ietf@augustcellars.com>; Scott Fluhrer <sfluhrer@cisco.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

Jim and Scott:

Instead of saying what the current draft says, let's focus on what we want it to say.

I think that the draft can be less complex.  In all cases,

(1) the digestAlgorithm in SignerInfo MUST be set to the hash algorithm used in the HSS/LMS tree, which is currently only SHA-256; and

(2) the signatureAlgorithm in SignerInfo MUST contain id-alg-hss-lms-hashsig.  Note that the "with-sha256" is removed.  The hash function used by the signer can be learned from the digestAlgorithm or from the signature value itself.

Then, we need to specify two cases:

Case #1 -- No signed attributes -- the HSS/LMS signature is computed over the content as specified in [HASHSIG].

Case #2 -- Signed Attributes -- there are a few steps:

(a) compute a hash over the content using the hash function identified in digestAlgorithm:

              HashContent = H(content)

(b) gather all of the attributes to be signed, which MUST include a content-type attribute and a message-digest attribute.  Then, DER encode the set of attributes.

              DER(SET(attr1, attr2, ...))

(c) the HSS/LMS signature is computed over the output of the DER encode operation as specified in [HASHSIG].

Does this address all of the comments that have been raised to date?

Russ


On Feb 18, 2019, at 1:45 PM, Jim Schaad <ietf@augustcellars.com> wrote:

Russ,

In the message below I am getting confused about what hash is being used for what and where it is being identified.

Case #1 – No signed attributes

HashContent = H1(content)

Signature = HSS-Sign(key, HashContent)

Case #2 – Signed Attributes

HashContent = H1(content)

SignerInfo = <digestAlgorithm = H1, signedAttributes=<MessageDigest=HashContent>>

Signature = HSS-Sign(key, H2(signedAttributes))

The hash algorithm identified in the signature algorithm OID is H1 for case #1 and H2 for case #2.  (Note: I want these hash algorithms to be identity.)

In addition there is a third hash algorithm H3 which is the hash algorithm used for the one-time-signature.  Note that there may be other hash algorithms H4…Hn as the hash algorithm at each layer in the HSS tree could be using a different hash algorithm.

When you say that you want to use the same hash algorithm consistently through all of the processing, what hash algorithms are you talking about?

jim


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
Sent: Monday, February 18, 2019 9:39 AM
To: Scott Fluhrer <sfluhrer@cisco.com>
Cc: SPASM <spasm@ietf.org>
Subject: Re: [lamps] Last Call: draft-ietf-lamps-cms-hash-sig-03

Scott:


Sorry for being late, but I was just re-reviewing the draft, and I noticed something odd:

You define id-alg-hss-lms-hashsig-with-sha384 (and sha512); with the comment that this specifies the use of SHA-384 to hash the content.

That’s not how LMS is designed to work; currently, it uses the same hash function to hash the message as it does for all its internal hashes.  If you were to replace the initial SHA-256 hash with something larger, well, you’d need to tweak the size of the LM-OTS signature (to accommodate the larger value being signed), and so that wouldn’t be clean at all.

=20

Thanks for taking another look.  I am glad that you did!

You are correct that draft-ietf-lamps-cms-hash-sig-01 did not include AlgorithmIdentifiers for signatures with any hash function other than SHA-256.  They were added in -02 in response to comments.

There are two cases to consider when signing with CMS:

1) When signed attributes are absent: the signer hashes the content, and then signs the resulting message digest.

2) When signed attributes are present: the signer hashes the content and places the resulting message digest in the message-digest attribute, DER-encodes the set of signed attributes, hashes the encoded attributes, and then signs the resulting message digest.

It was observed that the hash of the content is the weakest link because the HSS/LMS signature calculation includes a random value, C.  The thought was to allow the larger hash value to compensate.

(See https://mailarchive.ietf.org/arch/msg/spasm/cXkpVmAnfFwfp6MxgUHJWjSMHZw)


For that matter, LMS doesn’t do a straight hash of the message; instead, it includes a prefix (the point of the prefix, which is randomized, is to avoid relying on the collision resistance of SHA-256).

Now, I suppose you could SHA-384 hash the message, and then turn around and do an LMS signature generate/verify on that hash (which would, with the currently defined LMS parameter sets, immediately prepend the prefix, and then SHA-256 hash it).  However, if something that non-obvious is specified, you need to call it out explicitly (and also what do you do with id-alg-hss-lms-hashsig-with-sha256; would that also do an initial SHA-256 hash?).

My suggestion would be to combine all three algorithm identifiers into a single id-alg-hssms-hashsig (and have the parameter set indicator within the LMS public key specify which hash is to be used).

=20

I realize the hash function identifier for the HSS/LMS tree(s) is embedded in the signature value itself.  The reason for the hash function identifier in the OID is explained above.

If others are comfortable requiring that the same hash function is used throughout, then we can collapse back to one algorithm identifier.

Russ

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

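The two cases Russ sets out in his Feb 22 message (the same two he describes in the quoted Feb 18 reply), worked through in Python as an added example that is neither the draft's text nor code from anyone in the thread: only the LM-OTS layer of RFC 8554 (parameter set LMOTS_SHA256_N32_W8) is implemented, standing in for the full HSS/LMS signer, which is enough to show that the signer hashes its input itself under the randomized prefix I || q || D_MESG || C, so CMS hands it raw bytes (the content in Case #1, the DER-encoded SET OF signed attributes in Case #2). Assumed: the tree identifier I, leaf index q, randomizer C and the content are constructed values, the attribute OIDs are the real ones from RFC 5652, and every one-time key signs exactly once.

```python
import hashlib
import os

# LMOTS_SHA256_N32_W8 (RFC 8554): n = 32 byte hash, w = 8 bit coefficients, p = 34 chains, ls = 0.
N, W, P = 32, 8, 34
D_PBLC = b"\x80\x80"  # RFC 8554 domain separator, public key hash
D_MESG = b"\x81\x81"  # RFC 8554 domain separator, message hash
OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"    # CMS / PKCS#9 identifiers from RFC 5652
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"
OID_DATA = "1.2.840.113549.1.7.1"

def H(*parts): return hashlib.sha256(b"".join(parts)).digest()
def u32(v): return v.to_bytes(4, "big")
def u16(v): return v.to_bytes(2, "big")

def chain(I, q, i, start, end, x):
    """Walk hash chain i from iteration start up to, not including, end."""
    for j in range(start, end):
        x = H(I, u32(q), u16(i), bytes([j]), x)
    return x

def checksum(Q):
    # Cksm(Q) of RFC 8554; with w = 8 each coefficient is one byte and ls = 0.
    return u16(sum((2 ** W - 1) - b for b in Q))

def lmots_keygen(I, q, rng=os.urandom):
    """Return (private chain starts x, public key K) for leaf q of tree I."""
    x = [rng(N) for _ in range(P)]
    y = [chain(I, q, i, 0, 2 ** W - 1, x[i]) for i in range(P)]
    return x, H(I, u32(q), D_PBLC, *y)

def lmots_sign(I, q, x, message, C):
    # The signature hashes the message itself under the randomized prefix
    # I || u32str(q) || D_MESG || C (RFC 8554, Algorithm 3); CMS passes raw bytes.
    Q = H(I, u32(q), D_MESG, C, message)
    coefs = Q + checksum(Q)
    return C, [chain(I, q, i, 0, coefs[i], x[i]) for i in range(P)]

def lmots_verify(I, q, K, message, sig):
    C, y = sig
    Q = H(I, u32(q), D_MESG, C, message)
    coefs = Q + checksum(Q)
    z = [chain(I, q, i, coefs[i], 2 ** W - 1, y[i]) for i in range(P)]
    return H(I, u32(q), D_PBLC, *z) == K

def der(tag, body):  # minimal DER TLV, enough for Attribute and SET OF Attribute
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        enc = bytearray([a & 0x7F])
        a >>= 7
        while a:
            enc.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += enc
    return der(0x06, bytes(out))

def attribute(oid, value):
    # Attribute ::= SEQUENCE { attrType OBJECT IDENTIFIER, attrValues SET OF ANY }
    return der(0x30, der_oid(oid) + der(0x31, value))

def message_digest_attr(content):
    # Step (a): HashContent = H(content), H = SHA-256 = the LMS tree hash, per rule (1).
    return attribute(OID_MESSAGE_DIGEST, der(0x04, hashlib.sha256(content).digest()))

def signed_attrs_der(content):
    # Step (b): DER(SET(attr1, attr2, ...)); DER orders SET OF members by encoding.
    attrs = [attribute(OID_CONTENT_TYPE, der_oid(OID_DATA)), message_digest_attr(content)]
    return der(0x31, b"".join(sorted(attrs)))

def cms_sign(I, q, x, content, C, with_attrs):
    """Case #1 signs the content itself; Case #2 signs the DER output (step (c))."""
    message = signed_attrs_der(content) if with_attrs else content
    return lmots_sign(I, q, x, message, C)

def cms_verify(I, q, K, content, sig, signed_attrs=None):
    """Verifier: check the message-digest attribute, then verify over the same bytes."""
    if signed_attrs is None:
        return lmots_verify(I, q, K, content, sig)
    if message_digest_attr(content) not in signed_attrs:  # digest must match the content
        return False
    return lmots_verify(I, q, K, signed_attrs, sig)

if __name__ == "__main__":  # constructed inputs; each LM-OTS leaf signs exactly once
    I, C, content = os.urandom(16), os.urandom(32), b"constructed content"
    x0, K0 = lmots_keygen(I, 0)
    print(cms_verify(I, 0, K0, content, cms_sign(I, 0, x0, content, C, False)))
    x1, K1 = lmots_keygen(I, 1)
    sig1, attrs = cms_sign(I, 1, x1, content, C, True), signed_attrs_der(content)
    print(cms_verify(I, 1, K1, content, sig1, attrs))
```

Because the one-time signature hashes its own input, Jim's H2 in Case #2 is not a separate CMS-level hash: the DER-encoded attribute set goes into the signer as is, and the only hash a CMS implementation computes itself is HashContent for the message-digest attribute.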


------=_NextPart_000_03A5_01D4CAB9.8F0B7400
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p class=3DMsoNormal>Yes I =
think that this is what the document needs to say.<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b>From:</b> Russ =
Housley &lt;housley@vigilsec.com&gt; <br><b>Sent:</b> Friday, February =
22, 2019 1:14 PM<br><b>To:</b> Jim Schaad =
&lt;ietf@augustcellars.com&gt;; Scott Fluhrer =
&lt;sfluhrer@cisco.com&gt;<br><b>Cc:</b> SPASM =
&lt;spasm@ietf.org&gt;<br><b>Subject:</b> Re: [lamps] Last Call: =
draft-ietf-lamps-cms-hash-sig-03<o:p></o:p></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal>Jim and =
Scott:<o:p></o:p></p><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Instead of saying what the current draft says, let's =
focus on what we want it to say.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p class=3DMsoNormal>I =
think that the draft can be less complex. &nbsp;In all =
cases,<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>(1) the&nbsp;digestAlgorithm in SignerInfo MUST be set =
to the hash algorithm used in the HSS/LMS tree, which is currently only =
SHA-256; and<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>(2) the signatureAlgorithm&nbsp;&nbsp;in SignerInfo =
MUST&nbsp;contain id-alg-hss-lms-hashsig. &nbsp;Note that the =
&quot;with-sha256&quot; is removed. &nbsp;The hash function used by the =
signer can be learned from the digestAlgorithm or from the signature =
value itself.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Then, we need to specify two =
cases:<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><div><p =
class=3DMsoNormal>Case #1 -- No signed attributes -- the HSS/LMS =
signature is computed over the content as specified in =
[HASHSIG].<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Case #2 -- Signed Attributes -- there are a few =
steps:<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>(a) compute a hash over the content using the hash =
function identified in digestAlgorithm:<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal><span =
class=3Dapple-tab-span>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>HashContent =3D =
H(content)<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>(b) gather all of the attributes to be signed, which =
MUST include a content-type attribute and a&nbsp;message-digest =
attribute. &nbsp;Then, DER encode the set of =
attributes.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal><span =
class=3Dapple-tab-span>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=
=A0=C2=A0=C2=A0=C2=A0=C2=A0 </span>DER(SET(attr1, attr2, =
...))<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><div><p =
class=3DMsoNormal>(c) the HSS/LMS signature is computed over the output =
of the DER encode operation as specified in =
[HASHSIG].<o:p></o:p></p></div></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Does this address all of the comments that have been =
raised to date?<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Russ<o:p></o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div><p =
class=3DMsoNormal>On Feb 18, 2019, at 1:45 PM, Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></p></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><div><p =
class=3DMsoNormal>Russ,<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal>In the message below I am getting confused about what =
hash is being used for what and where it is being =
identified.<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal>Case #1 =E2=80=93 No signed =
attributes<o:p></o:p></p></div><div><p class=3DMsoNormal>HashContent =3D =
H1(content)<o:p></o:p></p></div><div><p class=3DMsoNormal>Signature =3D =
HSS-Sign(key, HashContent)<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal>Case #2 =E2=80=93 Signed =
Attributes<o:p></o:p></p></div><div><p class=3DMsoNormal>HashContent =3D =
H1(content)<o:p></o:p></p></div><div><p class=3DMsoNormal>SignerInfo =3D =
&lt;digestAlgorithm =3D H1, =
signedAttributes=3D&lt;MessageDigest=3DHashContent&gt;&gt;<o:p></o:p></p>=
</div><div><p class=3DMsoNormal>Signature =3D HSS-Sign(key, =
H2(signedAttributes))<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal>The hash algorithm identified in the signature =
algorithm OID is H1 for case #1 and H2 for case #2.&nbsp; (Note: I want =
these hash algorithms to be identity.)<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal>In addition there is a third hash algorithm H3 which =
is the hash algorithm used for the one-time-signature.&nbsp; Note that =
there may be other hash algorithms H4=E2=80=A6.Hn as the hash algorithm =
at each layer in the HSS tree could be using a different hash =
algorithm.<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal>When you say that you want to use the same hash =
algorithm consistently through all of the processing, what hash =
algorithms are you talking about?&nbsp;<span =
class=3Dapple-converted-space>&nbsp;</span><o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal>jim<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div =
style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><div><p =
class=3DMsoNormal><b>From:</b><span =
class=3Dapple-converted-space>&nbsp;</span>Spasm &lt;<a =
href=3D"mailto:spasm-bounces@ietf.org"><span =
style=3D'color:purple'>spasm-bounces@ietf.org</span></a>&gt;<span =
class=3Dapple-converted-space>&nbsp;</span><b>On Behalf Of<span =
class=3Dapple-converted-space>&nbsp;</span></b>Russ =
Housley<br><b>Sent:</b><span =
class=3Dapple-converted-space>&nbsp;</span>Monday, February 18, 2019 =
9:39 AM<br><b>To:</b><span =
class=3Dapple-converted-space>&nbsp;</span>Scott Fluhrer &lt;<a =
href=3D"mailto:sfluhrer@cisco.com"><span =
style=3D'color:purple'>sfluhrer@cisco.com</span></a>&gt;<br><b>Cc:</b><sp=
an class=3Dapple-converted-space>&nbsp;</span>SPASM &lt;<a =
href=3D"mailto:spasm@ietf.org"><span =
style=3D'color:purple'>spasm@ietf.org</span></a>&gt;<br><b>Subject:</b><s=
pan class=3Dapple-converted-space>&nbsp;</span>Re: [lamps] Last Call: =
draft-ietf-lamps-cms-hash-sig-03<o:p></o:p></p></div></div></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><p =
class=3DMsoNormal>Scott:<o:p></o:p></p></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div><div><div><p =
class=3DMsoNormal>Sorry for being late, but I was just re-reviewing the =
draft, and I noticed something =
odd:<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>You define =
id-alg-hss-lms-hashsig-with-sha384 (and sha512); with the comment that =
this specifies the use SHA-384 to hash the =
content.</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span =
lang=3DEN-GB>&nbsp;</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>That=E2=80=99s not how LMS is =
designed to work; currently, it uses the same hash function to hash the =
message as it does for all its internal hashes.&nbsp; If you were to =
replace the initial SHA-256 hash with something larger, well, =
you=E2=80=99d need to tweak the size of the LM-OTS signature (to =
accomendate the larger value being signed), and so that wouldn=E2=80=99t =
be clean at =
all.</span><o:p></o:p></p></div></div></div></blockquote><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>Thanks for taking another look. &nbsp;I am glad that =
you did!<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>You are correct =
that&nbsp;draft-ietf-lamps-cms-hash-sig-01 did not include =
AlgorithmIdentifiers for signatures with any hash function other than =
SHA-256. &nbsp;They were added in -02 in response to =
comments.<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>There are two cases to consider when signing with =
CMS:<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><div><p =
class=3DMsoNormal>1) When signed attributes are absent: the signer =
hashes the content, and then signs the resulting message =
digest.<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>2) When signed attributes are present: the signer =
hashes the content and places the resulting message digest in the =
message-digest attribute, DER-encodes the set of signed attributes, =
hashes the encoded attributes,&nbsp;and then signs the resulting message =
digest.<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>It was observed that the hash of the content is the =
weakest link because the HSS/LMS signature calculation includes a random =
value, C. &nbsp;The thought was to allow the larger hash value to =
compensate.<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>(See&nbsp;<a =
href=3D"https://mailarchive.ietf.org/arch/msg/spasm/cXkpVmAnfFwfp6MxgUHJW=
jSMHZw"><span =
style=3D'color:purple'>https://mailarchive.ietf.org/arch/msg/spasm/cXkpVm=
AnfFwfp6MxgUHJWjSMHZw</span></a>)<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div></div><blockquote =
style=3D'margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>For that matter, iLMS =
doesn=E2=80=99t do a straight hash of the message; instead, it includes =
a prefix (the point of the prefix, which is randomized, is to avoid =
relying on the collision resistance of =
SHA-256).</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span =
lang=3DEN-GB>&nbsp;</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>Now, I suppose you could SHA-384 =
hash the message, and then turn around and do an LMS signature =
generate/verify on that hash (which would, with the currently defined =
LMS parameter sets, immediately prepend the prefix, and that SHA-256 =
hash it).&nbsp; However, if something that nonobvious is specified, you =
need to call it out explicitly (and also what do you do with =
id-alg-hss-lms-hashsig-with-sha256; would that also do an initial =
SHA-256 hash?).</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span =
lang=3DEN-GB>&nbsp;</span><o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal><span lang=3DEN-GB>My suggestion would be to combine =
all three algorithm identifiers into a single id-alg-hssms-hashsig (and =
have the parameter set indicator within the LMS public key specify which =
hash is to be =
used).</span><o:p></o:p></p></div></div></blockquote><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>I realize the hash function identifier for the HSS/LMS =
tree(s) is embedded in the signature value itself. &nbsp;The reason for =
the hash function identifier in the OID is explained =
above.<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>If others are comfortable requiring that the same hash =
function is used throughout, then we can collapse back to one algorithm =
identifier.<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>Russ<o:p></o:p></p></div></div><div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div></div></div></div></div><p =
class=3DMsoNormal><span =
style=3D'font-size:9.0pt;font-family:"Helvetica",sans-serif'>____________=
___________________________________<br>Spasm mailing list<br></span><a =
href=3D"mailto:Spasm@ietf.org"><span =
style=3D'font-size:9.0pt;font-family:"Helvetica",sans-serif;color:purple'=
>Spasm@ietf.org</span></a><span =
style=3D'font-size:9.0pt;font-family:"Helvetica",sans-serif'><br></span><=
a href=3D"https://www.ietf.org/mailman/listinfo/spasm"><span =
style=3D'font-size:9.0pt;font-family:"Helvetica",sans-serif;color:purple'=
>https://www.ietf.org/mailman/listinfo/spasm</span></a><o:p></o:p></p></d=
iv></blockquote></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div></div></div></body></html>
------=_NextPart_000_03A5_01D4CAB9.8F0B7400--


From nobody Fri Feb 22 14:46:20 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 605D71294FA; Fri, 22 Feb 2019 14:46:11 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.91.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: spasm@ietf.org
Message-ID: <155087557134.5448.17119096929558965858@ietfa.amsl.com>
Date: Fri, 22 Feb 2019 14:46:11 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/h7gFT_sN2jUg3PD-XiigQ49gfeI>
Subject: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-05.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 22:46:12 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
        Author          : Russ Housley
        Filename        : draft-ietf-lamps-cms-hash-sig-05.txt
        Pages           : 14
        Date            : 2019-02-22

Abstract:
   This document specifies the conventions for using the HSS/LMS
   hash-based signature algorithm with the Cryptographic Message Syntax
   (CMS).  In addition, the algorithm identifier and public key syntax
   are provided.  The HSS/LMS algorithm is one form of hash-based
   digital signature; it is described in [HASHSIG].


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-05
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Feb 22 14:48:52 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C240712950A for <spasm@ietfa.amsl.com>; Fri, 22 Feb 2019 14:48:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R-2U2gMLBWlR for <spasm@ietfa.amsl.com>; Fri, 22 Feb 2019 14:48:48 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44DE21294FA for <spasm@ietf.org>; Fri, 22 Feb 2019 14:48:48 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 7E364300464 for <spasm@ietf.org>; Fri, 22 Feb 2019 17:30:30 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id bwTfNeRrXz7J for <spasm@ietf.org>; Fri, 22 Feb 2019 17:30:29 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 4BD003002AD for <spasm@ietf.org>; Fri, 22 Feb 2019 17:30:29 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Fri, 22 Feb 2019 17:48:45 -0500
References: <155087557134.5448.17119096929558965858@ietfa.amsl.com>
To: spasm@ietf.org
In-Reply-To: <155087557134.5448.17119096929558965858@ietfa.amsl.com>
Message-Id: <BFDA5B64-6E0B-4305-80C4-1F5CF47C5F19@vigilsec.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/wbDGRciSYTbQpRHdL-8Xq91iicA>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-05.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 22:48:51 -0000

I believe that this version resolves the comments from Scott and Jim.

Russ


> On Feb 22, 2019, at 5:46 PM, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
>
>        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
>        Author          : Russ Housley
>        Filename        : draft-ietf-lamps-cms-hash-sig-05.txt
>        Pages           : 14
>        Date            : 2019-02-22
>
> Abstract:
>   This document specifies the conventions for using the HSS/LMS
>   hash-based signature algorithm with the Cryptographic Message Syntax
>   (CMS).  In addition, the algorithm identifier and public key syntax
>   are provided.  The HSS/LMS algorithm is one form of hash-based
>   digital signature; it is described in [HASHSIG].
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-05
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-05
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-05
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Feb 25 09:20:01 2019
Return-Path: <Daniel.VanGeest@isara.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EA5B130F53 for <spasm@ietfa.amsl.com>; Mon, 25 Feb 2019 09:20:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level: 
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hEKE7BDy8oS2 for <spasm@ietfa.amsl.com>; Mon, 25 Feb 2019 09:19:58 -0800 (PST)
Received: from esa1.isaracorp.com (esa1.isaracorp.com [207.107.152.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80DEB130F55 for <spasm@ietf.org>; Mon, 25 Feb 2019 09:19:57 -0800 (PST)
Received: from unknown (HELO V0501WEXGPR01.isaracorp.com) ([10.5.8.20]) by ip1.isaracorp.com with ESMTP; 25 Feb 2019 17:19:56 +0000
Received: from V0501WEXGPR01.isaracorp.com (10.5.8.20) by V0501WEXGPR01.isaracorp.com (10.5.8.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1466.3; Mon, 25 Feb 2019 12:19:55 -0500
Received: from V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba]) by V0501WEXGPR01.isaracorp.com ([fe80::d802:5aec:db34:beba%7]) with mapi id 15.01.1466.012; Mon, 25 Feb 2019 12:19:55 -0500
From: Daniel Van Geest <Daniel.VanGeest@isara.com>
To: Russ Housley <housley@vigilsec.com>, "spasm@ietf.org" <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-05.txt
Thread-Index: AQHUywB6GN6pb36250SN764Yu0k8rKXsv1iAgAQHTYA=
Date: Mon, 25 Feb 2019 17:19:55 +0000
Message-ID: <E85BF27C-3EE7-4FA4-8539-48E9C1C4B2CE@isara.com>
References: <155087557134.5448.17119096929558965858@ietfa.amsl.com> <BFDA5B64-6E0B-4305-80C4-1F5CF47C5F19@vigilsec.com>
In-Reply-To: <BFDA5B64-6E0B-4305-80C4-1F5CF47C5F19@vigilsec.com>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [172.31.5.52]
Content-Type: multipart/alternative; boundary="_000_E85BF27C3EE74FA4853948E9C1C4B2CEisaracom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/tRI5L4P26zILYfI8rEHZKIaWXZg>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-05.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 17:20:01 -0000



From nobody Mon Feb 25 09:55:37 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71A83129284 for <spasm@ietfa.amsl.com>; Mon, 25 Feb 2019 09:55:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nnLoW5Qu_g9w for <spasm@ietfa.amsl.com>; Mon, 25 Feb 2019 09:55:34 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E20E126D00 for <spasm@ietf.org>; Mon, 25 Feb 2019 09:55:34 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id CCF2E300AAD for <spasm@ietf.org>; Mon, 25 Feb 2019 12:37:16 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Pe_0bnBQjzQB for <spasm@ietf.org>; Mon, 25 Feb 2019 12:37:15 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id F17DF3002B4; Mon, 25 Feb 2019 12:37:14 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <AABC16BB-DA30-45D4-A995-C22A3D4EC678@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C4908DB5-7C01-4A7B-B0CE-B947AD47D8B3"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Mon, 25 Feb 2019 12:55:31 -0500
In-Reply-To: <E85BF27C-3EE7-4FA4-8539-48E9C1C4B2CE@isara.com>
Cc: "spasm@ietf.org" <spasm@ietf.org>
To: Daniel Van Geest <Daniel.VanGeest@isara.com>
References: <155087557134.5448.17119096929558965858@ietfa.amsl.com> <BFDA5B64-6E0B-4305-80C4-1F5CF47C5F19@vigilsec.com> <E85BF27C-3EE7-4FA4-8539-48E9C1C4B2CE@isara.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/7ZkpZaUY5RSFuyePrqJgoZ3PQy0>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-05.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 17:55:36 -0000

--Apple-Mail=_C4908DB5-7C01-4A7B-B0CE-B947AD47D8B3
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Daniel:

> I think you didn't mean to include this verbatim quote from Scott in
> the draft, since your edits to the previous paragraph include the same
> information.
>
>    Well, yes, there is quite a range of possible time/memory trade-offs
>    available when storing the private key; if you need to, the private
>    key can be expressed in quite a small amount of space (albeit at the
>    expense of making the signature generation operation expensive).

Indeed.  That was clearly an editing mistake.

> With the changes in the latest draft, a pre-hash is no longer signed,
> it's either the content directly or the DER-encoded signed attributes
> (which will contain a hash of the content). I agree that this is the
> cleanest (and possibly intended) way of using HSS.  However, from a
> practical perspective I have concerns. I'm not an expert in how CMS is
> used in the real world, so maybe someone can address these concerns.
> The primary use case for this draft is code signing.  Code can be very
> large.  If there are no signed attributes, the entire content is
> processed and signed by the HSS algorithm.  So, if the HSS algorithm is
> implemented in an HSM (and due to the statefulness of the algorithm it
> should really be implemented in an HSM) then the entire content to be
> signed needs to be transferred to the HSM. Do HSMs have enough memory to
> receive and store the entire content so that it can be signed? Could
> there be requirements on how quickly HSMs should process signing
> requests? Would those requirements be too negatively affected by the
> time required to transmit the entire content, and process the entire
> content within the HSM rather than just transmitting and processing a
> pre-hash?

I am aware of some HSMs that allow a stream-like interface for hash
calculation.  Something like the interface originally used by Ron Rivest
for MD2 in RFC 1319 ...

	MD2Init (context);
	MD2Update (context, input, input_length);
	MD2Final (hash_value, context);

In the case of code signing, releases do not get signed too frequently,
so an interface like this seems viable.  I am sure that improvements are
possible.

If there are signed attributes, the information passed to the HSM is
quite small, but the hash of the content does not include a salt value.

Russ




From nobody Mon Feb 25 10:06:31 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93C4C129284 for <spasm@ietfa.amsl.com>; Mon, 25 Feb 2019 10:06:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lqyxBFlpq3Ji for <spasm@ietfa.amsl.com>; Mon, 25 Feb 2019 10:06:28 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86A28126D00 for <spasm@ietf.org>; Mon, 25 Feb 2019 10:06:27 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Mon, 25 Feb 2019 10:06:19 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Daniel Van Geest' <Daniel.VanGeest@isara.com>, 'Russ Housley' <housley@vigilsec.com>, <spasm@ietf.org>
References: <155087557134.5448.17119096929558965858@ietfa.amsl.com> <BFDA5B64-6E0B-4305-80C4-1F5CF47C5F19@vigilsec.com> <E85BF27C-3EE7-4FA4-8539-48E9C1C4B2CE@isara.com>
In-Reply-To: <E85BF27C-3EE7-4FA4-8539-48E9C1C4B2CE@isara.com>
Date: Mon, 25 Feb 2019 10:06:16 -0800
Message-ID: <00ca01d4cd34$cef1bed0$6cd53c70$@augustcellars.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00CB_01D4CCF1.C0D116E0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQF9r9e4Uf0PWpAmAAgxgzaeB7VzjQGm6PvTAhNqkBimgTUywA==
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/kH62KfmrKwxoyIWZe7zdiHrJXDo>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-05.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 18:06:30 -0000


In regards to the issue of code signing:

1.	If you use a content type other than id-data, then the use of SignedAttributes is required.  I am a strong advocate of identifying contents by OIDs if they are not just a plain text string.  This means that I think that SignedAttributes is always present.
2.	Unlike the use of EdDSA, if you have identified the key and algorithm to the HSM prior to sending the content to the HSM then the content can be sent to the HSM in chunks and hashed in chunks as you go along.  EdDSA does have a requirement that the entire message be held in memory as the content is processed in two separate passes.
3.	My understanding is that in many cases what is to be signed is the manifest and the code image is going to be indirectly signed rather than being directly included in the manifest.  That means that you might already be in the situation of doing something similar to signed attributes.

Jim


From: Spasm <spasm-bounces@ietf.org> On Behalf Of Daniel Van Geest
Sent: Monday, February 25, 2019 9:20 AM
To: Russ Housley <housley@vigilsec.com>; spasm@ietf.org
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-05.txt

I think you didn't mean to include this verbatim quote from Scott in the draft, since your edits to the previous paragraph include the same information.

   Well, yes, there is quite a range of possible time/memory trade-offs
   available when storing the private key; if you need to, the private
   key can be expressed in quite a small amount of space (albeit at the
   expense of making the signature generation operation expensive).

With the changes in the latest draft, a pre-hash is no longer signed, it's either the content directly or the DER-encoded signed attributes (which will contain a hash of the content). I agree that this is the cleanest (and possibly intended) way of using HSS.  However, from a practical perspective I have concerns. I'm not an expert in how CMS is used in the real world, so maybe someone can address these concerns.  The primary use case for this draft is code signing.  Code can be very large.  If there are no signed attributes, the entire content is processed and signed by the HSS algorithm.  So, if the HSS algorithm is implemented in an HSM (and due to the statefulness of the algorithm it should really be implemented in an HSM) then the entire content to be signed needs to be transferred to the HSM. Do HSMs have enough memory to receive and store the entire content so that it can be signed? Could there be requirements on how quickly HSMs should process signing requests? Would those requirements be too negatively affected by the time required to transmit the entire content, and process the entire content within the HSM rather than just transmitting and processing a pre-hash?

Thanks,

Daniel


On 2019-02-22, 5:48 PM, "Spasm on behalf of Russ Housley" <spasm-bounces@ietf.org on behalf of housley@vigilsec.com> wrote:

I believe that this version resolves the comments from Scott and Jim.

Russ


On Feb 22, 2019, at 5:46 PM, internet-drafts@ietf.org wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
        Author          : Russ Housley
        Filename        : draft-ietf-lamps-cms-hash-sig-05.txt
        Pages           : 14
        Date            : 2019-02-22

Abstract:
   This document specifies the conventions for using the HSS/LMS
   hash-based signature algorithm with the Cryptographic Message Syntax
   (CMS).  In addition, the algorithm identifier and public key syntax
   are provided.  The HSS/LMS algorithm is one form of hash-based
   digital signature; it is described in [HASHSIG].

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-05
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-05

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm

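The stream-like Init/Update/Final interface Russ describes and Jim's points 1 and 2 about chunked hashing and signed attributes, as an added Python example that is not from either message: it hashes a constructed "code image" through a chunked SHA-256 interface standing in for the HSM, then builds the DER-encoded CMS SignedAttributes (RFC 5652 content-type and message-digest attributes) that the signer processes instead of the content. SHA-256, the 64 KiB chunk size and the patterned sample image are assumptions; the HSS signature itself is not implemented.

```python
"""Added example (not from the thread): how much data reaches the signer in
CMS with and without signed attributes, and why chunked hashing bounds the
HSM-side buffer.  SHA-256 and a minimal DER encoder are assumptions here;
the HSS/LMS signature operation itself is out of scope."""
import hashlib

# Object identifiers from RFC 5652 (CMS).
OID_ID_DATA = "1.2.840.113549.1.7.1"
OID_CONTENT_TYPE = "1.2.840.113549.1.9.3"
OID_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"


def der_tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite length (short and long form)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def der_set_of(elements: list) -> bytes:
    """DER SET OF: element encodings sorted bytewise (X.690 11.6)."""
    return der_tlv(0x31, b"".join(sorted(elements)))


def attribute(attr_type: str, value: bytes) -> bytes:
    """Attribute ::= SEQUENCE { attrType OID, attrValues SET OF AttributeValue }."""
    return der_tlv(0x30, der_oid(attr_type) + der_set_of([value]))


class StreamingDigest:
    """Init/Update/Final interface in the RFC 1319 style Russ cites, backed by
    SHA-256; stands in for an HSM that hashes one chunk at a time."""

    def __init__(self) -> None:
        self._h = hashlib.sha256()
        self.peak_chunk = 0  # largest buffer the 'HSM' had to hold at once

    def update(self, chunk: bytes) -> None:
        self.peak_chunk = max(self.peak_chunk, len(chunk))
        self._h.update(chunk)

    def final(self) -> bytes:
        return self._h.digest()


def chunked_digest(content: bytes, chunk_size: int) -> tuple:
    """Feed `content` to the streaming interface in `chunk_size` pieces.
    Returns (digest, peak bytes resident): the memory bound Jim describes."""
    hsm = StreamingDigest()
    for off in range(0, len(content), chunk_size):
        hsm.update(content[off:off + chunk_size])
    return hsm.final(), hsm.peak_chunk


def signed_attributes_der(content_digest: bytes) -> bytes:
    """Bytes actually signed when signed attributes are present (RFC 5652 5.4):
    the SignedAttributes re-tagged as EXPLICIT SET OF (0x31), carrying the
    mandatory content-type and message-digest attributes.  The message-digest
    value is an unsalted hash of the content, as Russ points out."""
    attrs = [
        attribute(OID_CONTENT_TYPE, der_oid(OID_ID_DATA)),
        attribute(OID_MESSAGE_DIGEST, der_tlv(0x04, content_digest)),
    ]
    return der_set_of(attrs)


def signer_input_sizes(content: bytes, chunk_size: int = 64 * 1024) -> dict:
    """Compare what the signer must process: the whole content (no signed
    attributes) versus the DER-encoded signed attributes (with them)."""
    digest, peak = chunked_digest(content, chunk_size)
    assert digest == hashlib.sha256(content).digest()  # chunking is lossless
    return {
        "content_bytes": len(content),
        "peak_chunk_resident": peak,
        "signed_attrs_bytes": len(signed_attributes_der(digest)),
    }


if __name__ == "__main__":
    # Constructed stand-in for a large code image: 8 MiB of patterned bytes.
    image = bytes(range(256)) * (8 * 1024 * 1024 // 256)
    print(signer_input_sizes(image))
```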



From nobody Tue Feb 26 07:40:37 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80234130EC1 for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 07:40:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oSA9Mid6_NYf for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 07:40:34 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 362E8130EA0 for <spasm@ietf.org>; Tue, 26 Feb 2019 07:40:34 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 73D2A300AAF for <spasm@ietf.org>; Tue, 26 Feb 2019 10:22:16 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id uSVnzikRADx2 for <spasm@ietf.org>; Tue, 26 Feb 2019 10:22:15 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 6282030017E for <spasm@ietf.org>; Tue, 26 Feb 2019 10:22:15 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Message-Id: <1B5E3413-3102-4A1E-A202-065EC9F8D86C@vigilsec.com>
Date: Tue, 26 Feb 2019 10:40:31 -0500
To: SPASM <spasm@ietf.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/a92NTMi-YGFQo4AEz1Zn0fo2aP0>
Subject: [lamps] DRAFT LAMPS WG Agenda for IETF 104
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 15:40:36 -0000

Please review and comment.

Russ

= = = = = = = 

LAMPS WG Agenda at IETF 104 in Prague, CZ

0)  Minute Taker, Jabber Scribe, Bluesheets

1)  Agenda Bash

2)  Documents with the IESG
    a)  draft-ietf-lamps-rfc6844bis (Jacob and Phillip)
    b)  draft-ietf-lamps-hash-of-root-key-cert-extn (Russ)
    c)  draft-ietf-lamps-pkix-shake (Panos and Quynh)
    d)  draft-ietf-lamps-cms-shakes (Quynh and Panos)

3)  Documents in WG Last Call
    a)  draft-ietf-lamps-cms-hash-sig (Russ)

4)  Active Working Group Documents
    a)  draft-ietf-lamps-cms-mix-with-psk (Russ)

5)  Other Business (if time allows)
    a)  draft-vangeest-x509-hash-sigs (Daniel)
    b)  quantum-safe certificates (Scott)
    c)  lightweight profile of CMP (Hendrik)

6)  Wrap Up


From nobody Tue Feb 26 08:38:59 2019
Return-Path: <jsha@eff.org>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 030F11200ED for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 08:38:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.003
X-Spam-Level: 
X-Spam-Status: No, score=-7.003 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=eff.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zun4NRFznFh8 for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 08:38:56 -0800 (PST)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 837C212F1A5 for <spasm@ietf.org>; Tue, 26 Feb 2019 08:38:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org; s=mail2; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:MIME-Version: Date:Message-ID:From:References:To:Subject:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=60vwclfKvbtr9wO7rGgzSSOQSkdLojAO2cTOQZgQzJs=; b=GtjLY8NFc4ybePkfLrtxrnbLYT jhhYGgnsDmsrFjs67ObSAy+S7nDe6B/PaXdBneBa2NxeiAwkmG/GqXEkrViWqAvS03xwiXLBLOGK5 TkUa8jQgpo/xQMkocWrJ1ZPGljNNMcSHaJs1WeoYLtq8NqL+VFxjmkji721toRdOVgzQ=;
Received: ; Tue, 26 Feb 2019 08:38:54 -0800
To: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
References: <1B5E3413-3102-4A1E-A202-065EC9F8D86C@vigilsec.com>
From: Jacob Hoffman-Andrews <jsha@eff.org>
Message-ID: <a6db197f-e48b-e81f-80b6-b651c56be3b3@eff.org>
Date: Tue, 26 Feb 2019 08:38:53 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <1B5E3413-3102-4A1E-A202-065EC9F8D86C@vigilsec.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/oDUsojz40qXlfxT3sTyCmdsMpvo>
Subject: Re: [lamps] DRAFT LAMPS WG Agenda for IETF 104
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 16:38:58 -0000

I think we don't need a slot for RFC 6844 bis. We're just waiting on AD 
review now.


From nobody Tue Feb 26 09:23:13 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B66CB12785F for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 09:23:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t820I1RsCC4s for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 09:23:10 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56C93124B0C for <spasm@ietf.org>; Tue, 26 Feb 2019 09:23:10 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id B761D300A9A for <spasm@ietf.org>; Tue, 26 Feb 2019 12:04:52 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id JyeBMo7h_Eq4 for <spasm@ietf.org>; Tue, 26 Feb 2019 12:04:51 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 9C0EB30017E; Tue, 26 Feb 2019 12:04:51 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <a6db197f-e48b-e81f-80b6-b651c56be3b3@eff.org>
Date: Tue, 26 Feb 2019 12:23:08 -0500
Cc: SPASM <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C6B81DDB-0A52-4E2A-985B-879B0D2367B2@vigilsec.com>
References: <1B5E3413-3102-4A1E-A202-065EC9F8D86C@vigilsec.com> <a6db197f-e48b-e81f-80b6-b651c56be3b3@eff.org>
To: Jacob Hoffman-Andrews <jsha@eff.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_gITFZvwDlfXMew4-BaUzra7S9c>
Subject: Re: [lamps] DRAFT LAMPS WG Agenda for IETF 104
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 17:23:12 -0000

Correct.  I put a slot on the agenda to handle any review comments that we receive.  If we do not get any, then that item will be very short ;-)

Russ


> On Feb 26, 2019, at 11:38 AM, Jacob Hoffman-Andrews <jsha@eff.org> wrote:
>
> I think we don't need a slot for RFC 6844 bis. We're just waiting on AD review now.


From nobody Tue Feb 26 10:41:45 2019
Return-Path: <internet-drafts@ietf.org>
X-Original-To: spasm@ietf.org
Delivered-To: spasm@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 30C6E128766; Tue, 26 Feb 2019 10:41:37 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: spasm@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.92.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: spasm@ietf.org
Message-ID: <155120649715.695.14410208917743275760@ietfa.amsl.com>
Date: Tue, 26 Feb 2019 10:41:37 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ULe4GSckavbJDGWpz81hK07Lxfs>
Subject: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 18:41:37 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.

        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
        Author          : Russ Housley
	Filename        : draft-ietf-lamps-cms-hash-sig-06.txt
	Pages           : 14
	Date            : 2019-02-26

Abstract:
   This document specifies the conventions for using the HSS/LMS
   hash-based signature algorithm with the Cryptographic Message Syntax
   (CMS).  In addition, the algorithm identifier and public key syntax
   are provided.  The HSS/LMS algorithm is one form of hash-based
   digital signature; it is described in [HASHSIG].


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06
https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Feb 26 10:44:02 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93CC91288BD for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 10:44:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLxgiN6wGgDx for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 10:43:58 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B2C3128766 for <spasm@ietf.org>; Tue, 26 Feb 2019 10:43:58 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 8DF8F300A99 for <spasm@ietf.org>; Tue, 26 Feb 2019 13:25:40 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dVymlr9GQE46 for <spasm@ietf.org>; Tue, 26 Feb 2019 13:25:39 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 5621E300473 for <spasm@ietf.org>; Tue, 26 Feb 2019 13:25:39 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 26 Feb 2019 13:43:55 -0500
References: <155120649715.695.14410208917743275760@ietfa.amsl.com>
To: SPASM <spasm@ietf.org>
In-Reply-To: <155120649715.695.14410208917743275760@ietfa.amsl.com>
Message-Id: <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/9llWjaJy6t-PU1MOR9-fXhtjG9I>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 18:44:01 -0000

This removes the extraneous paragraph that was pointed out by Daniel.

I believe that all comments have been resolved, and the document is now ready to go to the IESG.

Russ


> On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
>
>        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
>        Author          : Russ Housley
> 	Filename        : draft-ietf-lamps-cms-hash-sig-06.txt
> 	Pages           : 14
> 	Date            : 2019-02-26
>
> Abstract:
>   This document specifies the conventions for using the HSS/LMS
>   hash-based signature algorithm with the Cryptographic Message Syntax
>   (CMS).  In addition, the algorithm identifier and public key syntax
>   are provided.  The HSS/LMS algorithm is one form of hash-based
>   digital signature; it is described in [HASHSIG].
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06
> https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Feb 26 13:06:36 2019
Return-Path: <tim.hollebeek@digicert.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED812129A85 for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 13:06:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level: 
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=digicert.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cAX3C3GiQs_W for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 13:06:32 -0800 (PST)
Received: from us-smtp-delivery-213.mimecast.com (us-smtp-delivery-213.mimecast.com [216.205.24.213]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12652129741 for <spasm@ietf.org>; Tue, 26 Feb 2019 13:06:31 -0800 (PST)
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-dm3nam05lp2058.outbound.protection.outlook.com [104.47.49.58]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-257-fF7AXGMDPw2VIxpSFFwY9Q-1; Tue, 26 Feb 2019 16:06:29 -0500
X-MC-Unique: fF7AXGMDPw2VIxpSFFwY9Q-1
Received: from BN6PR14MB1106.namprd14.prod.outlook.com (10.173.161.15) by BN6PR14MB1617.namprd14.prod.outlook.com (10.171.175.145) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1643.18; Tue, 26 Feb 2019 21:06:26 +0000
Received: from BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941]) by BN6PR14MB1106.namprd14.prod.outlook.com ([fe80::e49b:fa9c:9718:9941%4]) with mapi id 15.20.1643.019; Tue, 26 Feb 2019 21:06:26 +0000
From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
Thread-Topic: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
Thread-Index: AQHUzgMGiWtSA22mqkO8lIK6GGEouKXyam2AgAAnykA=
Date: Tue, 26 Feb 2019 21:06:26 +0000
Message-ID: <BN6PR14MB1106A97C9F2697E35F12CB6B837B0@BN6PR14MB1106.namprd14.prod.outlook.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com>
In-Reply-To: <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tim.hollebeek@digicert.com; 
x-originating-ip: [12.251.181.46]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b84b6a58-bf60-4848-63cf-08d69c2e4584
received-spf: None (protection.outlook.com: digicert.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=2.16.840.1.101.3.4.2.1; boundary="----=_NextPart_000_0043_01D4CDED.397B9290"
MIME-Version: 1.0
X-OriginatorOrg: digicert.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b84b6a58-bf60-4848-63cf-08d69c2e4584
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Feb 2019 21:06:26.6805 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf813fa1-bde5-4e75-9479-f6aaa8b1f284
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR14MB1617
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/TaCI1TC-tv1eecZk0HxVOWBYv1g>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 21:06:35 -0000

------=_NextPart_000_0043_01D4CDED.397B9290
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

I agree.

-Tim

> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Tuesday, February 26, 2019 1:44 PM
> To: SPASM <spasm@ietf.org>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
> 
> This removes the extraneous paragraph that was pointed out by Daniel.
> 
> I believe that all comments have been resolved, and the document is now
> ready to go to the IESG.
> 
> Russ
> 
> 
> > On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org wrote:
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > This draft is a work item of the Limited Additional Mechanisms for PKIX and SMIME WG of the IETF.
> >
> >        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the Cryptographic Message Syntax (CMS)
> >        Author          : Russ Housley
> > 	Filename        : draft-ietf-lamps-cms-hash-sig-06.txt
> > 	Pages           : 14
> > 	Date            : 2019-02-26
> >
> > Abstract:
> >   This document specifies the conventions for using the HSS/LMS
> >   hash-based signature algorithm with the Cryptographic Message Syntax
> >   (CMS).  In addition, the algorithm identifier and public key syntax
> >   are provided.  The HSS/LMS algorithm is one form of hash-based
> >   digital signature; it is described in [HASHSIG].
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06
> > https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm

------=_NextPart_000_0043_01D4CDED.397B9290--


From nobody Tue Feb 26 13:14:01 2019
Return-Path: <pkampana@cisco.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79ABD130E7A for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 13:14:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level: 
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id el_QjAe_DnsW for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 13:13:58 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A18CB129A87 for <spasm@ietf.org>; Tue, 26 Feb 2019 13:13:58 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.58,416,1544486400"; d="scan'208";a="241438242"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Feb 2019 21:13:37 +0000
Received: from XCH-ALN-007.cisco.com (xch-aln-007.cisco.com [173.36.7.17]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id x1QLDbf6024661 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 26 Feb 2019 21:13:37 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-ALN-007.cisco.com (173.36.7.17) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 26 Feb 2019 15:13:36 -0600
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1395.000; Tue, 26 Feb 2019 15:13:36 -0600
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Russ Housley <housley@vigilsec.com>
CC: SPASM <spasm@ietf.org>
Thread-Topic: [lamps] DRAFT LAMPS WG Agenda for IETF 104
Thread-Index: AQHUzemkqOy5TkirDUqM8MjeAlBN+qXyrEaA///hmjA=
Date: Tue, 26 Feb 2019 21:13:36 +0000
Message-ID: <e7de0f65d34f42d589f3ec61cb78b2db@XCH-ALN-010.cisco.com>
References: <1B5E3413-3102-4A1E-A202-065EC9F8D86C@vigilsec.com> <a6db197f-e48b-e81f-80b6-b651c56be3b3@eff.org>
In-Reply-To: <a6db197f-e48b-e81f-80b6-b651c56be3b3@eff.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.241.79]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.17, xch-aln-007.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_gvKIL2Uq4RtF9DOvijhxAP0Tl8>
Subject: Re: [lamps] DRAFT LAMPS WG Agenda for IETF 104
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 21:14:01 -0000

Hi Russ,
I take it the same goes for draft-ietf-lamps-pkix-shake and draft-ietf-lamps-cms-shakes?
Panos

-----Original Message-----
From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jacob Hoffman-Andrews
Sent: Tuesday, February 26, 2019 11:39 AM
To: Russ Housley <housley@vigilsec.com>; SPASM <spasm@ietf.org>
Subject: Re: [lamps] DRAFT LAMPS WG Agenda for IETF 104

I think we don't need a slot for RFC 6844 bis. We're just waiting on AD review now.

_______________________________________________
Spasm mailing list
Spasm@ietf.org
https://www.ietf.org/mailman/listinfo/spasm


From nobody Tue Feb 26 13:19:41 2019
Return-Path: <housley@vigilsec.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8030312941A for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 13:19:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qd18msFqCJ8o for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 13:19:38 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0263129A85 for <spasm@ietf.org>; Tue, 26 Feb 2019 13:19:38 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id C580C300435 for <spasm@ietf.org>; Tue, 26 Feb 2019 16:01:20 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 0zDFBRgZ0IFB for <spasm@ietf.org>; Tue, 26 Feb 2019 16:01:19 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 7BE3530017E; Tue, 26 Feb 2019 16:01:19 -0500 (EST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <e7de0f65d34f42d589f3ec61cb78b2db@XCH-ALN-010.cisco.com>
Date: Tue, 26 Feb 2019 16:19:35 -0500
Cc: SPASM <spasm@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BD7200A7-23AE-4D4F-901C-1D3B72B7F6CB@vigilsec.com>
References: <1B5E3413-3102-4A1E-A202-065EC9F8D86C@vigilsec.com> <a6db197f-e48b-e81f-80b6-b651c56be3b3@eff.org> <e7de0f65d34f42d589f3ec61cb78b2db@XCH-ALN-010.cisco.com>
To: Panos Kampanakis <pkampana@cisco.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/58nxz-ojUb_SgbVcX9vnG-dFOWY>
Subject: Re: [lamps] DRAFT LAMPS WG Agenda for IETF 104
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2019 21:19:41 -0000

Yes, indeed.


> On Feb 26, 2019, at 4:13 PM, Panos Kampanakis (pkampana) <pkampana@cisco.com> wrote:
>
> Hi Russ,
> I take it the same goes for draft-ietf-lamps-pkix-shake and draft-ietf-lamps-cms-shakes?
> Panos
>
> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Jacob Hoffman-Andrews
> Sent: Tuesday, February 26, 2019 11:39 AM
> To: Russ Housley <housley@vigilsec.com>; SPASM <spasm@ietf.org>
> Subject: Re: [lamps] DRAFT LAMPS WG Agenda for IETF 104
>
> I think we don't need a slot for RFC 6844 bis. We're just waiting on AD review now.
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm
>
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


From nobody Tue Feb 26 17:25:31 2019
Return-Path: <ietf@augustcellars.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 240D812E04D for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 17:25:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0YwY53Bsc9zu for <spasm@ietfa.amsl.com>; Tue, 26 Feb 2019 17:25:27 -0800 (PST)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6AF9130F28 for <spasm@ietf.org>; Tue, 26 Feb 2019 17:25:26 -0800 (PST)
Received: from Jude (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 26 Feb 2019 17:25:20 -0800
From: Jim Schaad <ietf@augustcellars.com>
To: 'Russ Housley' <housley@vigilsec.com>, 'SPASM' <spasm@ietf.org>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com>
In-Reply-To: <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com>
Date: Tue, 26 Feb 2019 17:25:15 -0800
Message-ID: <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJP3EtmxFxA6hXc3uR6jg4mJmaNhgIcsAfkpOvXxYA=
Content-Language: en-us
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/C0pshNZ0XfU5yF_NkkHvhOlrH-A>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Feb 2019 01:25:30 -0000

I have a small change to request.  I am happy if you deal with it at a later
date as long as it does not get lost.


In the ASN.1 module, the SIGNATURE-ALGORITHM definition should have an empty
or absent HASHES field.  There are no hash functions which are to be applied
prior to giving the input to the signing function.  This would match what I
did for EdDSA.

Jim


> -----Original Message-----
> From: Spasm <spasm-bounces@ietf.org> On Behalf Of Russ Housley
> Sent: Tuesday, February 26, 2019 10:44 AM
> To: SPASM <spasm@ietf.org>
> Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt
> 
> This removes the extraneous paragraph that was pointed out by Daniel.
> 
> I believe that all comments have been resolved, and the document is now
> ready to go to the IESG.
> 
> Russ
> 
> 
> > On Feb 26, 2019, at 1:41 PM, internet-drafts@ietf.org wrote:
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Limited Additional Mechanisms for PKIX and
> > SMIME WG of the IETF.
> >
> >        Title           : Use of the HSS/LMS Hash-based Signature Algorithm in the
> >                          Cryptographic Message Syntax (CMS)
> >        Author          : Russ Housley
> > 	Filename        : draft-ietf-lamps-cms-hash-sig-06.txt
> > 	Pages           : 14
> > 	Date            : 2019-02-26
> >
> > Abstract:
> >   This document specifies the conventions for using the HSS/LMS
> >   hash-based signature algorithm with the Cryptographic Message Syntax
> >   (CMS).  In addition, the algorithm identifier and public key syntax
> >   are provided.  The HSS/LMS algorithm is one form of hash-based
> >   digital signature; it is described in [HASHSIG].
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-hash-sig/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-lamps-cms-hash-sig-06
> > https://datatracker.ietf.org/doc/html/draft-ietf-lamps-cms-hash-sig-06
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-lamps-cms-hash-sig-06
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> Spasm mailing list
> Spasm@ietf.org
> https://www.ietf.org/mailman/listinfo/spasm


From nobody Tue Feb 26 23:25:19 2019
From: "Brockhaus, Hendrik" <hendrik.brockhaus@siemens.com>
To: Russ Housley <housley@vigilsec.com>
CC: SPASM <spasm@ietf.org>
Date: Wed, 27 Feb 2019 07:25:09 +0000
Message-ID: <E09739F5AF05A44FAE7BECC7E772E8F20DDDDE1D@DENBGAT9EJ0MSX.ww902.siemens.net>
References: <1B5E3413-3102-4A1E-A202-065EC9F8D86C@vigilsec.com>
In-Reply-To: <1B5E3413-3102-4A1E-A202-065EC9F8D86C@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/lrkizry8_oNF4GyiOTfco5eIrak>
Subject: Re: [lamps] DRAFT LAMPS WG Agenda for IETF 104

Thanks for putting me on the agenda. I will provide the I-D probably next week.

Hendrik

> -----Original Message-----
> From: Russ Housley <housley@vigilsec.com>
> Sent: Tuesday, 26 February 2019 16:41
> To: SPASM <spasm@ietf.org>
> Subject: [lamps] DRAFT LAMPS WG Agenda for IETF 104
> 
> Please review and comment.
> 
> Russ
> 
> = = = = = = =
> 
> LAMPS WG Agenda at IETF 104 in Prague, CZ
> 
> 0)  Minute Taker, Jabber Scribe, Bluesheets
> 
> 1)  Agenda Bash
> 
> 2)  Documents with the IESG
>     a)  draft-ietf-lamps-rfc6844bis (Jacob and Phillip)
>     b)  draft-ietf-lamps-hash-of-root-key-cert-extn (Russ)
>     c)  draft-ietf-lamps-pkix-shake (Panos and Quynh)
>     d)  draft-ietf-lamps-cms-shakes (Quynh and Panos)
> 
> 3)  Documents in WG Last Call
>     a)  draft-ietf-lamps-cms-hash-sig (Russ)
> 
> 4)  Active Working Group Documents
>     a)  draft-ietf-lamps-cms-mix-with-psk (Russ)
> 
> 5)  Other Business (if time allows)
>     a)  draft-vangeest-x509-hash-sigs (Daniel)
>     b)  quantum-safe certificates (Scott)
>     c)  lightweight profile of CMP (Hendrik)
> 
> 6)  Wrap Up
> 


From nobody Wed Feb 27 09:26:37 2019
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com>
Date: Wed, 27 Feb 2019 12:26:23 -0500
Cc: SPASM <spasm@ietf.org>
Message-Id: <782D8ACC-6B57-4067-BC14-9D11A7B02269@vigilsec.com>
References: <155120649715.695.14410208917743275760@ietfa.amsl.com> <9B90A5E8-00BC-43FE-ACC1-E7DBB184ED8C@vigilsec.com> <01fa01d4ce3b$4c716840$e55438c0$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/Wj73X7locnfIgyGI4rMPfEbBlYE>
Subject: Re: [lamps] I-D Action: draft-ietf-lamps-cms-hash-sig-06.txt

Jim:

You are correct.  I missed this when I made the last update.  I will
make the change now in my edit buffer.  I'll post it along with any
other changes that result from IETF Last Call.

Russ




From nobody Thu Feb 28 14:10:32 2019
From: Russ Housley <housley@vigilsec.com>
Message-Id: <8A2F741C-3E8A-4D7A-B70C-F570932DD96C@vigilsec.com>
Date: Thu, 28 Feb 2019 17:10:26 -0500
To: SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/_UnxnxjAz_b9Yx9tE25-bS3es2o>
Subject: [lamps] draft-ietf-lamps-cms-shakes-07

I was just looking at this document, and an inconsistency jumped out at me.

Section 4.1 says that id-shake128-len and id-shake256-len have no parameters.

However, as used in RFC 8419, it has a parameter:

      hashAlg-SHAKE256-LEN  ALGORITHM  ::=  { OID id-shake256-len
                              PARMS ShakeOutputLen }

      id-shake256-len  OBJECT IDENTIFIER  ::=  { hashAlgs 18 }

      ShakeOutputLen  ::=  INTEGER  -- Output length in bits

On the other hand, id-shake256 has no parameters:

      hashAlg-SHAKE256  ALGORITHM  ::=  { OID id-shake256 }

      id-shake256  OBJECT IDENTIFIER  ::=  { hashAlgs 12 }

I think this needs to get sorted out before draft-ietf-lamps-cms-shakes
goes to IETF Last Call.

Russ


From nobody Thu Feb 28 14:38:00 2019
References: <8A2F741C-3E8A-4D7A-B70C-F570932DD96C@vigilsec.com>
In-Reply-To: <8A2F741C-3E8A-4D7A-B70C-F570932DD96C@vigilsec.com>
Reply-To: noloader@gmail.com
From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 28 Feb 2019 17:37:36 -0500
Message-ID: <CAH8yC8np1U23YT1Kb6VWz0M3k6nT4K6EARUuZbaktbnv+RzEeA@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: SPASM <spasm@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/gTK8nOi-7jsDbHO00nw5eq0wqAo>
Subject: Re: [lamps] draft-ietf-lamps-cms-shakes-07


From the algorithmic point of view, SHAKE digests can be truncated in
the traditional way. The truncated digest does not affect the output
of the hash. That is, a smaller digest size produces a prefix of a
longer one.

cSHAKE is different. The digest size affects the calculation of the
digest. Different digest sizes will produce different hashes, and the
prefix behavior does not hold.

The one area of confusion I have observed is, what is the default
output size of SHAKE-128 or SHAKE-256. For example, for SHAKE-128,
some libraries use 16, and some use 32 as the default digest size.

The SHAKE digest size is probably not needed as long as the digest
size is unambiguously stated for interop purposes.

Jeff


From nobody Thu Feb 28 20:20:25 2019
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: Russ Housley <housley@vigilsec.com>, SPASM <spasm@ietf.org>
Date: Fri, 1 Mar 2019 04:19:50 +0000
Message-ID: <ef3ed3a81bff44aa9955d2b7e5774e9f@XCH-ALN-010.cisco.com>
References: <8A2F741C-3E8A-4D7A-B70C-F570932DD96C@vigilsec.com>
In-Reply-To: <8A2F741C-3E8A-4D7A-B70C-F570932DD96C@vigilsec.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/ni1nt1Bk5UzwKxfnGg4XTJEIrJE>
Subject: Re: [lamps] draft-ietf-lamps-cms-shakes-07

Hi Russ,

Good catch. Coincidentally we just caught this yesterday. id-shake128-len and
id-shake256-len were replaced with id-shake128 with 32 bytes output length
and id-shake256 with 64 bytes output length. We didn't need the -len OIDs
that include parameters any more. It was left in there from previous versions.

We also fixed a discrepancy between section 3 and 4.4 about the KMAC OIDs
that have parameters as optional.

These two changes are reflected here https://github.com/csosto-pk/adding-shake-to-pkix/commit/d34de0a3903429101bb8e93f4456551c4fb8fc96

We will push the next iteration by the end of next week.

Panos


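Added example, not code from the thread or from either draft: a minimal DER encoder/decoder for the two AlgorithmIdentifier forms Russ contrasts (id-shake256-len carrying a ShakeOutputLen parameter versus id-shake256 carrying none), a consistency check that rejects the mismatched combinations, and a digest helper that derives the SHAKE-256 output length from the encoding and so also shows the prefix behaviour Jeff describes. Assumed here rather than taken from the mail: the hashAlgs arc prefix 2.16.840.1.101.3.4.2 (the NIST hash-algorithm arc) and the fixed 64-byte output for id-shake256 that Panos mentions.

```python
import hashlib

# The mail shows only "{ hashAlgs 12 }" and "{ hashAlgs 18 }"; the hashAlgs
# prefix (2.16.840.1.101.3.4.2, the NIST hash arc) is supplied here.
HASH_ALGS = (2, 16, 840, 1, 101, 3, 4, 2)
ID_SHAKE256 = HASH_ALGS + (12,)      # no parameters
ID_SHAKE256_LEN = HASH_ALGS + (18,)  # PARMS ShakeOutputLen, in bits
FIXED_SHAKE256_BYTES = 64            # fixed length for id-shake256 (Panos's fix)

def _tlv(tag, body):
    # DER TLV with a short-form length; enough for an AlgorithmIdentifier
    if len(body) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(body)]) + body

def _base128(n):
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))

def der_oid(arcs):
    body = _base128(40 * arcs[0] + arcs[1])
    for arc in arcs[2:]:
        body += _base128(arc)
    return _tlv(0x06, body)

def encode_alg_id(oid, output_len_bits=None):
    # AlgorithmIdentifier ::= SEQUENCE { OID, ShakeOutputLen INTEGER OPTIONAL }
    body = der_oid(oid)
    if output_len_bits is not None:
        n = output_len_bits
        body += _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))
    return _tlv(0x30, body)

def _read_tlv(buf, pos, tag):
    if pos + 2 > len(buf) or buf[pos] != tag or buf[pos + 1] >= 128:
        raise ValueError("bad TLV at offset %d" % pos)
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated TLV")
    return buf[pos + 2:end], end

def decode_alg_id(der):
    # returns (oid_tuple, output_len_bits or None); rejects trailing bytes
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after AlgorithmIdentifier")
    oid_body, pos = _read_tlv(seq, 0, 0x06)
    if not oid_body or oid_body[-1] & 0x80:
        raise ValueError("malformed OID")
    subids, acc = [], 0
    for b in oid_body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    params = None
    if pos < len(seq):
        int_body, pos = _read_tlv(seq, pos, 0x02)
        if pos != len(seq):
            raise ValueError("unexpected data after parameters")
        params = int.from_bytes(int_body, "big")
    return tuple(arcs + subids[1:]), params

def shake256_output_bytes(alg_der):
    # length to use; ValueError when OID and parameters disagree (Russ's point)
    oid, params = decode_alg_id(alg_der)
    if oid == ID_SHAKE256_LEN:
        if params is None or params <= 0 or params % 8:
            raise ValueError("id-shake256-len needs ShakeOutputLen, a multiple of 8")
        return params // 8
    if oid == ID_SHAKE256:
        if params is not None:
            raise ValueError("id-shake256 takes no parameters")
        return FIXED_SHAKE256_BYTES
    raise ValueError("unsupported hash OID")

def is_consistent(alg_der):
    try:
        return shake256_output_bytes(alg_der) > 0
    except ValueError:
        return False

def shake256_digest(alg_der, message):
    # Jeff's point shows here: the 256-bit digest is a prefix of the 512-bit one
    return hashlib.shake_256(message).digest(shake256_output_bytes(alg_der))
```

The 64-byte fixed-length digest and the 32-byte parameterised one agree on their first 32 bytes, which is why the -len OID can be dropped once the length is fixed by convention.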
