
From nobody Tue May  2 07:15:05 2017
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E16C12704A for <ace@ietfa.amsl.com>; Tue,  2 May 2017 07:15:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.701
X-Spam-Level: 
X-Spam-Status: No, score=0.701 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alibaba-inc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ow7i6Kb5vIAD for <ace@ietfa.amsl.com>; Tue,  2 May 2017 07:15:00 -0700 (PDT)
Received: from out0-230.mail.aliyun.com (out0-230.mail.aliyun.com [140.205.0.230]) by ietfa.amsl.com (Postfix) with ESMTP id C6541129C4D for <ace@ietf.org>; Tue,  2 May 2017 07:11:18 -0700 (PDT)
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R941e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03302; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=3; SR=0; TI=SMTPD_---.80R.tV._1493734256; 
Received: from 30.39.46.184(mailfrom:kepeng.lkp@alibaba-inc.com ip:42.120.73.208) by smtp.aliyun-inc.com(127.0.0.1); Tue, 02 May 2017 22:11:04 +0800
User-Agent: Microsoft-MacOutlook/14.6.8.160830
Date: Tue, 02 May 2017 22:10:55 +0800
From: "Kepeng Li" <kepeng.lkp@alibaba-inc.com>
To: "Kepeng Li" <kepeng.lkp@alibaba-inc.com>, "ace@ietf.org" <ace@ietf.org>
CC: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Message-ID: <D52EB406.55056%kepeng.lkp@alibaba-inc.com>
Thread-Topic: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token
Mime-version: 1.0
Content-type: text/plain; charset="GB2312"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/E3jLq1swMmXxAeBOfvKeJvKiOLQ>
Subject: Re: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2017 14:15:03 -0000

Hello all,

This is a kind reminder to review the draft and provide your feedback today.

Thanks,

Kind Regards
Kepeng

On 21/04/2017, 9:52 AM, "Ace on behalf of Kepeng Li" <ace-bounces@ietf.org
on behalf of kepeng.lkp@alibaba-inc.com> wrote:

>In Chicago, it was decided that we were going to WGLC the ACE CBOR Web
>Token draft.
>
>So this starts a working group last call for draft-ietf-ace-cbor-web-token
>for submission as a Standards Track RFC, ending on 24:00 PDT on Tuesday,
>May 2, 2017.
>
>The specification is available at:
>https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04
>
>An HTML-formatted version is also available at:
>http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.html
>
>Thanks,
>
>
>Kind Regards
>Kepeng & Hannes



From nobody Tue May  2 08:28:24 2017
Return-Path: <cabo@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBF4E130F27 for <ace@ietfa.amsl.com>; Tue,  2 May 2017 08:28:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lbOcJkbmVg9d for <ace@ietfa.amsl.com>; Tue,  2 May 2017 08:28:22 -0700 (PDT)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E81C129BF9 for <ace@ietf.org>; Tue,  2 May 2017 08:25:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [134.102.201.11]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id v42FPQsj025901; Tue, 2 May 2017 17:25:26 +0200 (CEST)
Received: from [192.168.217.113] (p5DC7F3A7.dip0.t-ipconnect.de [93.199.243.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3wHQ8k4w64zDHdh; Tue,  2 May 2017 17:25:26 +0200 (CEST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <D51F862B.53D95%kepeng.lkp@alibaba-inc.com>
Date: Tue, 2 May 2017 17:25:26 +0200
Cc: "ace@ietf.org" <ace@ietf.org>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
X-Mao-Original-Outgoing-Id: 515431526.095434-df94b263ef4daa118bd4a9a33851ddc8
Content-Transfer-Encoding: quoted-printable
Message-Id: <6BE4C480-C525-45E9-9718-3AD513F7EFC2@tzi.org>
References: <D51F862B.53D95%kepeng.lkp@alibaba-inc.com>
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/doy_O-a6MBv-f2nanVp4FDCRffY>
Subject: Re: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token
X-List-Received-Date: Tue, 02 May 2017 15:28:24 -0000

Review of draft-ietf-ace-cbor-web-token-04.txt
Reviewer: Carsten Bormann
Review result: A few technical issues; could use an editorial round

This specification sets out to translate JWT (RFC 7519) from JSON to
the CBOR world.  As such, it is relatively straightforward, and there
are only a few technical decisions that need to be made.  Clearly,
this should go ahead quickly, as it is sorely needed.


# Major technical

T1: Most fundamentally, the spec inherits a fundamental problem from JWT:
Some entries in the CWT ("claims") are actual independent claims that
can indeed be ignored if not understood, and other entries shape the
meaning of the actual claims in the CWT.  E.g., an nbf entry isn't
really a "claim" at all, it is an implicit parameter to the real
claims in the CWT.  This is, of course, a property that CWT shares
with JWT, but we could use the opportunity of defining CWT to be a bit
more specific.  E.g., we could use negative labels for entries that
shape others and unsigned ones for entries that can be ignored.
(BTW, all labels defined here would be the former category.)

T2: The spec doesn't clearly say that entry labels MUST be unsigned
numbers.  It could simply say that, but this creates an X-Dash
problem: Since people who want to experiment with CWT need to invent
numbers, they will, and there will be squatting galore.  CBOR actually
provides a nice way to solve this problem: Allow text strings as claim
labels for experimentation, replacing the need for a provisional
registration for each experiment.  No "production" CWT should have a
text label, of course; this is extremely easy to check.

T3: Section 7.2 repeats the giant mistake that JWT and the whole of
JOSE are being accused of: It tells you whether the CWT is a valid
CWT, but doesn't tell you whether it actually fulfills the security
objectives that you had.  Maybe add this explicitly to the steps.


# Other technical

T4: There was a recent move away from using CBOR Tag 1 for timestamps.
That move is fine, but why "NOT RECOMMENDED" now instead of completely
ruling it out?  Less options, more interoperability.

T5: The range 1 to 65536 is a seriously weird range.  If we do allow
one value that requires a four-byte representation then why not go for
1..4294967295?

T6: The IANA considerations may want to have different rules for
"good" label values (< 24, < 256 in that order) than for hoi polloi
ones.


# Major editorial

E1: On the editorial side, the abstract starts out by claiming [sic]
that CWT "is a profile" of JWT.  There is a definition of "profile" in
play that is a bit different from what some people might expect: a CWT
is not a JWT.

E2: The text is weirdly obsessed about CBOR serialization details.  It
is really making statements about the data model level, but dives into
serialization immediately instead.  This reads like a JSON spec would
read that would repeatedly talk about "double-quote-delimited strings,
with backslash escaping" each time a string is needed.  That's not
the way JSON is used, and we shouldn't start doing this for CBOR
either.  Just about every case that talks about "major type" really
should talk about the data that is desired.

E3: The definition of NumericDate does not reflect the decision that
using CBOR Tag 1 here is NOT RECOMMENDED.

E4: For those people who aren't the fourth co-author, maybe it would
help to provide the CDDL (not yet taking in any of the suggestions
above):

    cwt = {
        ? iss,
        ? sub,
        ? aud,
        ? cti,
        ? exp,
        ? nbf,
        ? iat,
        * otherlabel => value
    }

    iss = (1: text)
    sub = (2: text)
    aud = (3: text)
    exp = (4: number) ; interpreted as with CBOR Tag 1
    nbf = (5: number) ; interpreted as with CBOR Tag 1
    iat = (6: number) ; interpreted as with CBOR Tag 1
    cti = (7: bytes)

    otherlabel = uint .ge 8
    value = any

(We could play a bit with CDDL regexp support to distinguish URIs from
the other strings, but I skipped this.)


# Nits

s/to indicate type/to indicate the type/
s/contributions the specification/contributions to the specification/


Unfortunately, I haven't systematically checked the examples yet.

Grüße, Carsten
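
An added example, not part of Carsten Bormann's message or of the draft: a Python check of a CWT claims set against the CDDL given under E4, which also flags text-string labels in production tokens as T2 suggests. The decoder is a minimal definite-length CBOR reader written for this example; the function names, finding codes and sample byte strings are constructed here.

```python
import struct

class Tagged(tuple):
    """A CBOR tagged item, kept as (tag_number, content)."""

class CborMap(list):
    """A CBOR map kept as a list of (key, value) pairs so duplicates stay visible."""

def decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7 and info in (25, 26, 27):          # half / single / double float
        size = 1 << (info - 24)
        return struct.unpack(">" + "efd"[info - 25], buf[pos:pos + size])[0], pos + size
    if info < 24:
        arg = info
    elif info < 28:                                   # 1, 2, 4 or 8 byte argument
        size = 1 << (info - 24)
        if pos + size > len(buf):
            raise ValueError("truncated argument")
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite length or reserved encoding not supported")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        raw = bytes(buf[pos:pos + arg])
        if len(raw) != arg:
            raise ValueError("truncated string")
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        pairs = CborMap()
        for _ in range(arg):
            key, pos = decode(buf, pos)
            value, pos = decode(buf, pos)
            pairs.append((key, value))
        return pairs, pos
    if major == 6:
        content, pos = decode(buf, pos)
        return Tagged((arg, content)), pos
    return {20: False, 21: True}.get(arg), pos       # null/undefined/other simple -> None

# Labels and value types exactly as in the CDDL under E4 (number = int or float).
KNOWN = {1: ("iss", str), 2: ("sub", str), 3: ("aud", str),
         4: ("exp", (int, float)), 5: ("nbf", (int, float)),
         6: ("iat", (int, float)), 7: ("cti", bytes)}

def check_cwt(data, production=True):
    """Return a list of (label, finding) pairs for an encoded CWT claims set."""
    claims, end = decode(data)
    if end != len(data):
        raise ValueError("trailing bytes after claims set")
    if not isinstance(claims, CborMap):
        raise ValueError("claims set is not a map")
    findings, seen = [], set()
    for label, value in claims:
        if type(label) is str:
            # T2: text labels are for experimentation only.
            if production:
                findings.append((label, "experimental-text-label"))
        elif type(label) is not int:
            findings.append((repr(label), "label-not-uint"))
            continue
        elif label in KNOWN:
            _, types = KNOWN[label]
            if isinstance(value, Tagged):
                # The CDDL asks for a bare number; a Tag 1 wrapper does not match.
                findings.append((label, "tagged-value"))
            elif isinstance(value, bool) or not isinstance(value, types):
                findings.append((label, "wrong-type"))
        elif label < 8:
            findings.append((label, "label-outside-cddl"))   # otherlabel = uint .ge 8
        if label in seen:
            # Defensive check added for this example; not spelled out in the CDDL.
            findings.append((label, "duplicate-label"))
        seen.add(label)
    return findings

# Constructed sample: {1: "as", 4: 1500000000, 7: h'0b71'}
SAMPLE_OK = bytes.fromhex("a301626173041a59682f0007420b71")
# Constructed sample: {1: 42, 4: 1(1500000000), "x-loc": "lab", -1: 0}
SAMPLE_BAD = bytes.fromhex("a401182a04c11a59682f0065782d6c6f63636c61622000")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_cwt(sample))
```

Passing `production=False` accepts text labels, which models the experimentation case from T2.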


From nobody Wed May  3 07:16:32 2017
Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF971129494 for <ace@ietfa.amsl.com>; Wed,  3 May 2017 07:16:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.401
X-Spam-Level: 
X-Spam-Status: No, score=-5.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1DK7e7UxVCGh for <ace@ietfa.amsl.com>; Wed,  3 May 2017 07:16:28 -0700 (PDT)
Received: from se-out2.mx-wecloud.net (se-out2.mx-wecloud.net [89.221.255.177]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A52A1298BA for <ace@ietf.org>; Wed,  3 May 2017 07:13:30 -0700 (PDT)
Received: from sp-mail-2.sp.se (unknown [194.218.146.197]) by se-out2.mx-wecloud.net (Postfix) with ESMTPS id 2F71E220BD8 for <ace@ietf.org>; Wed,  3 May 2017 14:13:26 +0000 (UTC)
Received: from [192.168.0.166] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.32; Wed, 3 May 2017 16:13:27 +0200
References: <149382052524.21410.14670291598487245479.idtracker@ietfa.amsl.com>
To: "ace@ietf.org" <ace@ietf.org>
From: Ludwig Seitz <ludwig.seitz@ri.se>
X-Forwarded-Message-Id: <149382052524.21410.14670291598487245479.idtracker@ietfa.amsl.com>
Message-ID: <7002a4be-6a81-e927-3a65-02d4197b3574@ri.se>
Date: Wed, 3 May 2017 16:13:27 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <149382052524.21410.14670291598487245479.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.116.0.226]
X-ClientProxiedBy: sp-mail-2.sp.se (10.100.0.162) To sp-mail-2.sp.se (10.100.0.162)
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.2 cv=Up4TD64B c=1 sm=1 tr=0 a=L5DDne6A+dD0FbDkt2Fblw==:117 a=L5DDne6A+dD0FbDkt2Fblw==:17 a=sZ8rJzgPlrQA:10 a=IkcTkHD0fZMA:10 a=tJ8p9aeEuA8A:10 a=48vgC7mUAAAA:8 a=0FD05c-RAAAA:8 a=pjWOOh9zCScM1_0H85IA:9 a=QEXdDO2ut3YA:10 a=w1C3t2QeGrPiZgrLijVG:22 a=l1rpMCqCXRGZwUSuRcM3:22
X-Virus-Scanned: clamav-milter 0.99.2 at MailSecurity
X-Virus-Status: Clean
X-MailSecurity-Status: 0
X-Scanned-By: WeCloud MailSecurity
X-MailSecurity-Score: 0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/oW081j9NFM1e7RLwuF9r7DSjWAM>
Subject: [Ace] Fwd: New Version Notification for draft-seitz-ace-oscoap-profile-02.txt
X-List-Received-Date: Wed, 03 May 2017 14:16:31 -0000

Hello ACE,

we have updated the OSCOAP profile of ACE to reflect the changes in the 
referred drafts (mostly OSCOAP and EDHOC).

Regards,

Ludwig


-------- Forwarded Message --------
Subject: New Version Notification for draft-seitz-ace-oscoap-profile-02.txt
Date: Wed, 3 May 2017 07:08:45 -0700
From: internet-drafts@ietf.org
To: Ludwig Seitz <ludwig.seitz@ri.se>, Martin Gunnarsson 
<martin.gunnarsson@ri.se>, Francesca Palombini 
<francesca.palombini@ericsson.com>


A new version of I-D, draft-seitz-ace-oscoap-profile-02.txt
has been successfully submitted by Ludwig Seitz and posted to the
IETF repository.

Name:		draft-seitz-ace-oscoap-profile
Revision:	02
Title:		OSCOAP profile of ACE
Document date:	2017-05-03
Group:		Individual Submission
Pages:		14
URL:		https://www.ietf.org/internet-drafts/draft-seitz-ace-oscoap-profile-02.txt
Status:		https://datatracker.ietf.org/doc/draft-seitz-ace-oscoap-profile/
Htmlized:	https://tools.ietf.org/html/draft-seitz-ace-oscoap-profile-02
Htmlized:	https://datatracker.ietf.org/doc/html/draft-seitz-ace-oscoap-profile-02
Diff:		https://www.ietf.org/rfcdiff?url2=draft-seitz-ace-oscoap-profile-02

Abstract:
    This memo specifies a profile for the ACE framework for
    Authentication and Authorization.  It utilizes Object Security of
    CoAP (OSCOAP) and Ephemeral Diffie-Hellman over COSE (EDHOC) to
    provide communication security, server authentication, and proof-of-
    possession for a key owned by the client and bound to an OAuth 2.0
    access token.

 


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


From nobody Thu May  4 09:08:48 2017
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECC7A1293D6; Thu,  4 May 2017 09:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.201
X-Spam-Level: 
X-Spam-Status: No, score=-2.201 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZLIb4V3MVMy; Thu,  4 May 2017 09:08:37 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01A8A1286CA; Thu,  4 May 2017 09:08:36 -0700 (PDT)
Received: from [192.168.91.191] ([80.92.121.214]) by mail.gmx.com (mrgmx001 [212.227.17.190]) with ESMTPSA (Nemesis) id 0LyEJp-1eBDuh3fpF-015Yn6; Thu, 04 May 2017 18:08:35 +0200
References: <3f78f14c-f050-1f1b-1564-400e23f80d70@gmx.net>
To: "Ace@ietf.org" <Ace@ietf.org>, "core@ietf.org WG" <core@ietf.org>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
X-Forwarded-Message-Id: <3f78f14c-f050-1f1b-1564-400e23f80d70@gmx.net>
Message-ID: <f357a8ab-d15d-6383-20e1-d70cdb0db22a@gmx.net>
Date: Thu, 4 May 2017 18:08:33 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <3f78f14c-f050-1f1b-1564-400e23f80d70@gmx.net>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="7rVGcREMFpwUEOtqGnhowAwAbIstGIov6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/s961U_sOboxesrLabYmAcQeYEP8>
Subject: [Ace] Fwd: 2nd OAuth Security Workshop
X-List-Received-Date: Thu, 04 May 2017 16:08:39 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--7rVGcREMFpwUEOtqGnhowAwAbIstGIov6
Content-Type: multipart/mixed; boundary="ewhmCM1u9J4OAKBlLJRgrr2w9GTKasWrD";
 protected-headers="v1"
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: "Ace@ietf.org" <Ace@ietf.org>, "core@ietf.org WG" <core@ietf.org>
Message-ID: <f357a8ab-d15d-6383-20e1-d70cdb0db22a@gmx.net>
Subject: Fwd: 2nd OAuth Security Workshop
References: <3f78f14c-f050-1f1b-1564-400e23f80d70@gmx.net>
In-Reply-To: <3f78f14c-f050-1f1b-1564-400e23f80d70@gmx.net>

--ewhmCM1u9J4OAKBlLJRgrr2w9GTKasWrD
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

Forwarding also to ACE and CORE because of the relationship with OAuth.
IoT is in scope of this workshop!

-------- Forwarded Message --------
Subject: 2nd OAuth Security Workshop
Date: Thu, 4 May 2017 18:07:43 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: saag <saag@ietf.org>

Hi all,

I would like to draw your attention to a workshop on OAuth security,
which is attached to the next IETF meeting. The dates are July 13-14,
2017 in Zurich.

Here is the necessary info:
https://zisc.ethz.ch/oauth-security-workshop-2017-cfp/

This is an attempt to bridge the gap between research and standardization.

You are welcome to join the workshop. Your input is appreciated!

Ciao
Hannes




--ewhmCM1u9J4OAKBlLJRgrr2w9GTKasWrD--

--7rVGcREMFpwUEOtqGnhowAwAbIstGIov6--


From nobody Thu May 11 00:25:06 2017
Return-Path: <kepeng.lkp@alibaba-inc.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC1F31296D2 for <ace@ietfa.amsl.com>; Thu, 11 May 2017 00:25:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.702
X-Spam-Level: 
X-Spam-Status: No, score=0.702 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alibaba-inc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bbOJni0mDtRI for <ace@ietfa.amsl.com>; Thu, 11 May 2017 00:25:02 -0700 (PDT)
Received: from out0-235.mail.aliyun.com (out0-235.mail.aliyun.com [140.205.0.235]) by ietfa.amsl.com (Postfix) with ESMTP id 0B4CE12955F for <Ace@ietf.org>; Thu, 11 May 2017 00:25:01 -0700 (PDT)
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R801e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=e02c03274; MF=kepeng.lkp@alibaba-inc.com; NM=1; PH=DS; RN=3; SR=0; TI=SMTPD_---.82udbgI_1494487489; 
Received: from 30.6.243.56(mailfrom:kepeng.lkp@alibaba-inc.com ip:42.120.74.245) by smtp.aliyun-inc.com(127.0.0.1); Thu, 11 May 2017 15:24:57 +0800
User-Agent: Microsoft-MacOutlook/14.6.8.160830
Date: Thu, 11 May 2017 15:24:48 +0800
From: "Kepeng Li" <kepeng.lkp@alibaba-inc.com>
To: <Ace@ietf.org>
CC: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>
Message-ID: <D53A317B.560F4%kepeng.lkp@alibaba-inc.com>
Thread-Topic: [Ace] Call for adoption for draft-gerdes-ace-dtls-authorize
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3577361097_2312036"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/la_wPM0q-7Te5F7zms0k3ZR3fy0>
Subject: [Ace]  Call for adoption for draft-gerdes-ace-dtls-authorize
X-List-Received-Date: Thu, 11 May 2017 07:25:05 -0000

> This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

--B_3577361097_2312036
Content-type: text/plain;
	charset="US-ASCII"
Content-transfer-encoding: 7bit

Hello all,
 
This note begins a Call For Adoption for draft-gerdes-ace-dtls-authorize [1]
to be adopted as an ACE working group item. The call ends on 26th May, 2017.
 
Keep in mind that adoption of a document does not mean the document as-is is
ready for publication. It is merely acceptance of the document as a starting
point for what will be the final product of the ACE working group. The
working group is free to make changes to the document according to the
normal consensus process.
 
Please reply on this thread with expressions of support or opposition,
preferably with comments, regarding accepting this as a work item.
 
Thanks
 
Kind Regards
Kepeng and Hannes (ACE co-chairs)
 

[1] https://datatracker.ietf.org/doc/draft-gerdes-ace-dtls-authorize/




--B_3577361097_2312036--



From nobody Thu May 11 00:35:24 2017
Return-Path: <ludwig.seitz@ri.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E35D4127735 for <ace@ietfa.amsl.com>; Thu, 11 May 2017 00:35:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S_V7xzLzO3qU for <ace@ietfa.amsl.com>; Thu, 11 May 2017 00:35:20 -0700 (PDT)
Received: from se-out1.mx-wecloud.net (se-out1.mx-wecloud.net [89.221.255.93]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 801C9124D68 for <ace@ietf.org>; Thu, 11 May 2017 00:35:20 -0700 (PDT)
Received: from sp-mail-2.sp.se (unknown [194.218.146.197]) by se-out1.mx-wecloud.net (Postfix) with ESMTPS id 289FC202249 for <ace@ietf.org>; Thu, 11 May 2017 07:35:15 +0000 (UTC)
Received: from [10.4.235.53] (10.116.0.226) by sp-mail-2.sp.se (10.100.0.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.669.32; Thu, 11 May 2017 09:35:16 +0200
To: <ace@ietf.org>
References: <D53A317B.560F4%kepeng.lkp@alibaba-inc.com>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <c2309342-e17c-1f9a-d7f7-6a9678424d7d@ri.se>
Date: Thu, 11 May 2017 09:35:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <D53A317B.560F4%kepeng.lkp@alibaba-inc.com>
Content-Type: text/plain; charset="windows-1252"; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8NpZ7FpwfCd06AeGI5WhJkBazzc>
Subject: Re: [Ace] Call for adoption for draft-gerdes-ace-dtls-authorize
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 May 2017 07:35:23 -0000

On 2017-05-11 09:24, Kepeng Li wrote:
> Hello all,
>
>
>
> This note begins a Call For Adoption for
> draft-gerdes-ace-dtls-authorize[1] to be adopted as an ACE working group
> item. The call ends on 26th May, 2017.
>
>
>
> Keep in mind that adoption of a document does not mean the document
> as-is is ready for publication. It is merely acceptance of the document
> as a starting point for what will be the final product of the ACE
> working group. The working group is free to make changes to the document
> according to the normal consensus process.
>
>
>
> Please reply on this thread with expressions of support or opposition,
> preferably with comments, regarding accepting this as a work item.
>


A quick note concerning that draft: I've implemented it together with 
draft-ietf-ace-oauth-authz. Feel free to have a look at the code here: 
https://bitbucket.org/lseitz/ace-java


Regards,

Ludwig


-- 
Ludwig Seitz, PhD
Security Lab, RISE SICS
Phone +46(0)70-349 92 51


From nobody Fri May 12 01:08:52 2017
MIME-Version: 1.0
From: Samuel Erdtman <samuel@erdtman.se>
Date: Fri, 12 May 2017 10:03:28 +0200
Message-ID: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com>
To: "<oauth@ietf.org>" <oauth@ietf.org>, ace <Ace@ietf.org>
Cc: Ludwig Seitz <ludwig.seitz@ri.se>
Content-Type: multipart/alternative; boundary="001a113d6758ff9d1b054f4f2386"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/aFktuOskOv7fmMoon7grCGt307A>
Subject: [Ace] New OAuth client credentials RPK and PSK

--001a113d6758ff9d1b054f4f2386
Content-Type: text/plain; charset="UTF-8"

Hi ACE and OAuth WGs,

Ludwig and I submitted a new draft yesterday defining how to use Raw Public
Key and Pre Shared Key with (D)TLS as OAuth client credentials,
https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.

We think this is valuable to the ACE work since the ACE framework is based
on OAuth, but client credentials as defined in the OAuth framework are not
the best match for embedded devices.

We think Raw Public Keys and Pre Shared Keys are more suitable credentials
for embedded devices for the following reasons:
* Better security by binding to the transport layer.
* If PSK DTLS is to be used, a key needs to be distributed anyway, so why
not make use of it as a credential?
* Client id and client secret accommodate manual input by humans.
This does not scale well and requires some form of input device.
* Some/many devices will have crypto-hardware that can protect key
material; to not use that possibility would be a waste.
* There are probably more reasons; these were just the ones off the top of
my head.

This is not the first recent initiative to create new client credential
types; the OAuth WG adopted a similar draft for certificate-based client
credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html).
That work is also valuable to ACE, but not all devices will be able to work
with certificates or even asymmetric crypto.

Please review and comment.

Cheers
//Samuel

--001a113d6758ff9d1b054f4f2386--


From nobody Fri May 12 01:44:43 2017
MIME-Version: 1.0
In-Reply-To: <D53A317B.560F4%kepeng.lkp@alibaba-inc.com>
References: <D53A317B.560F4%kepeng.lkp@alibaba-inc.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Fri, 12 May 2017 10:39:21 +0200
Message-ID: <CAF2hCbYS-dwS+BeOAo3tx4UqSx3ScxdepP5fi2jTT1pjo5TGFg@mail.gmail.com>
To: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Cc: ace <Ace@ietf.org>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>,  "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="001a113d67585973de054f4fa4b9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/XYhUiRk5Wzm6cYe6xf2Rj9Y9Tus>
Subject: Re: [Ace] Call for adoption for draft-gerdes-ace-dtls-authorize

--001a113d67585973de054f4fa4b9
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

+1 on adopting as a working group item.

To me it makes sense to have a DTLS profile for the ACE framework.

Cheers
//Samuel

On Thu, May 11, 2017 at 9:24 AM, Kepeng Li <kepeng.lkp@alibaba-inc.com>
wrote:

> Hello all,
>
>
>
> This note begins a Call For Adoption for
> draft-gerdes-ace-dtls-authorize [1] to be adopted as an ACE working
> group item. The call ends on 26th May, 2017.
>
>
>
> Keep in mind that adoption of a document does not mean the document
> as-is is ready for publication. It is merely acceptance of the document
> as a starting point for what will be the final product of the ACE
> working group. The working group is free to make changes to the
> document according to the normal consensus process.
>
>
>
> Please reply on this thread with expressions of support or opposition,
> preferably with comments, regarding accepting this as a work item.
>
>
>
> Thanks
>
>
>
> Kind Regards
>
> Kepeng and Hannes (ACE co-chairs)
>
>
>
> [1] https://datatracker.ietf.org/doc/draft-gerdes-ace-dtls-authorize/
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>
>

--001a113d67585973de054f4fa4b9--


From nobody Sat May 13 03:00:15 2017
Content-Type: multipart/signed; boundary=Apple-Mail-EE7126E8-91EF-4095-9A38-5C1A7E7C509E; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (1.0)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: iPhone Mail (14E304)
In-Reply-To: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com>
Date: Sat, 13 May 2017 11:58:01 +0200
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, ace <Ace@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <22C1AD59-1B76-4596-AAFB-2CF1770FA58B@lodderstedt.net>
References: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ZmIIVWE2UxCvtRrfZXjOrGwQCFg>
Subject: Re: [Ace] [OAUTH-WG] New OAuth client credentials RPK and PSK

--Apple-Mail-EE7126E8-91EF-4095-9A38-5C1A7E7C509E
Content-Type: multipart/alternative;
	boundary=Apple-Mail-768C5DE9-09D7-4D5E-AED8-A00E4F601F98
Content-Transfer-Encoding: 7bit


--Apple-Mail-768C5DE9-09D7-4D5E-AED8-A00E4F601F98
Content-Type: text/plain;
	charset=us-ascii
Content-Transfer-Encoding: quoted-printable

Hi Samuel,

as far as I understand your draft, it utilizes results of the (D)TLS client
authentication for authentication towards the token endpoint - similar to
https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html. Do you intend to
also utilize the binding of the access token to a certain key pair as
described in oauth-ietf-mtls?

best regards,
Torsten.

> On 12.05.2017 at 10:03, Samuel Erdtman <samuel@erdtman.se> wrote:
>
> Hi ACE and OAuth WGs,
>
> Ludwig and I submitted a new draft yesterday defining how to use Raw
> Public Key and Pre Shared Key with (D)TLS as OAuth client credentials,
> https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.
>
> We think this is valuable to the ACE work since the ACE framework is
> based on OAuth, but client credentials as defined in the OAuth framework
> are not the best match for embedded devices.
>
> We think Raw Public Keys and Pre Shared Keys are more suitable
> credentials for embedded devices for the following reasons:
> * Better security by binding to the transport layer.
> * If PSK DTLS is to be used, a key needs to be distributed anyway, so
> why not make use of it as a credential?
> * Client id and client secret accommodate manual input by humans. This
> does not scale well and requires some form of input device.
> * Some/many devices will have crypto-hardware that can protect key
> material; to not use that possibility would be a waste.
> * There are probably more reasons; these were just the ones off the top
> of my head.
>
> This is not the first recent initiative to create new client credential
> types; the OAuth WG adopted a similar draft for certificate-based client
> credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html).
> That work is also valuable to ACE, but not all devices will be able to
> work with certificates or even asymmetric crypto.
>
> Please review and comment.
>
> Cheers
> //Samuel
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

--Apple-Mail-768C5DE9-09D7-4D5E-AED8-A00E4F601F98--

--Apple-Mail-EE7126E8-91EF-4095-9A38-5C1A7E7C509E--


From nobody Sun May 14 02:11:49 2017
MIME-Version: 1.0
In-Reply-To: <CAF2hCbYS-dwS+BeOAo3tx4UqSx3ScxdepP5fi2jTT1pjo5TGFg@mail.gmail.com>
References: <D53A317B.560F4%kepeng.lkp@alibaba-inc.com> <CAF2hCbYS-dwS+BeOAo3tx4UqSx3ScxdepP5fi2jTT1pjo5TGFg@mail.gmail.com>
From: Renzo Navas <renzoefra@gmail.com>
Date: Sun, 14 May 2017 11:10:19 +0200
Message-ID: <CAD2CPUGzQWbC2cu_StFSRKtAFagMaTAYen_o_pqVnEwQJ0W4LA@mail.gmail.com>
To: ace <Ace@ietf.org>
Cc: Kepeng Li <kepeng.lkp@alibaba-inc.com>,  Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>,  "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>, Samuel Erdtman <samuel@erdtman.se>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/LC-Gp5C67S8TznF_jRV2TKZw4q0>
Subject: Re: [Ace] Call for adoption for draft-gerdes-ace-dtls-authorize
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 May 2017 09:11:46 -0000

+1 for adopting.

Yes, we will use (are using) DTLS in ACE(-like) environments; having
this profile will be very helpful.

good weekend



On Fri, May 12, 2017 at 10:39 AM, Samuel Erdtman <samuel@erdtman.se> wrote:
> +1 on adopting as a working group item.
>
> To me it makes sense to have a DTLS profile for the ACE framework.
>
> Cheers
> //Samuel
>
> On Thu, May 11, 2017 at 9:24 AM, Kepeng Li <kepeng.lkp@alibaba-inc.com>
> wrote:
>>
>> Hello all,
>>
>>
>>
>> This note begins a Call For Adoption for draft-gerdes-ace-dtls-authorize
>> [1] to be adopted as an ACE working group item. The call ends on 26th May,
>> 2017.
>>
>>
>>
>> Keep in mind that adoption of a document does not mean the document as-is
>> is ready for publication. It is merely acceptance of the document as a
>> starting point for what will be the final product of the ACE working group.
>> The working group is free to make changes to the document according to the
>> normal consensus process.
>>
>>
>>
>> Please reply on this thread with expressions of support or opposition,
>> preferably with comments, regarding accepting this as a work item.
>>
>>
>>
>> Thanks
>>
>>
>>
>> Kind Regards
>>
>> Kepeng and Hannes (ACE co-chairs)
>>
>>
>>
>> [1] https://datatracker.ietf.org/doc/draft-gerdes-ace-dtls-authorize/
>>
>>
>>
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace
>>


From nobody Sun May 14 03:14:26 2017
Return-Path: <samuel@erdtman.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4537127076 for <ace@ietfa.amsl.com>; Sun, 14 May 2017 03:14:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LXp3v3_sxrnJ for <ace@ietfa.amsl.com>; Sun, 14 May 2017 03:14:17 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5CDB1287A0 for <Ace@ietf.org>; Sun, 14 May 2017 03:12:23 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id w10so104410601oif.0 for <Ace@ietf.org>; Sun, 14 May 2017 03:12:23 -0700 (PDT)
X-Received: by 10.157.82.87 with SMTP id q23mr278733otg.52.1494756742923; Sun, 14 May 2017 03:12:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.255.137 with HTTP; Sun, 14 May 2017 03:12:22 -0700 (PDT)
In-Reply-To: <22C1AD59-1B76-4596-AAFB-2CF1770FA58B@lodderstedt.net>
References: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com> <22C1AD59-1B76-4596-AAFB-2CF1770FA58B@lodderstedt.net>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Sun, 14 May 2017 12:12:22 +0200
Message-ID: <CAF2hCbZqm2+FJnLkNaRO2DSHnBJCdUFwoiMCDyy6trwXmiR5ig@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, ace <Ace@ietf.org>
Content-Type: multipart/alternative; boundary="f403043c4becb01b5b054f792c79"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/U-T2vk1Hpz2unrv_6XJBsJnujmk>
Subject: Re: [Ace] [OAUTH-WG] New OAuth client credentials RPK and PSK
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 May 2017 10:14:20 -0000

--f403043c4becb01b5b054f792c79
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Torsten,

That is a possibility; I excluded it to keep the scope limited and because
I don't think it is as applicable with these credential types.

I think these credential types will mostly be used in IoT deployments using
the ACE framework; in that case the token will have its own key that will
most likely be used in the (D)TLS handshake between the client and resource
server, see e.g.
https://tools.ietf.org/html/draft-gerdes-ace-dtls-authorize-01.

However, if the token would not be a PoP token then it could make sense. Do
you foresee such use cases where it would be useful?

One thing that I did not mention in my earlier email that could be a
possible path forward would be to merge this draft into the mtls one.

//Samuel


On Sat, May 13, 2017 at 11:58 AM, Torsten Lodderstedt <
torsten@lodderstedt.net> wrote:

> Hi Samuel,
>
> as far as I understand your draft, it utilizes results of the (D)TLS
> client authentication for authentication towards the tokens endpoint -
> similar to https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html. Do
> you intend to also utilize the binding of the access token to a certain key
> pair as described in oauth-ietf-mtls?
>
> best regards,
> Torsten.
>
> On 12.05.2017 at 10:03, Samuel Erdtman <samuel@erdtman.se> wrote:
>
> Hi ACE and OAuth WGs,
>
> I and Ludwig submitted a new draft yesterday defining how to use Raw
> Public Key and Pre Shared Key with (D)TLS as OAuth client credentials,
> https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.
>
> We think this is valuable to the ACE work since the ACE framework is based
> on OAuth, but client credentials as defined in the OAuth framework are not
> the best match for embedded devices.
>
> We think Raw Public Keys and Pre Shared Keys are more suitable credentials
> for embedded devices for the following reasons:
> * Better security by binding to transport layer.
> * If PSK DTLS is to be used a key needs to be distributed anyway, why not
> make use of it as credential.
> * Client id and client secret accommodate manual input by humans.
> This does not scale well and requires some form of input device.
> * Some/many devices will have crypto-hardware that can protect key
> material, to not use that possibility would be a waste.
> * There are probably more reasons, these were just the ones on top of my
> head.
>
> This is not the first recent initiative to create new client credential
> types, the OAuth WG adopted a similar draft for certificate based client
> credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html).
> That work is also valuable to ACE but not all devices will be able to work
> with certificates or even asymmetric cryptos.
>
> Please review and comment.
>
> Cheers
> //Samuel
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

--f403043c4becb01b5b054f792c79--


From nobody Sun May 14 03:42:02 2017
Return-Path: <samuel@erdtman.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 837EE129435 for <ace@ietfa.amsl.com>; Sun, 14 May 2017 03:42:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jo1QfTmQs7co for <ace@ietfa.amsl.com>; Sun, 14 May 2017 03:41:59 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 659B3129437 for <Ace@ietf.org>; Sun, 14 May 2017 03:40:07 -0700 (PDT)
Received: by mail-oi0-x235.google.com with SMTP id w10so104659663oif.0 for <Ace@ietf.org>; Sun, 14 May 2017 03:40:07 -0700 (PDT)
X-Received: by 10.157.10.43 with SMTP id 40mr376279otg.7.1494758406745; Sun, 14 May 2017 03:40:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.255.137 with HTTP; Sun, 14 May 2017 03:40:06 -0700 (PDT)
In-Reply-To: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Sun, 14 May 2017 12:40:06 +0200
Message-ID: <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: ace <Ace@ietf.org>
Content-Type: multipart/alternative; boundary="001a11359894dc0cca054f798fe8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/uvUXLECX8qkVLIfZMhxASlViIlk>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 May 2017 10:42:02 -0000

--001a11359894dc0cca054f798fe8
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Jim,

Thanks for your review and comments, see some initial replies inline.

On Sat, Apr 22, 2017 at 8:47 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> Not ready to ship.
>
>
> * I find the text for NumericDate confusing and would suggest this is a
> cleaner wording.
>
> The "NumericDate" term has the same meaning, syntax and
> Processing rules as the "NumericDate" term defined in Section 2 of
> JWT [RFC7519], except that the CBOR numeric representation
> (Section 2.4.1 of [RFC7049]) is used.  The encoding is modified so that
> the leading tag (6.1 or 0xC1) MUST be omitted.
>
> <Note above text kills the direct need for section 5.>
>

Could make sense, I created an issue in the issue tracker to look at this.


>
> * What is a "CWT NumericDate" ?  Why is this not just a "NumericDate"?  You
> should be consistent on how you are using this and the "StringOrURI" type
> identifier.  Either use the CWT prefix or don't.
>

Makes sense to me, created an issue in the issue tracker to address this.


>
> * s/except that a CWT StringOrURI/except that for a CWT, StringOrURI/
>

 Makes sense to me, created an issue in the issue tracker to address this.


> * The algorithm for doing nesting detection is a gross abuse of the content
> type parameter and can be far more easily done based on the already present
> tagging of the COSE object.
>

Could you please explain a bit more? We are using the COSE tags but have
made them optional; if the application, for example, only uses one type, then
it would always know what to do and would not need to parse the tag, saving
a byte.


>
> * Break section 8 into multiple paragraphs that deal with different types
> of issues.
>

Might be reasonable; I have created an issue in the issue tracker so that
the comment is not lost.


>
> * In section 8, the first sentence implies to me that you believe that COSE
> is more of a problem than breaking of cryptographic algorithms, trust of
> certificates/keys.  Not sure what needs to be done, but better clarity may
> be a good idea.
>

Added this to the previously mentioned issue to address this too, since it is
in the same section.

>
> * I have not done any validation of the examples.   You might want to have
> an example which uses the real for one of the time types.
>

Sorry, but I don't get it; could you add some more context?


>
> Jim
>
>
> -----Original Message-----
> From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Kepeng Li
> Sent: Thursday, April 20, 2017 2:53 PM
> To: ace@ietf.org
> Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>
> Subject: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token
>
> In Chicago, it was decided that we were going to WGLC the ACE CBOR Web Token
> draft.
>
> So this starts a working group last call for draft-ietf-ace-cbor-web-token
> for submission as a Standards Track RFC, ending on 24:00 PDT on Tuesday, May
> 2, 2017.
>
> The specification is available at:
> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04
>
> An HTML-formatted version is also available at:
> http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.html
>
> Thanks,
>
>
> Kind Regards
> Kepeng & Hannes
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>
>

--001a11359894dc0cca054f798fe8--
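
The NumericDate wording proposed in the review above (CBOR numeric representation, leading tag 0xC1 omitted), worked through as an added example that is not part of the thread or of the draft. It also covers the "real" (floating-point) form raised in the last review comment. Function names are hypothetical and the timestamp is a constructed sample value.

```python
import math
import struct

TAG_EPOCH = 0xC1  # CBOR major type 6 (tag), tag number 1: epoch-based date/time


def _head(major, n):
    """Encode a CBOR initial byte plus argument for the given major type."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, fmt, limit in ((24, ">B", 1 << 8), (25, ">H", 1 << 16),
                             (26, ">I", 1 << 32), (27, ">Q", 1 << 64)):
        if n < limit:
            return bytes([(major << 5) | info]) + struct.pack(fmt, n)
    raise ValueError("integer out of CBOR range")


def encode_numeric_date(ts):
    """CWT form: a bare CBOR integer or float64, with no tag in front."""
    if isinstance(ts, bool) or not isinstance(ts, (int, float)):
        raise TypeError("NumericDate must be int or float")
    if isinstance(ts, int):
        return _head(0, ts) if ts >= 0 else _head(1, -1 - ts)
    if not math.isfinite(ts):
        raise ValueError("NumericDate must be finite")
    return b"\xfb" + struct.pack(">d", ts)


def encode_tagged_epoch(ts):
    """Generic CBOR date/time: the same number prefixed with tag 1 (0xC1)."""
    return bytes([TAG_EPOCH]) + encode_numeric_date(ts)


def decode_numeric_date(data):
    """Strict decoder: accepts exactly one untagged CBOR int or float."""
    if not data:
        raise ValueError("empty input")
    first = data[0]
    if first == TAG_EPOCH:
        raise ValueError("leading tag 1 (0xC1) must be omitted in a CWT")
    major, info = first >> 5, first & 0x1F
    if major in (0, 1):
        if info < 24:
            n, used = info, 1
        elif info <= 27:
            size = 1 << (info - 24)          # 1, 2, 4 or 8 argument bytes
            if len(data) < 1 + size:
                raise ValueError("truncated integer")
            n, used = int.from_bytes(data[1:1 + size], "big"), 1 + size
        else:
            raise ValueError("invalid integer encoding")
        value = n if major == 0 else -1 - n
    elif major == 7 and info in (25, 26, 27):
        fmt = {25: ">e", 26: ">f", 27: ">d"}[info]   # half, single, double
        size = struct.calcsize(fmt)
        if len(data) < 1 + size:
            raise ValueError("truncated float")
        value, used = struct.unpack(fmt, data[1:1 + size])[0], 1 + size
        if not math.isfinite(value):
            raise ValueError("NaN and infinity are not valid dates")
    else:
        # Text strings, arrays, maps and any other tag all end up here.
        raise ValueError("NumericDate must be a CBOR integer or float")
    if used != len(data):
        raise ValueError("trailing bytes after NumericDate")
    return value


def is_valid_numeric_date(data):
    """True if `data` is an acceptable CWT NumericDate encoding."""
    try:
        decode_numeric_date(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = 1443944944  # constructed sample timestamp
    print("CWT form   :", encode_numeric_date(sample).hex())
    print("tagged form:", encode_tagged_epoch(sample).hex())
    print("tagged form accepted?", is_valid_numeric_date(encode_tagged_epoch(sample)))
```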


From nobody Sun May 14 10:41:53 2017
Return-Path: <samuel@erdtman.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40B27129BA1 for <ace@ietfa.amsl.com>; Sun, 14 May 2017 10:41:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level: 
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LPLb3kPmHbUM for <ace@ietfa.amsl.com>; Sun, 14 May 2017 10:41:49 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AFE012969E for <ace@ietf.org>; Sun, 14 May 2017 10:38:24 -0700 (PDT)
Received: by mail-oi0-x22d.google.com with SMTP id l18so109131632oig.2 for <ace@ietf.org>; Sun, 14 May 2017 10:38:24 -0700 (PDT)
X-Received: by 10.202.81.12 with SMTP id f12mr1059897oib.66.1494783503573; Sun, 14 May 2017 10:38:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.255.137 with HTTP; Sun, 14 May 2017 10:38:23 -0700 (PDT)
In-Reply-To: <6BE4C480-C525-45E9-9718-3AD513F7EFC2@tzi.org>
References: <D51F862B.53D95%kepeng.lkp@alibaba-inc.com> <6BE4C480-C525-45E9-9718-3AD513F7EFC2@tzi.org>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Sun, 14 May 2017 19:38:23 +0200
Message-ID: <CAF2hCbZVGo-RNnvQNd2Djjuf1Nk-f=w03T4nZZgBDZa40eVadA@mail.gmail.com>
To: Carsten Bormann <cabo@tzi.org>
Cc: Kepeng Li <kepeng.lkp@alibaba-inc.com>,  Hannes Tschofenig <hannes.tschofenig@gmx.net>, "ace@ietf.org" <ace@ietf.org>
Content-Type: multipart/alternative; boundary="001a113d7f12bf3ce1054f7f67ef"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/IvndPnlS_KlzVPkvO4SsgcCzNaI>
Subject: Re: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 May 2017 17:41:52 -0000

--001a113d7f12bf3ce1054f7f67ef
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Carsten,

Thanks for the review and comments. I have added some initial replies
inline.

On Tue, May 2, 2017 at 5:25 PM, Carsten Bormann <cabo@tzi.org> wrote:

> Review of draft-ietf-ace-cbor-web-token-04.txt
> Reviewer: Carsten Bormann
> Review result: A few technical issues; could use an editorial round
>
> This specification sets out to translate JWT (RFC 7519) from JSON to
> the CBOR world.  As such, it is relatively straightforward, and there
> are only a few technical decisions that need to be made.  Clearly,
> this should go ahead quickly, as it is sorely needed.
>
>
> # Major technical
>
> T1: Most fundamentally, the spec inherits a fundamental problem from JWT:
> Some entries in the CWT ("claims") are actual independent claims that
> can indeed be ignored if not understood, and other entries shape the
> meaning of the actual claims in the CWT.  E.g., an nbf entry isn't
> really a "claim" at all, it is an implicit parameter to the real
> claims in the CWT.  This is, of course, a property that CWT shares
> with JWT, but we could use the opportunity of defining CWT to be a bit
> more specific.  E.g., we could use negative labels for entries that
> shape others and unsigned ones for entries that can be ignored.
> (BTW, all labels defined here would be the former category.)
>


This is an interesting idea. I have added a ticket to look into this.


>
> T2: The spec doesn't clearly say that entry labels MUST be unsigned
> numbers.  It could simply say that, but this creates an X-Dash
> problem: Since people who want to experiment with CWT need to invent
> numbers, they will, and there will be squatting galore.  CBOR actually
> provides a nice way to solve this problem: Allow text strings as claim
> labels for experimentation, replacing the need for a provisional
> registration for each experiment.  No "production" CWT should have a
> text label, of course; this is extremely easy to check.
>

This makes sense, I have created a ticket to look into this.


>
> T3: Section 7.2 repeats the giant mistake that JWT and the whole of
> JOSE are being accused of: It tells you whether the CWT is a valid
> CWT, but doesn't tell you whether it actually fulfills the security
> objectives that you had.  Maybe add this explicitly to the steps.
>

Not sure I get what you mean, do you want an additional step that verifies
the value of the claims e.g. checking validity time of the token or are you
referring to something else?


>
>
> # Other technical
>
> T4: There was a recent move away from using CBOR Tag 1 for timestamps.
> That move is fine, but why "NOT RECOMMENDED" now instead of completely
> ruling it out?  Less options, more interoperability.
>

Agree it makes more sense to remove this recommendation and place a MUST
here. I have created an issue to address this. But it also goes in line
with one of Jim's comments.



>
> T5: The range 1 to 65536 is a seriously weird range.  If we do allow
> one value that requires a four-byte representation then why not go for
> 1..4294967295?
>

Not sure why, I have created an issue to look into this.


>
> T6: The IANA considerations may want to have different rules for
> "good" label values (< 24, < 256 in that order) than for hoi polloi
> ones.
>

Could make sense, I have created an issue to look into this.


>
> # Major editorial
>
> E1: On the editorial side, the abstract starts out by claiming [sic]
> that CWT "is a profile" of JWT.  There is a definition of "profile" in
> play that is a bit different from what some people might expect: a CWT
> is not a JWT.
>
>
You have a point, do you have suggestions for a better choice of wording? I
looked at how COSE handles its relation to JOSE but there seems to be a wider
gap between COSE and JOSE than CWT and JWT.
How about saying that 'CWT is an adaptation of JWT to a more constrained
environment using CBOR'.



> E2: The text is weirdly obsessed about CBOR serialization details.  It
> is really making statements about the data model level, but dives into
> serialization immediately instead.  This reads like a JSON spec would
> read that would repeatedly talk about "double-quote-delimited strings,
> with backslash escaping" each time a string is needed.  That's not
> the way JSON is used, and we shouldn't start doing this for CBOR
> either.  Just about every case that talks about "major type" really
> should talk about the data that is desired.
>

Makes sense to me, I have created an issue to address this.


>
> E3: The definition of NumericDate does not reflect the decision that
> using CBOR Tag 1 here is NOT RECOMMENDED.
>

This goes in line with one of the comments from Jim and your T4
comment, issues have been added for both.


>
> E4: For those people who aren't the fourth co-author, maybe it would
> help to provide the CDDL (not yet taking in any of the suggestions
> above):
>
>     cwt = {
>         ? iss,
>         ? sub,
>         ? aud,
>         ? cti,
>         ? exp,
>         ? nbf,
>         ? iat,
>         * otherlabel => value
>     }
>
>     iss = (1: text)
>     sub = (2: text)
>     aud = (3: text)
>     exp = (4: number) ; interpreted as with CBOR Tag 1
>     nbf = (5: number) ; interpreted as with CBOR Tag 1
>     iat = (6: number) ; interpreted as with CBOR Tag 1
>     cti = (7: bytes)
>
>     otherlabel = uint .ge 8
>     value = any
>
> (We could play a bit with CDDL regexp support to distinguish URIs from
> the other strings, but I skipped this.)
>

Not sure how this makes things clearer, but that could be because I'm one
of the co-authors. Could we get some other opinions here before we commit to
adding this?


>
>
> # Nits
>
> s/to indicate type/to indicate the type/
> s/contributions the specification/contributions to the specification/
>

Thanks, an issue has been added to not miss this.


>
>
> Unfortunately, I haven't systematically checked the examples yet.
>
> Grüße, Carsten
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>

--001a113d7f12bf3ce1054f7f67ef--
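
A claims-set check that follows the CDDL quoted in the review above, applying the T2 (text labels only for experiments) and T4 (no CBOR tag on time values) suggestions as strict rules. This is an added example, not code from the draft or from any poster; the small decoder, `check_claims`, and the sample tokens are constructed for illustration, and only the claims map is checked, not the COSE wrapper.

```python
import struct

class Tagged:
    """CBOR tagged item (major type 6); kept so the checker can see the tag."""
    def __init__(self, tag, value):
        self.tag, self.value = tag, value

class Pairs(list):
    """CBOR map kept as (label, value) pairs so duplicate labels stay visible."""

def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated item")
    return buf[pos:pos + n], pos + n

def _item(buf, pos):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    head, pos = _take(buf, pos, 1)
    major, info = head[0] >> 5, head[0] & 0x1F
    if major == 7:                                # simple values and floats
        if info in (20, 21, 22):
            return {20: False, 21: True, 22: None}[info], pos
        if info in (25, 26, 27):
            raw, pos = _take(buf, pos, 1 << (info - 24))
            return struct.unpack({25: ">e", 26: ">f", 27: ">d"}[info], raw)[0], pos
        raise ValueError("unsupported simple value")
    if info < 24:
        arg = info
    elif info <= 27:
        raw, pos = _take(buf, pos, 1 << (info - 24))
        arg = int.from_bytes(raw, "big")
    else:
        raise ValueError("indefinite length not supported")
    if major in (0, 1):                           # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                           # byte string / text string
        raw, pos = _take(buf, pos, arg)
        return (raw if major == 2 else raw.decode("utf-8")), pos
    if major == 6:
        value, pos = _item(buf, pos)
        return Tagged(arg, value), pos
    out = [] if major == 4 else Pairs()
    for _ in range(arg):
        entry, pos = _item(buf, pos)
        if major == 5:                            # map: read the value as well
            value, pos = _item(buf, pos)
            entry = (entry, value)
        out.append(entry)
    return out, pos

# label -> (name, expected kind), transcribed from the CDDL in the review
CLAIMS = {1: ("iss", "text"), 2: ("sub", "text"), 3: ("aud", "text"),
          4: ("exp", "number"), 5: ("nbf", "number"), 6: ("iat", "number"),
          7: ("cti", "bytes")}

def _matches(kind, value):
    if kind == "number":                          # exact types: bool is an int subclass
        return type(value) in (int, float)
    return type(value) is (str if kind == "text" else bytes)

def check_claims(data, production=True):
    """Return a list of problems; an empty list means the claims set conforms."""
    try:
        top, end = _item(data, 0)
    except (ValueError, RecursionError) as exc:
        return ["not usable CBOR: %s" % exc]
    if end != len(data) or not isinstance(top, Pairs):
        return ["expected exactly one CBOR map"]
    problems, seen = [], set()
    for label, value in top:
        key = (type(label), repr(label))
        if key in seen:
            problems.append("duplicate label %r" % (label,))
        seen.add(key)
        if type(label) is str:                    # T2: experiments only
            if production:
                problems.append("text label %r in a production token" % label)
        elif type(label) is not int or label < 1:
            problems.append("label %r is not allowed by the CDDL" % (label,))
        elif label in CLAIMS:
            name, kind = CLAIMS[label]
            if isinstance(value, Tagged):         # T4: e.g. tag 1 on exp/nbf/iat
                problems.append("%s: CBOR tag %d present, expected untagged %s"
                                % (name, value.tag, kind))
            elif not _matches(kind, value):
                problems.append("%s: expected %s" % (name, kind))
        # any other unsigned label >= 8 takes any value (otherlabel => value)
    return problems

# Constructed sample tokens (claims sets only, no COSE wrapper).
GOOD = bytes.fromhex("a3016a") + b"as.example" + bytes.fromhex("041a5612aeb007420b71")
BAD = (bytes.fromhex("a4016a") + b"as.example"
       + bytes.fromhex("05c11a5610d9f0")          # nbf wrapped in tag 1
       + bytes.fromhex("67") + b"x-trial" + bytes.fromhex("01")  # text label
       + bytes.fromhex("2000"))                   # label -1

if __name__ == "__main__":
    print(check_claims(GOOD), check_claims(BAD))
```

Passing `production=False` accepts text labels, which is the experimentation case T2 describes.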


From nobody Sun May 14 13:26:49 2017
Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65A0D129485 for <ace@ietfa.amsl.com>; Sun, 14 May 2017 13:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LOCVlx5M1tRO for <ace@ietfa.amsl.com>; Sun, 14 May 2017 13:26:44 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A0C41294C9 for <Ace@ietf.org>; Sun, 14 May 2017 13:23:09 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0001_01D2CCB3.B1A860A0"
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1494793381; h=from:subject:to:date:message-id; bh=B8uJAHAEwCnSPl6Va30/BLW6B141F71EKOSL4gc6+EU=; b=PstNAkTqw3hK/GC9/Na3BZQbkhVJ3yyfVlT6PnlunPghRWFiszypNLm2vWPDUf0BVwJTUvGyI1l OaEwv3QUhGXLCmnT+gTqp2T4EtGg/LGAu6rp7JxxoPSJJYh/juWNzIAXUA3mxRHN/d8AziZhjOOdl NC9FBRytsBMC8+UyoAMvf5qahzwprqt8kkwMrFAsZk+mHy+62zEcNb/WE7dRRgkm4JIGLv1cymV/j Pk2o3lIW97W57uerS1RoikwJ3J0qgXgmg5bGOwfLqyEIS1m30elIsbTXxLENNOlXQfXuzD3O82a26 SnvCEYRaCql6X640laj5ysk4DWm3DERXfqmA==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 14 May 2017 13:23:00 -0700
Received: from Hebrews (173.8.216.38) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 14 May 2017 13:22:52 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Samuel Erdtman' <samuel@erdtman.se>
CC: 'ace' <Ace@ietf.org>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com>
In-Reply-To: <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com>
Date: Sun, 14 May 2017 13:12:06 -0700
Message-ID: <000001d2ccee$5e020880$1a061980$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQK7Sbuoqk8BxD8OvOqownlXLriW/AEOhwCloBrPTQA=
X-Originating-IP: [173.8.216.38]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/WgJx0iNUQIATWuSw3eiSIvMLSU4>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 May 2017 20:26:47 -0000

------=_NextPart_000_0001_01D2CCB3.B1A860A0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

From: Samuel Erdtman [mailto:samuel@erdtman.se]
Sent: Sunday, May 14, 2017 3:40 AM
To: Jim Schaad <ietf@augustcellars.com>
Cc: ace <Ace@ietf.org>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

Hi Jim,

Thanks for your review and comments, see some initial replies inline.

On Sat, Apr 22, 2017 at 8:47 PM, Jim Schaad <ietf@augustcellars.com> wrote:

Not ready to ship.


* I find the text for NumericDate confusing and would suggest this is a
cleaner wording.

The "NumericDate" term has the same meaning, syntax and
processing rules as the "NumericDate" term defined in Section 2 of
JWT [RFC7519], except that the CBOR numeric representation
(Section 2.4.1 of [RFC7049]) is used.  The encoding is modified so that
the leading tag (6.1 or 0xC1) MUST be omitted.

<Note above text kills the direct need for section 5.>

Could make sense, I created an issue in the issue tracker to look at this.


* What is a "CWT NumericDate" ?  Why is this not just a "NumericDate"?  You
should be consistent on how you are using this and the "StringOrURI" type
identifier.  Either use the CWT prefix or don't.


Makes sense to me, created an issue in the issue tracker to address this.


* s/except that a CWT StringOrURI/except that for a CWT, StringOrURI/


Makes sense to me, created an issue in the issue tracker to address this.


* The algorithm for doing nesting detection is a gross abuse of the content
type parameter and can be far more easily done based on the already present
tagging of the COSE object.

Could you please explain a bit more, we are using the COSE tags but have made
them optional if the application for example only uses one type then it would
always know what to do and would not need to parse the tag saving a byte.

[JLS] The concept is pretty easy to explain.

If you are in a situation where the full description of the CWT – including
nesting layering – is known from a profile, then there would be no need to
have any COSE tags present on any layer of the CWT message.  I would however
highly discourage using this situation for anything but a single layer CWT
such as one that is based on the COSE_Encrypt0 message without any inner
layering.  Doing otherwise is going to mean that libraries would be unable to
automatically unwrap all of the layers on their own, but would need guidance
on each layer as it was processed.

In the current document in step 5 of section 7.2, there is an assumption
that a COSE tag is going to exist in order to distinguish between the
different types of COSE messages – I would note that these tags are not
explicitly called for in section 7.1 – so the algorithm that I am going to
suggest means that they are supposed to be present not implicit in any event.

In section 7.2 in step 7 the algorithm becomes:

If the payload starts with one of the COSE identification tags, then the
message is recursive – go to step 1, wash rinse and repeat.


* Break section 8 into multiple paragraphs that deal with different types of
issues.


Might be reasonable, I have created an issue in the issue tracker so that the
comment is not lost.


* In section 8, the first sentence implies to me that you believe that COSE
is more of a problem than breaking of cryptographic algorithms, trust of
certificates/keys.  Not sure what needs to be done, but better clarity may
be a good idea.

Added this to the previously mentioned issue to address this too, since it
is in the same section.


* I have not done any validation of the examples.   You might want to have
an example which uses the real for one of the time types.

Sorry, but I don't get it, could you add some more context?

[JLS] Use the value of "1444064944.5" for one of the time values.  Although
I doubt that less than second resolution is needed in almost any case, having
an example where it is given is still a good idea.

Jim

Jim



-----Original Message-----
From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Kepeng Li
Sent: Thursday, April 20, 2017 2:53 PM
To: ace@ietf.org
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Subject: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token

In Chicago, it was decided that we were going to WGLC the ACE CBOR Web Token
draft.

So this starts a working group last call for draft-ietf-ace-cbor-web-token
for submission as a Standards Track RFC, ending on 24:00 PDT on Tuesday, May
2, 2017.

The specification is available at:
https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04

An HTML-formatted version is also available at:
http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.html

Thanks,


Kind Regards
Kepeng & Hannes


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace


------=_NextPart_000_0001_01D2CCB3.B1A860A0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p class=3DMsoNormal><span =
style=3D'color:#0070C0'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><b>From:</b> =
Samuel Erdtman [mailto:samuel@erdtman.se] <br><b>Sent:</b> Sunday, May =
14, 2017 3:40 AM<br><b>To:</b> Jim Schaad =
&lt;ietf@augustcellars.com&gt;<br><b>Cc:</b> ace =
&lt;Ace@ietf.org&gt;<br><b>Subject:</b> Re: [Ace] WGLC on =
draft-ietf-ace-cbor-web-token<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'>Hi Jim,<o:p></o:p></p></div><p =
class=3DMsoNormal>Thanks for your review and comments, see some initial =
replies inline.<o:p></o:p></p><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><p class=3DMsoNormal>On Sat, =
Apr 22, 2017 at 8:47 PM, Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" =
target=3D"_blank">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></p><blockquote style=3D'border:none;border-left:solid =
#CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-right:0in'><p class=3DMsoNormal>Not ready =
to ship.<br><br><br>* I find the text for NumericDate confusing and =
would suggest this is a<br>cleaner wording.<br><br>The =
&quot;NumericDate&quot; term has the same meaning, syntax =
and<br>Processing rules as the &quot;NumericDate&quot; term defined in =
Section 2 of<br>JWT [RFC7519], except that the CBOR numeric =
representation<br>(Section 2.4.1 of [RC7049]) is used.&nbsp; The =
encoding is modified so that<br>the leading tag (6.1 or 0xC1) MUST be =
omitted.<br><br>&lt;Note above text kills the direct need for section =
5.&gt;<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Could make sense, I created an issue in the issue =
tracker to look at this.<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-right:0in'><p class=3DMsoNormal><br>* =
What is a &quot;CWT NumericDate&quot; ?&nbsp; Why is this not just a =
&quot;NumericDate&quot;?&nbsp; You<br>should be consistent on how you =
are using this and the &quot;StringOrURI&quot; type<br>identifier.&nbsp; =
Either use the CWT prefix or don't.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal><br>Makes sense to me, created an issue in the issue =
tracker to address this.<br>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-right:0in'><p class=3DMsoNormal><br>* =
s/except that a CWT StringOrURI/except that for a CWT, =
StringOrURI/<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'><br>&nbsp;Makes sense to me, created an =
issue in the issue tracker to address =
this.<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-right:0in'><p class=3DMsoNormal><br>* The =
algorithm for doing nesting detection is a gross abuse of the =
content<br>type parameter and can be far more easily done based on the =
already present<br>tagging of the COSE =
object.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Could you please explain a bit more, we are using the =
COSE tags but have made <br>them optional if the application for example =
only uses one thyme then it would <br>always know what to do and would =
not need to parse the tag saving a byte.<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'color:#0070C0'>[JLS] The concept is pretty easy to =
explain.<o:p></o:p></span></p></div><div><p class=3DMsoNormal><span =
style=3D'color:#0070C0'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span style=3D'color:#0070C0'>If you are in a =
situation where the full description of the CWT =E2=80=93 including =
nesting layering =E2=80=93 is known from a profile, then there would be =
no need to have any COSE tags present on any layer of the CWT =
message.=C2=A0 I would however highly discourage using this situation =
for anything but a single layer CWT such as one that is based on the =
COSE_Encrypt0 message without any inner layering.=C2=A0 Doing otherwise =
is going to mean that libraries would be unable to automatically unwrap =
all of the layers on their own, but would need guidance on each layer as =
it was processed.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'color:#0070C0'><o:p>&nbsp;</o:p></span></p><p =
class=3DMsoNormal><span style=3D'color:#0070C0'>In the current document =
in </span><span style=3D'color:#0070C0'>step 5 of section 7.2, there is =
an assumption that a COSE tag is going to exist in order to distinguish =
between the different types of COSE messages =E2=80=93 I would note that =
these tags are not explicitly called for in section 7.1 =E2=80=93 so the =
algorithm that I am going to suggest means that they are supposed to be =
present not implicit in any event.<o:p></o:p></span></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'color:#0070C0'>In section 7.2 in step 7 the algorithm =
becomes:<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'color:#0070C0'>If the payload starts with one of the COSE =
identification tags, then the message is recursive =E2=80=93 go to step =
1, wash rinse and repeat.<o:p></o:p></span></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-right:0in'><p class=3DMsoNormal><br>* =
Break section 8 into multiple paragraphs that deal with different types =
of<br>issues.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal><br>Might be reasonable I have created an issue in the =
issue tracker so that the <br>comment is not =
lost.<br>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-right:0in'><p class=3DMsoNormal><br>* In =
section 8, the first sentence implies to me that you believe that =
COSE<br>is more of a problem that breaking of cryptographic algorithms, =
trust of<br>certificates/keys.&nbsp; Not sure what needs to be done, but =
better clarity may<br>be a good idea.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Added this to the previously mentioned issue to =
address this too since it is in the same section =
<o:p></o:p></p></div><blockquote style=3D'border:none;border-left:solid =
#CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-right:0in'><p class=3DMsoNormal><br>* I =
have not done any validation of the examples.&nbsp; &nbsp;You might want =
to have<br>an example which uses the real for one of the time =
types.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>Sorry, but I don=C2=B4t get it could you add some more =
context.<o:p></o:p></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><pre><span =
style=3D'font-family:"Calibri",sans-serif;color:#0070C0'>[JLS] Use the =
value of =E2=80=9C</span><span =
style=3D'color:#0070C0'>1444064944.5=E2=80=9D for one of the time =
values.=C2=A0 Although I doubt that less than second resolution is =
needed in almost any case, having an example where it is given is still =
a good idea.<o:p></o:p></span></pre><pre><span =
style=3D'color:#0070C0'><o:p>&nbsp;</o:p></span></pre><pre><span =
style=3D'color:#0070C0'>Jim<o:p></o:p></span></pre><pre><o:p>&nbsp;</o:p>=
</pre><p class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-right:0in'><p class=3DMsoNormal><span =
style=3D'color:#888888'><br><span =
class=3Dgmail-hoenzb>Jim</span></span><o:p></o:p></p><div><div><p =
class=3DMsoNormal><br><br>-----Original Message-----<br>From: Ace =
[mailto:<a =
href=3D"mailto:ace-bounces@ietf.org">ace-bounces@ietf.org</a>] On Behalf =
Of Kepeng Li<br>Sent: Thursday, April 20, 2017 2:53 PM<br>To: <a =
href=3D"mailto:ace@ietf.org">ace@ietf.org</a><br>Cc: Hannes Tschofenig =
&lt;<a =
href=3D"mailto:hannes.tschofenig@gmx.net">hannes.tschofenig@gmx.net</a>&g=
t;<br>Subject: [Ace] [ace] WGLC on =
draft-ietf-ace-cbor-web-token<br><br>In Chicago, it was decided that we =
were going to WGLC the ACE CBOR Web Token<br>draft.<br><br>So this =
starts a working group last call for =
draft-ietf-ace-cbor-web-token<br>for submission as a Standards Track =
RFC, ending on 24:00 PDT on Tuesday, May<br>2, 2017.<br><br>The =
specification is available at:<br><a =
href=3D"https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04" =
target=3D"_blank">https://tools.ietf.org/html/draft-ietf-ace-cbor-web-tok=
en-04</a><br><br>An HTML-formatted version is also available at:<br><a =
href=3D"http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.htm=
l" =
target=3D"_blank">http://self-issued.info/docs/draft-ietf-ace-cbor-web-to=
ken-04.html</a><br><br>Thanks,<br><br><br>Kind Regards<br>Kepeng &amp; =
Hannes<br><br><br>_______________________________________________<br>Ace =
mailing list<br><a href=3D"mailto:Ace@ietf.org">Ace@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/ace" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/ace</a><br><br>__=
_____________________________________________<br>Ace mailing list<br><a =
href=3D"mailto:Ace@ietf.org">Ace@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/ace" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/ace</a><o:p></o:p=
></p></div></div></blockquote></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div></div></div></body></html>
------=_NextPart_000_0001_01D2CCB3.B1A860A0--
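
The tag-based nesting check that [JLS] proposes above for step 7 of section 7.2, as an added example that is not part of the thread or of the draft. Assumptions: the COSE tag numbers are those registered in RFC 8152, the names `unwrap_layers`, `MAX_DEPTH` and `build_sample` are hypothetical, the sample token is constructed with dummy signature and MAC bytes, and signature/MAC verification and decryption are left to the caller.

```python
from collections import namedtuple

# CBOR tag numbers of the six COSE message types (RFC 8152).
COSE_TAGS = {16: "COSE_Encrypt0", 17: "COSE_Mac0", 18: "COSE_Sign1",
             96: "COSE_Encrypt", 97: "COSE_Mac", 98: "COSE_Sign"}
ENCRYPTED = {16, 96}
MAX_DEPTH = 4  # assumption: local policy bound on nesting depth

Tagged = namedtuple("Tagged", "tag value")


def _head(buf, pos):
    """Read one CBOR initial byte plus argument: (major, argument, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    if info > 27:
        raise ValueError("indefinite or reserved length not supported")
    size = 1 << (info - 24)
    if pos + size > len(buf):
        raise ValueError("truncated CBOR")
    return major, int.from_bytes(buf[pos:pos + size], "big"), pos + size


def decode(buf, pos=0):
    """Minimal definite-length CBOR decoder: returns (item, next_pos)."""
    major, arg, pos = _head(buf, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = decode(buf, pos)
            result[key], pos = decode(buf, pos)
        return result, pos
    if major == 6:
        inner, pos = decode(buf, pos)
        return Tagged(arg, inner), pos
    raise ValueError("simple values and floats are not needed here")


def enc(obj):
    """Minimal CBOR encoder, used only to construct the sample tokens."""
    def head(major, n):
        if n < 24:
            return bytes([major << 5 | n])
        for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
            if n < 1 << (8 * size):
                return bytes([major << 5 | info]) + n.to_bytes(size, "big")
        raise ValueError("argument too large")
    if isinstance(obj, Tagged):
        return head(6, obj.tag) + enc(obj.value)
    if isinstance(obj, int):
        return head(0, obj) if obj >= 0 else head(1, -1 - obj)
    if isinstance(obj, bytes):
        return head(2, len(obj)) + obj
    if isinstance(obj, str):
        return head(3, len(obj.encode())) + obj.encode()
    if isinstance(obj, list):
        return head(4, len(obj)) + b"".join(enc(x) for x in obj)
    if isinstance(obj, dict):
        return head(5, len(obj)) + b"".join(enc(k) + enc(v) for k, v in obj.items())
    raise TypeError(type(obj))


def unwrap_layers(token, max_depth=MAX_DEPTH):
    """Walk nested COSE layers by leading tag; return (layer names, innermost item)."""
    layers, data = [], token
    while True:
        item, end = decode(data)
        if end != len(data):
            raise ValueError("trailing bytes after CBOR item")
        if not (isinstance(item, Tagged) and item.tag in COSE_TAGS):
            return layers, item  # no COSE tag: stop, this is the innermost content
        if len(layers) >= max_depth:
            raise ValueError("COSE nesting exceeds local limit")
        body = item.value
        if not (isinstance(body, list) and len(body) >= 3 and isinstance(body[2], bytes)):
            raise ValueError("malformed COSE structure")
        layers.append(COSE_TAGS[item.tag])
        if item.tag in ENCRYPTED:
            return layers, None  # ciphertext: decrypt first, then call again
        # A real verifier checks this layer's signature or MAC before descending.
        data = body[2]  # payload sits at index 2 in all signed and MACed messages


CLAIMS = {1: "coap://as.example", 4: 1444064944}  # constructed claims map


def build_sample(tag_inner=True):
    """Constructed token: COSE_Sign1 around COSE_Mac0 around the claims."""
    mac0 = [b"", {}, enc(CLAIMS), b"\x00" * 8]
    inner = enc(Tagged(17, mac0) if tag_inner else mac0)
    return enc(Tagged(18, [b"", {}, inner, b"\x00" * 64]))
```

With `tag_inner=False` the walk stops after the outer layer and returns a bare array, which is the case where a library needs out-of-band guidance to continue.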


From nobody Sun May 14 13:33:18 2017
Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F18128B8E; Sun, 14 May 2017 13:33:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u_dWTlEVBJ8d; Sun, 14 May 2017 13:33:14 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0E04127977; Sun, 14 May 2017 13:29:09 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0006_01D2CCB4.8D30C950"
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1494793748; h=from:subject:to:date:message-id; bh=STC2dMLkpzH3n6mwKiHt/r7IpIZQlkciAOrTpUvFH2k=; b=SQGP8R8LY0hy8dNSYGFvfmX2oKn4XovTqTU7alsdFdi+Qh6GiZAzBWNjOIHC+uBvaV7/0rwlxHj 7qCVIU3azwCvxL4LR4BImMBO85Q6mOGtIt4xcxff1eO2znDNlKRtLY+RhxKg+DR31Giycof9z8jGs n8S18+hT7jG5HFFRkExBtuc+QSEZh5AP0HFb7r0RrR55RH/KVwuQ78cOK9jC6W2TDFPZzEVg9/FLS NpOUPsGQpQLwFztfScaH+bXFM8E3g2M46jf7m7nEHClp+BU9LQsfwrY1t+5bNz+aYe+QctXB2wD53 2Nm5qQiPQ51TD4exWBd0c83A/QGyO2udf6IA==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 14 May 2017 13:29:07 -0700
Received: from Hebrews (173.8.216.38) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Sun, 14 May 2017 13:29:00 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Samuel Erdtman' <samuel@erdtman.se>, <oauth@ietf.org>, 'ace' <Ace@ietf.org>
CC: 'Ludwig Seitz' <ludwig.seitz@ri.se>
References: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com>
In-Reply-To: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com>
Date: Sun, 14 May 2017 13:18:14 -0700
Message-ID: <000501d2ccef$398d0940$aca71bc0$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQF2pOMAEHj6tEKs9s8Af1VsoCYHA6KslJaw
X-Originating-IP: [173.8.216.38]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/hQ4Z5Jt7sMSkk8sah45lNPLBs1Y>
Subject: Re: [Ace] New OAuth client credentials RPK and PSK
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 May 2017 20:33:16 -0000

------=_NextPart_000_0006_01D2CCB4.8D30C950
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

How is this draft supposed to interact with =
draft-gerdes-ace-dtls-authorize?

=20

Jim

=20

=20

From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Samuel Erdtman
Sent: Friday, May 12, 2017 1:03 AM
To: <oauth@ietf.org> <oauth@ietf.org>; ace <Ace@ietf.org>
Cc: Ludwig Seitz <ludwig.seitz@ri.se>
Subject: [Ace] New OAuth client credentials RPK and PSK

=20

Hi ACE and OAuth WGs,

I and Ludwig submitted a new draft yesterday defining how to use Raw =
Public Key and Pre Shared Key with (D)TLS as OAuth client credentials, =
https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.

=20

We think this is valuable to the ACE work since the ACE framework is =
based on OAuth, but client credentials as defined in the OAuth framework =
are not the best match for embedded devices.

We think Raw Public Keys and Pre Shared Keys are more suitable =
credentials for embedded devices for the following reasons:

* Better security by binding to transport layer.

* If PSK DTLS is to be used a key needs to be distributed anyway, why =
not make use of it as a credential.

* Client id and client secret accommodate manual input by humans. =
This does not scale well and requires some form of input device.

* Some/many devices will have crypto-hardware that can protect key =
material, to not use that possibility would be a waste.

* There are probably more reasons, these were just the ones on top of my =
head.

=20

This is not the first recent initiative to create new client credential =
types, the OAuth WG adopted a similar draft for certificate based client =
credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html). =
That work is also valuable to ACE but not all devices will be able to =
work with certificates or even asymmetric crypto.

Please review and comment.

Cheers

//Samuel

=20


------=_NextPart_000_0006_01D2CCB4.8D30C950--


From nobody Mon May 15 01:52:57 2017
Return-Path: <samuel@erdtman.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58491129AFA for <ace@ietfa.amsl.com>; Mon, 15 May 2017 01:52:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G0dTfWiAy8cr for <ace@ietfa.amsl.com>; Mon, 15 May 2017 01:52:46 -0700 (PDT)
Received: from mail-oi0-x235.google.com (mail-oi0-x235.google.com [IPv6:2607:f8b0:4003:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7AD3129C47 for <Ace@ietf.org>; Mon, 15 May 2017 01:49:03 -0700 (PDT)
Received: by mail-oi0-x235.google.com with SMTP id h4so122306836oib.3 for <Ace@ietf.org>; Mon, 15 May 2017 01:49:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Pfs0LLLfbhQWwh8WIOXvB7xvm2mphNTE8Wk+6eB8QPI=; b=xgT2wpclIo2xykcLwAcSIxfkMQ3/OLfV/Ft/J6lbyO3l/+KDoZGl3uzCAyF6apZ+CW 61oZJXoFd6oToGqIkc9GldMtTgJFUggUkeQ5qqQG56AycukNlIZL6CVgn191iWmO1w7a DQTj9BjrHqixZOYMAgqHepQkZB4QfUEV0F8W2o5sq9zUNaalq/k0OqojXCVED9At5SnA RqYvE1S3juxhda/bHvwJHS/PExTldhpXp2ESp2K82tjYkeJQ1ZIpgEs9BtIQ9gF3kJhf UiHtjd7dZF0pMWdtZPkDsoEmQP4Uj4c3PN9IDPBfuRVisaU3t+hrzRcX/CSdtv6Zeiz6 VHGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Pfs0LLLfbhQWwh8WIOXvB7xvm2mphNTE8Wk+6eB8QPI=; b=seEHepFxyIVPICu0C46qE70Q75ddUwz4jXdn/cqItSTn+mkWytEh6YXW5sjWW4kqf6 W2vrlZ1aBma8dQf9L+f4W+kyOVcJPPc53gL2Qi7ArFQG5J+TlLSEpNTp/Modz+/ZPMfu ukp9O9GW90y55YlY+KWDxdD/XfhDuubdN2l9G6bSHh2mxGBv75UZufjt8D9w1JJ9bCb0 +XFQJ4kZgUXk/vav1nAwVz6AZO4q0yc00T+3Jr2LQmRAQ52K/oaFDP8BHSljPwu33l9g XusEJ5wBH5kh1h5WmsQi2YQAz7xBI9ZcfL3xXR16LI1g+PO1lo8f1gzdjf0Mld/daxgz Nluw==
X-Gm-Message-State: AODbwcDSnakLzaLGWtRQxq/6uHruqPa7MUqbvknTHfo9icZhjsGrsrPx TIDF6lO9T4dbma/zYm9ninnUPMhsSg==
X-Received: by 10.157.82.95 with SMTP id q31mr2600441otg.165.1494838142882; Mon, 15 May 2017 01:49:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.255.137 with HTTP; Mon, 15 May 2017 01:49:02 -0700 (PDT)
In-Reply-To: <000501d2ccef$398d0940$aca71bc0$@augustcellars.com>
References: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com> <000501d2ccef$398d0940$aca71bc0$@augustcellars.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 15 May 2017 10:49:02 +0200
Message-ID: <CAF2hCbY0p=kN3FHWk8+GaQa4drPa8batV9cqLqmehEbBwTnSqw@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>, ace <Ace@ietf.org>, Ludwig Seitz <ludwig.seitz@ri.se>
Content-Type: multipart/alternative; boundary="f403043c496480eb1f054f8c2086"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Cmb47z-lbyWN4J3AAFfOufhOBpg>
Subject: Re: [Ace] New OAuth client credentials RPK and PSK
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 08:52:48 -0000

--f403043c496480eb1f054f8c2086
Content-Type: text/plain; charset="UTF-8"

In short, this draft focuses on the C to AS connection and
draft-gerdes-ace-dtls-authorize focuses on the C to RS connection.

This draft details how to use RPK or PSK as client credentials to set up
the (D)TLS between C and AS while draft-gerdes-ace-dtls-authorize provides
details for how to use the RPK or PSK bound to an access token to set up the
connection between C and RS.

//Samuel


On Sun, May 14, 2017 at 10:18 PM, Jim Schaad <ietf@augustcellars.com> wrote:

> How is this draft supposed to interact with
> draft-gerdes-ace-dtls-authorize?
>
>
>
> Jim
>
>
>
>
>
> *From:* Ace [mailto:ace-bounces@ietf.org] *On Behalf Of *Samuel Erdtman
> *Sent:* Friday, May 12, 2017 1:03 AM
> *To:* <oauth@ietf.org> <oauth@ietf.org>; ace <Ace@ietf.org>
> *Cc:* Ludwig Seitz <ludwig.seitz@ri.se>
> *Subject:* [Ace] New OAuth client credentials RPK and PSK
>
>
>
> Hi ACE and OAuth WGs,
>
> I and Ludwig submitted a new draft yesterday defining how to use Raw
> Public Key and Pre Shared Key with (D)TLS as OAuth client credentials,
> https://datatracker.ietf.org/doc/draft-erdtman-ace-rpcc/.
>
>
>
> We think this is valuable to the ACE work since the ACE framework is based
> on OAuth, but client credentials as defined in the OAuth framework are not
> the best match for embedded devices.
>
> We think Raw Public Keys and Pre Shared Keys are more suitable credentials
> for embedded devices for the following reasons:
>
> * Better security by binding to transport layer.
>
> * If PSK DTLS is to be used a key needs to be distributed anyway, why not
> make use of it as a credential.
>
> * Client id and client secret accommodate manual input by humans.
> This does not scale well and requires some form of input device.
>
> * Some/many devices will have crypto-hardware that can protect key
> material, to not use that possibility would be a waste.
>
> * There are probably more reasons, these were just the ones on top of my
> head.
>
>
>
> This is not the first recent initiative to create new client credential
> types, the OAuth WG adopted a similar draft for certificate based client
> credentials (https://tools.ietf.org/html/draft-ietf-oauth-mtls-00.html).
> That work is also valuable to ACE but not all devices will be able to work
> with certificates or even asymmetric crypto.
>
> Please review and comment.
>
> Cheers
>
> //Samuel
>
>
>

--f403043c496480eb1f054f8c2086--


From nobody Mon May 15 02:27:03 2017
Return-Path: <samuel@erdtman.se>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 454DB128854 for <ace@ietfa.amsl.com>; Mon, 15 May 2017 02:27:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=erdtman-se.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CdVHBLtgrtGp for <ace@ietfa.amsl.com>; Mon, 15 May 2017 02:27:00 -0700 (PDT)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50B0A12E852 for <Ace@ietf.org>; Mon, 15 May 2017 02:22:59 -0700 (PDT)
Received: by mail-oi0-x231.google.com with SMTP id l18so123226038oig.2 for <Ace@ietf.org>; Mon, 15 May 2017 02:22:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=erdtman-se.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=U6LXCAbFF//Fw8h918jeDl/URKsCWXKtJzyKHQK+nUQ=; b=Rp1L3oPLnUq3ZNE3t9Xpy0SBZsakIiC+XMegceHDAtakXcSkut4gnkc15WHki4ziIe eyNhiAl1hmzxxD0LLLayAYV2KC3YSlNZZAYb3MRpHPaLqvw0Us4zP/caRjMWK6l7vwAg 8fKGabzOUPpntHal/SQoDwAJ8ssoELshZDPSpBocBcM7xfUOWe8FzIWP+EGITO0NyJeJ Nb2VVEXxO548CASIiCQ6+CMBR31l/+GDJ2VogWF3yOVZ2EuJuQDdPzqKOMoWfWjuDPrk toNTFhOHvqXlkerryFKbI4v/ruaM6Y1kwpLMUohFmBg9tW6cs35dRxQyO+Ri4ps2hYgb My0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=U6LXCAbFF//Fw8h918jeDl/URKsCWXKtJzyKHQK+nUQ=; b=OIz9+oRxqAdGUERT/wPvYfK4NIDi2nciUVFqDZfsObd7g1p2FSqa8TZ6GNxnaITza+ eNAvogzYxmvz0OaM9DYpl+UBwAUrtsLJAn5XjEQfesbhHCXWbz27iuopCzfL8OePrweg n7WpRbGRVCZK6tMVg1tzg7ICjfVen91Fzs3wVv5+4L7PaQL+zltr2YcAvVkoDhHNdDoM K/9ASX+5nbNnJtMeP+4j6FhH6rCNBS412DwIb82OdwP4DrrO8GsARz1LYvbFVq04lVIg Jl9Iggjoycs67P9ZG0rx2lTJfxOb1K6FYN9+7tYg9dsdoPyhnHROBG48tpn2x5tle/Sq ku6w==
X-Gm-Message-State: AODbwcD2xlmsx5x3g/p6dKarTJxkoVjdFnDrkhsnBtfFpklgzQv6w0Kt ZgXzxEfnrQenDsM9aGvDxJeULiBzeA==
X-Received: by 10.202.81.77 with SMTP id f74mr1931375oib.141.1494840178676; Mon, 15 May 2017 02:22:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.255.137 with HTTP; Mon, 15 May 2017 02:22:58 -0700 (PDT)
In-Reply-To: <000001d2ccee$5e020880$1a061980$@augustcellars.com>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com>
From: Samuel Erdtman <samuel@erdtman.se>
Date: Mon, 15 May 2017 11:22:58 +0200
Message-ID: <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com>
To: Jim Schaad <ietf@augustcellars.com>, Mike Jones <Michael.Jones@microsoft.com>
Cc: ace <Ace@ietf.org>
Content-Type: multipart/alternative; boundary="001a113d6a0cd8b319054f8c992f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/bHGT5jM8Tm17YfSIBMRNRPF_bgw>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 09:27:02 -0000

--001a113d6a0cd8b319054f8c992f
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Thanks for clarifications Jim, see my comments inline.

Mike, there is a question for you inlined too.

On Sun, May 14, 2017 at 10:12 PM, Jim Schaad <ietf@augustcellars.com> wrote:

>
>
>
>
> *From:* Samuel Erdtman [mailto:samuel@erdtman.se]
> *Sent:* Sunday, May 14, 2017 3:40 AM
> *To:* Jim Schaad <ietf@augustcellars.com>
> *Cc:* ace <Ace@ietf.org>
> *Subject:* Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
>
>
>
> Hi Jim,
>
> Thanks for your review and comments, see some initial replies inline.
>
>
>
> On Sat, Apr 22, 2017 at 8:47 PM, Jim Schaad <ietf@augustcellars.com>
> wrote:
>
> Not ready to ship.
>
>
> * I find the text for NumericDate confusing and would suggest this is a
> cleaner wording.
>
> The "NumericDate" term has the same meaning, syntax and
> Processing rules as the "NumericDate" term defined in Section 2 of
> JWT [RFC7519], except that the CBOR numeric representation
> (Section 2.4.1 of [RFC7049]) is used.  The encoding is modified so that
> the leading tag (6.1 or 0xC1) MUST be omitted.
>
> <Note above text kills the direct need for section 5.>
>
>
>
> Could make sense, I created an issue in the issue tracker to look at this.
>
>
>
>
> * What is a "CWT NumericDate" ?  Why is this not just a "NumericDate"?  You
> should be consistent on how you are using this and the "StringOrURI" type
> identifier.  Either use the CWT prefix or don't.
>
>
> Makes sense to me, created an issue in the issue tracker to address this.
>
>
>
> * s/except that a CWT StringOrURI/except that for a CWT, StringOrURI/
>
>
>  Makes sense to me, created an issue in the issue tracker to address this.
>
>
> * The algorithm for doing nesting detection is a gross abuse of the content
> type parameter and can be far more easily done based on the already present
> tagging of the COSE object.
>
>
>
> Could you please explain a bit more, we are using the COSE tags but have
> made
> them optional if the application for example only uses one type then it
> would
> always know what to do and would not need to parse the tag saving a byte.
>
>
>
> [JLS] The concept is pretty easy to explain.
>
>
>
> If you are in a situation where the full description of the CWT –
> including nesting layering – is known from a profile, then there would be
> no need to have any COSE tags present on any layer of the CWT message.  I
> would however highly discourage using this situation for anything but a
> single layer CWT such as one that is based on the COSE_Encrypt0 message
> without any inner layering.  Doing otherwise is going to mean that
> libraries would be unable to automatically unwrap all of the layers on
> their own, but would need guidance on each layer as it was processed.
>
>
>
> In the current document in step 5 of section 7.2, there is an assumption
> that a COSE tag is going to exist in order to distinguish between the
> different types of COSE messages – I would note that these tags are not
> explicitly called for in section 7.1 – so the algorithm that I am going to
> suggest means that they are supposed to be present not implicit in any
> event.
>
>
>
> In section 7.2 in step 7 the algorithm becomes:
>
> If the payload starts with one of the COSE identification tags, then the
> message is recursive – go to step 1, wash rinse and repeat.
>

I think I see your point. In the case of nested CWTs you would like to
mandate the inner layer to have a COSE tag indicating the message type. But
in cases where e.g. transport is done over CoAP you don't feel it is as
important.
I personally would like to go all the way and mandate the COSE tag for all
CWT messages nested or not but that would add some extra bytes i.e. not
good in all cases.

Maybe a compromise and mandate it for inner object in nested CWTs.
@Mike would you like to comment to before we decide on a path forward.




>
>
>
> * Break section 8 into multiple paragraphs that deal with different types
> of
> issues.
>
>
> Might be reasonable I have created an issue in the issue tracker so that
> the
> comment is not lost.
>
>
>
> * In section 8, the first sentence implies to me that you believe that COSE
> is more of a problem than breaking of cryptographic algorithms, trust of
> certificates/keys.  Not sure what needs to be done, but better clarity may
> be a good idea.
>
>
>
> Added this to the previously mentioned issue to address this to since it
> is in the same section
>
>
> * I have not done any validation of the examples.   You might want to have
> an example which uses the real for one of the time types.
>
>
>
> Sorry, but I don't get it could you add some more context.
>
>
>
> [JLS] Use the value of “1444064944.5” for one of the time values.  Although I doubt that less than second resolution is needed in almost any case, having an example where it is given is still a good idea.
>

Makes sense, as you say it might not be a core case but there should be at
least one example of it if we support it. I have created a ticket to
address it.


>
>
> Jim
>
>
>
>
>
>
>
>
> Jim
>
>
>
> -----Original Message-----
> From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Kepeng Li
> Sent: Thursday, April 20, 2017 2:53 PM
> To: ace@ietf.org
> Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>
> Subject: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token
>
> In Chicago, it was decided that we were going to WGLC the ACE CBOR Web
> Token
> draft.
>
> So this starts a working group last call for draft-ietf-ace-cbor-web-token
> for submission as a Standards Track RFC, ending on 24:00 PDT on Tuesday,
> May
> 2, 2017.
>
> The specification is available at:
> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04
>
> An HTML-formatted version is also available at:
> http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.html
>
> Thanks,
>
>
> Kind Regards
> Kepeng & Hannes
>
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
>
>
>


--001a113d6a0cd8b319054f8c992f--
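The tag-driven nesting check that Jim Schaad proposes above for step 7 of section 7.2, as an added example that is not part of the thread or of the draft. The function names, `MAX_DEPTH`, the tag numbers (taken from RFC 8152) and the sample token are assumptions made here, and the code only walks the structure: it performs no signature or MAC verification, which a real validator does on each layer before descending.

```python
import struct

# COSE message tags as registered in RFC 8152 (values not quoted in the thread).
COSE_TAGS = {16: "COSE_Encrypt0", 17: "COSE_Mac0", 18: "COSE_Sign1",
             96: "COSE_Encrypt", 97: "COSE_Mac", 98: "COSE_Sign"}
# Message types whose third array element is the payload in the clear.
CLEAR_PAYLOAD = {"COSE_Mac0", "COSE_Sign1", "COSE_Mac", "COSE_Sign"}
MAX_DEPTH = 4  # assumed cap so hostile input cannot force unbounded unwrapping


def read_head(buf, pos):
    """Decode one CBOR head; return (major type, argument, next offset)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR item")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    if info > 27:
        raise ValueError("indefinite or reserved length not supported")
    size = 1 << (info - 24)
    if pos + size > len(buf):
        raise ValueError("truncated CBOR item")
    return major, int.from_bytes(buf[pos:pos + size], "big"), pos + size


def skip_item(buf, pos):
    """Return the offset just past the definite-length item starting at pos."""
    major, arg, pos = read_head(buf, pos)
    if major in (2, 3):                      # byte or text string
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        return pos + arg
    if major in (4, 5):                      # array, or map (two items per entry)
        for _ in range(arg * (major - 3)):
            pos = skip_item(buf, pos)
        return pos
    if major == 6:                           # tag: skip the tagged item
        return skip_item(buf, pos)
    return pos                               # integers, simple values, floats


def unwrap(token):
    """Peel tagged COSE layers; return (layer names outermost first, innermost bytes)."""
    names, data = [], token
    while data:
        major, tag, pos = read_head(data, 0)
        # A claims set is a CBOR map (major type 5), so it can never be
        # mistaken for a tag (major type 6): the check is unambiguous.
        if major != 6 or tag not in COSE_TAGS:
            break
        if len(names) == MAX_DEPTH:
            raise ValueError("nesting deeper than MAX_DEPTH")
        name = COSE_TAGS[tag]
        names.append(name)
        major, count, pos = read_head(data, pos)
        if major != 4 or count < 3:
            raise ValueError("tagged item is not a COSE array")
        pos = skip_item(data, pos)           # protected headers (bstr)
        pos = skip_item(data, pos)           # unprotected headers (map)
        major, length, pos = read_head(data, pos)
        if major != 2 or pos + length > len(data):
            raise ValueError("payload is not an embedded byte string")
        data = data[pos:pos + length]
        if name not in CLEAR_PAYLOAD:
            break                            # ciphertext: decrypt before looking inside
    return names, data


def bstr(data):
    """Sample builder: CBOR byte string (lengths under 256 only)."""
    head = bytes([0x40 | len(data)]) if len(data) < 24 else bytes([0x58, len(data)])
    return head + data


def cose4(tag_bytes, payload):
    """Sample builder: tag + [h'', {}, payload, 8 zero bytes as a dummy MAC/signature]."""
    return tag_bytes + b"\x84" + bstr(b"") + b"\xa0" + bstr(payload) + bstr(bytes(8))


# Constructed claims set {4 (exp): 1444064944.5}; the float carries no leading tag 1.
CLAIMS = b"\xa1\x04\xfb" + struct.pack(">d", 1444064944.5)
TAGGED_INNER = cose4(b"\xd1", CLAIMS)                 # tag 17, COSE_Mac0
NESTED = cose4(b"\xd2", TAGGED_INNER)                 # tag 18, COSE_Sign1 around it
NESTED_UNTAGGED = cose4(b"\xd2", TAGGED_INNER[1:])    # same, inner tag omitted

if __name__ == "__main__":
    for token in (NESTED, NESTED_UNTAGGED):
        names, rest = unwrap(token)
        print(names, rest.hex())
```

With the inner tag omitted, the walk stops after the outer layer and hands back an opaque array, which is the "would need guidance on each layer" case described in the message.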


From nobody Mon May 15 04:31:57 2017
Return-Path: <adrianimach@hotmail.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4998127011; Mon, 15 May 2017 04:31:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.146
X-Spam-Level: 
X-Spam-Status: No, score=-1.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i1J35wytyzoI; Mon, 15 May 2017 04:31:53 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-oln040092068105.outbound.protection.outlook.com [40.92.68.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D18A012957A; Mon, 15 May 2017 04:27:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=F6NZnywjVGc9lquINQWy3LzM0XSzDIvy2bYKKhvuuUo=; b=Hm3sSY2smJuRR8PihP9tfyXbtHGdj934a0Xp9t67JNtvh1qKr5CgFHxxRqAX62G82QKc231e7gD2K6/Zjs1e+zKEOJsIrodHKsNuRL/tqv2hKX6AZhu/xoKyD0dG7gpcjbJYd/JQik5PYSoEdVDmhdEYIFSnmIKjA8kF7aNYokI9W6p5TweGydriuFP4blW3o7kB0ozPLN6LmNIziLrBDRNlAODp2rPkFp4GZrGLaj+k/r7mJNDxlGze09UzU9uZQ/MSRLtLPdPYYzE1xO/8F7Fy77ZYjPMSuACvksyypasaMyoC9WVqvS1Ux1L9wt3Rsz16wA3w30X4vqxOV9J+MQ==
Received: from HE1EUR02FT030.eop-EUR02.prod.protection.outlook.com (10.152.10.51) by HE1EUR02HT211.eop-EUR02.prod.protection.outlook.com (10.152.11.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1075.5; Mon, 15 May 2017 11:27:57 +0000
Received: from AM4PR09MB0627.eurprd09.prod.outlook.com (10.152.10.51) by HE1EUR02FT030.mail.protection.outlook.com (10.152.10.165) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1075.5 via Frontend Transport; Mon, 15 May 2017 11:27:56 +0000
Received: from AM4PR09MB0627.eurprd09.prod.outlook.com ([fe80::b562:3:99a7:9530]) by AM4PR09MB0627.eurprd09.prod.outlook.com ([fe80::b562:3:99a7:9530%14]) with mapi id 15.01.1084.029; Mon, 15 May 2017 11:27:56 +0000
From: Adrian Imach <adrianimach@hotmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
CC: Jim Schaad <ietf@augustcellars.com>, "<oauth@ietf.org>" <oauth@ietf.org>,  ace <Ace@ietf.org>
Thread-Topic: [OAUTH-WG] [Ace] New OAuth client credentials RPK and PSK
Thread-Index: AQF2pOMAEHj6tEKs9s8Af1VsoCYHA6KslJawgADR1wCAACxkKg==
Date: Mon, 15 May 2017 11:27:56 +0000
Message-ID: <AM4PR09MB0627E138F244480420AD4949B0E10@AM4PR09MB0627.eurprd09.prod.outlook.com>
References: <CAF2hCbZpWTCMg617dK7D+F+0w=hxrz4VNdsFZHPGM1rZy+K3TA@mail.gmail.com> <000501d2ccef$398d0940$aca71bc0$@augustcellars.com>, <CAF2hCbY0p=kN3FHWk8+GaQa4drPa8batV9cqLqmehEbBwTnSqw@mail.gmail.com>
In-Reply-To: <CAF2hCbY0p=kN3FHWk8+GaQa4drPa8batV9cqLqmehEbBwTnSqw@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: erdtman.se; dkim=none (message not signed) header.d=none;erdtman.se; dmarc=none action=none header.from=hotmail.com;
x-incomingtopheadermarker: OriginalChecksum:EE7621ACA0A9762E1B554070139F5CE68D3A53794B47A2C2FB867CA046B9E5E3; UpperCasedChecksum:06D0C4D13DF55FE168E6C789AF3743D3DA673CBFE176A3A94506B358FD949017; SizeAsReceived:8509; Count:46
x-ms-exchange-messagesentrepresentingtype: 1
x-tmn: [XCWKhpD+KPT/DFLzYEwjPAxDKuT/jMM1]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1EUR02HT211; 5:kb3tqbEtYUdi0h+FXVRzMegPfnuDz2yQnQqTL6TE0IitrtL0MzziT6WlXt6eQHQmdZHGF/XcMtLarvrEtVrmo5v29o4fttQk5y7rUYaa5iK/r14WAogNOp0jG9kBcmdbMRP0dJVewIGDWewnwY59qQ==; 24:swL5xt43+9J4qFJ1GY6QwZHdlVuhk6MEfl2p8wxq61HuitHYXezMv57C/vtq3xZRYGHpkXRX3x06ZRgItCXeKddCPgfsISlHqbuJwj/Xzkw=; 7:a4NoOtzaz3JKDbaf+WiOA1FDZbRYM2AQGCwtDMae7D+XCXi1VYDpFkcCiXvci7GnxMEQUBc58GNhxq4A4dEb5rTjopHrBmdXod9TIXz2W0pm4wAC+Ss6s0x/L9zwFIS+WHpBMuUlTUqZnmHEP97VRsqAgxqz+jKyqs8PWOf/TmHZq8yfSXf1fvFJQB7hLkycweyBV9UiQ9ppILUoI2T7P1xgdBS0Q6VAk6r0RfbDBgU/XyHXkguuZ67uWnpOSg6B0QmmyAKGy/cp0fyP35Zk6zoxWI19KxK1pBY9f5y2Ikp4Pb1Rl6epoPNCMSdOhDlO
x-incomingheadercount: 46
x-eopattributedmessage: 0
x-forefront-antispam-report: EFV:NLI; SFV:NSPM; SFS:(7070007)(98901004); DIR:OUT; SFP:1901; SCL:1; SRVR:HE1EUR02HT211; H:AM4PR09MB0627.eurprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; 
x-ms-office365-filtering-correlation-id: c63e5c8f-c3da-4599-e7bf-08d49b856f60
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322274)(1601125374)(1603101448)(1701031045); SRVR:HE1EUR02HT211; 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(444000031); SRVR:HE1EUR02HT211; BCL:0; PCL:0; RULEID:; SRVR:HE1EUR02HT211; 
x-forefront-prvs: 0308EE423E
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_AM4PR09MB0627E138F244480420AD4949B0E10AM4PR09MB0627eurp_"
MIME-Version: 1.0
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 May 2017 11:27:56.5858 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1EUR02HT211
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/iW09GI7xBbef3dTIIiQuJlZ4VAA>
Subject: Re: [Ace] [OAUTH-WG]  New OAuth client credentials RPK and PSK
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 11:31:56 -0000

--_000_AM4PR09MB0627E138F244480420AD4949B0E10AM4PR09MB0627eurp_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64


--_000_AM4PR09MB0627E138F244480420AD4949B0E10AM4PR09MB0627eurp_--


From nobody Mon May 15 14:19:36 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CB6B128B4E for <ace@ietfa.amsl.com>; Mon, 15 May 2017 14:19:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cp7PLuyB0TFX for <ace@ietfa.amsl.com>; Mon, 15 May 2017 14:19:32 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0096.outbound.protection.outlook.com [104.47.41.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84267129B81 for <Ace@ietf.org>; Mon, 15 May 2017 14:16:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=w61qCgqcqEcIEZWlBmvXRStuYj/jhb0dtcmg7Ws4Pf0=; b=ZfTLNNy3dkA/3O3NmzwNt0wRkOdzxgiTqsg8b6f3JVyIFx72xup1EH8GAQZ2zoq2xrEFeW/+jdOcWMRHe/wepskK9ffOTMBRd70eJab3daCt7oY2AW/j3CHR5L9uStmTnX4JDPcDxCsmOKo0OKknBaJrVRhZ/Do0+iL9yka8MhM=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0501.namprd21.prod.outlook.com (10.172.122.11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1124.0; Mon, 15 May 2017 21:16:50 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1124.002; Mon, 15 May 2017 21:16:50 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Samuel Erdtman <samuel@erdtman.se>, Jim Schaad <ietf@augustcellars.com>
CC: ace <Ace@ietf.org>
Thread-Topic: [Ace] WGLC on draft-ietf-ace-cbor-web-token
Thread-Index: AdK7gKnlztOgBho8S4qIHrw1QvtzugRHcl8AABP6FAAAG57nAAAX+Arw
Date: Mon, 15 May 2017 21:16:50 +0000
Message-ID: <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com>
In-Reply-To: <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetBy=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-05-15T14:16:47.8956247-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
authentication-results: erdtman.se; dkim=none (message not signed) header.d=none;erdtman.se; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:9::517]
x-ms-publictraffictype: Email
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504BC7E953AE6797C71D51CF5E10CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 May 2017 21:16:50.4947 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0501
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/rFsitBNs0T2di5yuxP5p7x1ACm0>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 21:19:35 -0000

--_000_CY4PR21MB0504BC7E953AE6797C71D51CF5E10CY4PR21MB0504namp_--


From nobody Mon May 15 14:29:02 2017
Return-Path: <cabo@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E97DE12940B for <ace@ietfa.amsl.com>; Mon, 15 May 2017 14:29:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level: 
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9gC3mz7eLryw for <ace@ietfa.amsl.com>; Mon, 15 May 2017 14:28:57 -0700 (PDT)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDB0B129BE0 for <Ace@ietf.org>; Mon, 15 May 2017 14:26:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [134.102.201.11]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id v4FLPOI1002575; Mon, 15 May 2017 23:25:24 +0200 (CEST)
Received: from [100.99.161.249] (ip-109-84-0-57.web.vodafone.de [109.84.0.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3wRYX35HFqzDGyF; Mon, 15 May 2017 23:25:23 +0200 (CEST)
Content-Type: multipart/alternative; boundary=Apple-Mail-D48E653B-04FA-475F-AB0A-40A8EAD61539
Mime-Version: 1.0 (1.0)
From: Carsten Bormann <cabo@tzi.org>
X-Mailer: iPhone Mail (14E304)
In-Reply-To: <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com>
Date: Mon, 15 May 2017 23:25:21 +0200
Cc: Jim Schaad <ietf@augustcellars.com>, Mike Jones <Michael.Jones@microsoft.com>, ace <Ace@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <405BC458-8ECA-43EB-B78A-C606EF4342EA@tzi.org>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8ZiFBVpbJfmwSDSUCDS0TxcSAhc>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 21:29:01 -0000

--Apple-Mail-D48E653B-04FA-475F-AB0A-40A8EAD61539
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable

I'd say use a tag unless there is information from the context, such as a media type or coap content format.

Sent from mobile

> On 15. May 2017, at 11:22, Samuel Erdtman <samuel@erdtman.se> wrote:
>
> Thanks for clarifications Jim, see my comments inline.
>
> Mike, there is a question for you inlined too.
>
>> On Sun, May 14, 2017 at 10:12 PM, Jim Schaad <ietf@augustcellars.com> wrote:
>>
>> From: Samuel Erdtman [mailto:samuel@erdtman.se]
>> Sent: Sunday, May 14, 2017 3:40 AM
>> To: Jim Schaad <ietf@augustcellars.com>
>> Cc: ace <Ace@ietf.org>
>> Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
>>
>> Hi Jim,
>>
>> Thanks for your review and comments, see some initial replies inline.
>>
>> On Sat, Apr 22, 2017 at 8:47 PM, Jim Schaad <ietf@augustcellars.com> wrote:
>>
>> Not ready to ship.
>>
>> * I find the text for NumericDate confusing and would suggest this is a
>> cleaner wording.
>>
>> The "NumericDate" term has the same meaning, syntax and
>> Processing rules as the "NumericDate" term defined in Section 2 of
>> JWT [RFC7519], except that the CBOR numeric representation
>> (Section 2.4.1 of [RFC7049]) is used.  The encoding is modified so that
>> the leading tag (6.1 or 0xC1) MUST be omitted.
>>
>> <Note above text kills the direct need for section 5.>
>>
>> Could make sense, I created an issue in the issue tracker to look at this.
>>
>> * What is a "CWT NumericDate" ?  Why is this not just a "NumericDate"?  You
>> should be consistent on how you are using this and the "StringOrURI" type
>> identifier.  Either use the CWT prefix or don't.
>>
>> Makes sense to me, created an issue in the issue tracker to address this.
>>
>> * s/except that a CWT StringOrURI/except that for a CWT, StringOrURI/
>>
>> Makes sense to me, created an issue in the issue tracker to address this.
>>
>> * The algorithm for doing nesting detection is a gross abuse of the content
>> type parameter and can be far more easily done based on the already present
>> tagging of the COSE object.
>>
>> Could you please explain a bit more, we are using the COSE tags but have made
>> them optional if the application for example only uses one type then it would
>> always know what to do and would not need to parse the tag saving a byte.
>>
>> [JLS] The concept is pretty easy to explain.
>>
>> If you are in a situation where the full description of the CWT – including nesting layering – is known from a profile, then there would be no need to have any COSE tags present on any layer of the CWT message.  I would however highly discourage using this situation for anything but a single layer CWT such as one that is based on the COSE_Encrypt0 message without any inner layering.  Doing otherwise is going to mean that libraries would be unable to automatically unwrap all of the layers on their own, but would need guidance on each layer as it was processed.
>>
>> In the current document in step 5 of section 7.2, there is an assumption that a COSE tag is going to exist in order to distinguish between the different types of COSE messages – I would note that these tags are not explicitly called for in section 7.1 – so the algorithm that I am going to suggest means that they are supposed to be present not implicit in any event.
>>
>> In section 7.2 in step 7 the algorithm becomes:
>>
>> If the payload starts with one of the COSE identification tags, then the message is recursive – go to step 1, wash rinse and repeat.
>>
>
> I think I see your point. In the case of nested CWTs you would like to mandate the inner layer to have a COSE tag indicating the message type. But in cases where e.g. transport is done over CoAP you don't feel it is as important.
> I personally would like to go all the way and mandate the COSE tag for all CWT messages nested or not but that would add some extra bytes i.e. not good in all cases.
>
> Maybe a compromise and mandate it for inner object in nested CWTs.
> @Mike would you like to comment too before we decide on a path forward.
>
>> * Break section 8 into multiple paragraphs that deal with different types of
>> issues.
>>
>> Might be reasonable I have created an issue in the issue tracker so that the
>> comment is not lost.
>>
>> * In section 8, the first sentence implies to me that you believe that COSE
>> is more of a problem than breaking of cryptographic algorithms, trust of
>> certificates/keys.  Not sure what needs to be done, but better clarity may
>> be a good idea.
>>
>> Added this to the previously mentioned issue to address this too since it is in the same section
>>
>> * I have not done any validation of the examples.   You might want to have
>> an example which uses the real for one of the time types.
>>
>> Sorry, but I don't get it could you add some more context.
>>
>> [JLS] Use the value of “1444064944.5” for one of the time values.  Although I doubt that less than second resolution is needed in almost any case, having an example where it is given is still a good idea.
> Makes sense, as you say it might not be a core case but there should be at least one example of it if we support it. I have created a ticket to address it.
>
>> Jim
>>
>> Jim
>>
>> -----Original Message-----
>> From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Kepeng Li
>> Sent: Thursday, April 20, 2017 2:53 PM
>> To: ace@ietf.org
>> Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>
>> Subject: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token
>>
>> In Chicago, it was decided that we were going to WGLC the ACE CBOR Web Token
>> draft.
>>
>> So this starts a working group last call for draft-ietf-ace-cbor-web-token
>> for submission as a Standards Track RFC, ending on 24:00 PDT on Tuesday, May
>> 2, 2017.
>>
>> The specification is available at:
>> https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04
>>
>> An HTML-formatted version is also available at:
>> http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.html
>>
>> Thanks,
>>
>> Kind Regards
>> Kepeng & Hannes
>>
>> _______________________________________________
>> Ace mailing list
>> Ace@ietf.org
>> https://www.ietf.org/mailman/listinfo/ace


--Apple-Mail-D48E653B-04FA-475F-AB0A-40A8EAD61539--


From nobody Mon May 15 14:45:40 2017
Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8897129B6C for <ace@ietfa.amsl.com>; Mon, 15 May 2017 14:45:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZT0q7Dd8ZcQ for <ace@ietfa.amsl.com>; Mon, 15 May 2017 14:45:34 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7227129B66 for <Ace@ietf.org>; Mon, 15 May 2017 14:42:19 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_009E_01D2CD87.E13B3AC0"
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1494884537; h=from:subject:to:date:message-id; bh=bRv9Vnu9AuOkqjSMH30tEwvsNEozx/TWZ5GdMs4x050=; b=d0zxOn+pWD74L9F7k0i7O7FornQgAivsfHaJPQetZwr95iiDJxp2NiZkF5HvREXBYf2yt9cbZr9 ftWdQl0+QK3rC8tZVrHoA9Z2W9Du/FuqcB0TU60J6dyTHmU0UZoarf1RhfrjfKI5tQzEQ3SMuPWe2 TaNO8MqtfoWPjNm4/uGCWtII8oxDtpOSfYFbJMA/72pkQdvouuiAxG8vOdZVq/SV9bBT5VETOa9Au mTyoqwgfGTtfUg0tKk9TcI8dQLxPk+4zcngGhPi04mbkG/Mf1i5+0TRjYniqR5phi9mqKezASIUV3 KrEzacl/neGXr4Nz0bXvwu6qV7FVDrAKuOew==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 15 May 2017 14:42:16 -0700
Received: from Hebrews (192.168.1.157) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 15 May 2017 14:41:46 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, 'Samuel Erdtman' <samuel@erdtman.se>
CC: 'ace' <Ace@ietf.org>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com> <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
Date: Mon, 15 May 2017 14:31:00 -0700
Message-ID: <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQK7Sbuoqk8BxD8OvOqownlXLriW/AEOhwClAnNLQvUDFt5ZygHazl2Hn+FU4xA=
X-Originating-IP: [192.168.1.157]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/WDLw688O8pcQ651JWsz-eib5N04>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 21:45:39 -0000

------=_NextPart_000_009E_01D2CD87.E13B3AC0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

It is correct that the tag can be added and subtracted at will w/o changing anything.

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Monday, May 15, 2017 2:17 PM
To: Samuel Erdtman <samuel@erdtman.se>; Jim Schaad <ietf@augustcellars.com>
Cc: ace <Ace@ietf.org>
Subject: RE: [Ace] WGLC on draft-ietf-ace-cbor-web-token

I agree that for nested CWTs, it’s OK to mandate that the appropriate tags be prefixed to the inner CWT, if that’s the mechanism we decide to use to encode and detect nested JWTs.  That would then raise the question though, of whether we also would continue to mandate the use of the CWT content-type or whether we would drop this.  I think it’s better that we specify one mechanism for detecting nested CWTs, rather than having two.

Before we decide this, I’d like to confirm an assumption about COSE operations and COSE CBOR tags.  I believe that the COSE crypto operations *do not* cover the CBOR COSE tag, such as the COSE_Sign tag for signed objects.  If this is the case, it means that a COSE object without tags can have the appropriate tag prefixed to it without changing the crypto (and that similarly, a CWT tag could also be added without changing the crypto).  Is this correct?  If so, then using CBOR tags would be fine for the inner CWT in a nested CWT, since you could create the inner CWT without any tags and then later decide to put it in a nested CWT without re-signing, etc.  If this is the case, I’d be OK with always prefixing the inner CWT in a nested CWT with CWT and COSE CBOR tags.  Whereas if adding the tags requires redoing the crypto, I’d rather stay with the current approach.

                                                                -- Mike

From: Samuel Erdtman [mailto:samuel@erdtman.se]
Sent: Monday, May 15, 2017 2:23 AM
To: Jim Schaad <ietf@augustcellars.com>; Mike Jones <Michael.Jones@microsoft.com>
Cc: ace <Ace@ietf.org>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

Thanks for clarifications Jim, see my comments inline.

Mike, there is a question for you inlined too.

On Sun, May 14, 2017 at 10:12 PM, Jim Schaad <ietf@augustcellars.com> wrote:

From: Samuel Erdtman [mailto:samuel@erdtman.se]
Sent: Sunday, May 14, 2017 3:40 AM
To: Jim Schaad <ietf@augustcellars.com>
Cc: ace <Ace@ietf.org>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

Hi Jim,

Thanks for your review and comments, see some initial replies inline.

On Sat, Apr 22, 2017 at 8:47 PM, Jim Schaad <ietf@augustcellars.com> wrote:

Not ready to ship.


* I find the text for NumericDate confusing and would suggest this is a
cleaner wording.

The "NumericDate" term has the same meaning, syntax and
processing rules as the "NumericDate" term defined in Section 2 of
JWT [RFC7519], except that the CBOR numeric representation
(Section 2.4.1 of [RFC7049]) is used.  The encoding is modified so that
the leading tag (6.1 or 0xC1) MUST be omitted.

<Note above text kills the direct need for section 5.>

Could make sense, I created an issue in the issue tracker to look at this.

* What is a "CWT NumericDate" ?  Why is this not just a "NumericDate"?  You
should be consistent on how you are using this and the "StringOrURI" type
identifier.  Either use the CWT prefix or don't.

Makes sense to me, created an issue in the issue tracker to address this.

* s/except that a CWT StringOrURI/except that for a CWT, StringOrURI/

Makes sense to me, created an issue in the issue tracker to address this.

* The algorithm for doing nesting detection is a gross abuse of the content
type parameter and can be far more easily done based on the already present
tagging of the COSE object.

Could you please explain a bit more, we are using the COSE tags but have made
them optional if the application for example only uses one type then it would
always know what to do and would not need to parse the tag saving a byte.

[JLS] The concept is pretty easy to explain.

If you are in a situation where the full description of the CWT – including nesting layering – is known from a profile, then there would be no need to have any COSE tags present on any layer of the CWT message.  I would however highly discourage using this situation for anything but a single layer CWT such as one that is based on the COSE_Encrypt0 message without any inner layering.  Doing otherwise is going to mean that libraries would be unable to automatically unwrap all of the layers on their own, but would need guidance on each layer as it was processed.

In the current document in step 5 of section 7.2, there is an assumption that a COSE tag is going to exist in order to distinguish between the different types of COSE messages – I would note that these tags are not explicitly called for in section 7.1 – so the algorithm that I am going to suggest means that they are supposed to be present not implicit in any event.

In section 7.2 in step 7 the algorithm becomes:

If the payload starts with one of the COSE identification tags, then the message is recursive – go to step 1, wash rinse and repeat.

I think I see your point. In the case of nested CWTs you would like to mandate the inner layer to have a COSE tag indicating the message type. But in cases where e.g. transport is done over CoAP you don't feel it is as important.

I personally would like to go all the way and mandate the COSE tag for all CWT messages nested or not but that would add some extra bytes i.e. not good in all cases.

Maybe a compromise and mandate it for inner object in nested CWTs.

@Mike would you like to comment too before we decide on a path forward.


* Break section 8 into multiple paragraphs that deal with different types of
issues.

Might be reasonable I have created an issue in the issue tracker so that the
comment is not lost.

* In section 8, the first sentence implies to me that you believe that COSE
is more of a problem than breaking of cryptographic algorithms, trust of
certificates/keys.  Not sure what needs to be done, but better clarity may
be a good idea.

Added this to the previously mentioned issue to address this too since it is in the same section


* I have not done any validation of the examples.   You might want to have
an example which uses the real for one of the time types.

Sorry, but I don't get it could you add some more context.

[JLS] Use the value of “1444064944.5” for one of the time values.  Although I doubt that less than second resolution is needed in almost any case, having an example where it is given is still a good idea.

Makes sense, as you say it might not be a core case but there should be at least one example of it if we support it. I have created a ticket to address it.

Jim

Jim



-----Original Message-----
From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Kepeng Li
Sent: Thursday, April 20, 2017 2:53 PM
To: ace@ietf.org
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Subject: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token

In Chicago, it was decided that we were going to WGLC the ACE CBOR Web Token
draft.

So this starts a working group last call for draft-ietf-ace-cbor-web-token
for submission as a Standards Track RFC, ending on 24:00 PDT on Tuesday, May
2, 2017.

The specification is available at:
https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04

An HTML-formatted version is also available at:
http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.html

Thanks,


Kind Regards
Kepeng & Hannes


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
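
Added example (not part of the thread or the draft): the two points settled above, shown with COSE_Mac0 and HMAC-SHA256. The MAC input contains no CBOR tag, so tags can be prefixed or stripped without redoing the crypto, and a verifier can detect nesting by checking whether the payload starts with a COSE tag. Tag numbers are those of RFC 8152 and RFC 8392; the key, the claims and all function names are constructed for illustration, and only COSE_Mac0 layers are handled.

```python
import hashlib
import hmac
from collections import namedtuple

COSE_TAGS = {16: "COSE_Encrypt0", 17: "COSE_Mac0", 18: "COSE_Sign1",
             96: "COSE_Encrypt", 97: "COSE_Mac", 98: "COSE_Sign"}   # RFC 8152
CWT_TAG = 61                                                        # RFC 8392
Tagged = namedtuple("Tagged", "tag value")            # a CBOR tag around a value
KEY = bytes(range(32))                                # constructed demo key
CLAIMS = {1: "coap://as.example.com", 4: 1444064944}  # constructed; 1=iss, 4=exp


def _head(major, n):
    """CBOR initial byte plus argument, shortest form."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def encode(obj):
    """Encode the CBOR subset used here: uint, bstr, tstr, array, map, tag."""
    if isinstance(obj, Tagged):
        return _head(6, obj.tag) + encode(obj.value)
    if isinstance(obj, int):
        return _head(0, obj)
    if isinstance(obj, (bytes, str)):
        raw = obj if isinstance(obj, bytes) else obj.encode()
        return _head(2 if isinstance(obj, bytes) else 3, len(raw)) + raw
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(map(encode, obj))
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(encode(k) + encode(v) for k, v in obj.items())
    raise TypeError(type(obj).__name__)


def decode(buf, pos=0):
    """Decode one item of that subset at buf[pos]; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated")
    major, n, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if n >= 24:
        size = 1 << (n - 24)
        if n > 27 or pos + size > len(buf):
            raise ValueError("unsupported or truncated head")
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if major in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + n])
        return (raw if major == 2 else raw.decode()), pos + n
    if major in (1, 7):
        raise ValueError("major type %d is not handled here" % major)
    items = []
    for _ in range({0: 0, 4: n, 5: 2 * n, 6: 1}[major]):   # child items to read
        item, pos = decode(buf, pos)
        items.append(item)
    if major in (0, 6):
        return (n if major == 0 else Tagged(n, items[0])), pos
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos


def mac0(key, payload, prot=b"\xa1\x01\x05"):   # protected header {1: 5}, HMAC 256/256
    """Untagged COSE_Mac0 array; the MAC covers MAC_structure, which holds no CBOR tag."""
    to_mac = encode(["MAC0", prot, b"", payload])
    return [prot, {}, payload, hmac.new(key, to_mac, hashlib.sha256).digest()]


def unwrap(data, key, max_depth=4):
    """Verify each COSE_Mac0 layer; recurse while the payload starts with a COSE tag."""
    layers, item = [], decode(data)[0]
    for _ in range(max_depth + 1):
        cose_tag = None
        while isinstance(item, Tagged):            # peel CWT / COSE tags
            if item.tag not in COSE_TAGS and item.tag != CWT_TAG:
                raise ValueError("unexpected tag %d" % item.tag)
            cose_tag = item.tag if item.tag in COSE_TAGS else cose_tag
            item = item.value
        if cose_tag is None and layers:            # inner item without a COSE tag
            if not isinstance(item, dict):
                raise ValueError("untagged inner layer: cannot unwrap unaided")
            return item, layers
        if cose_tag not in (None, 17) or not isinstance(item, list) or len(item) != 4:
            raise ValueError("only COSE_Mac0 is handled in this example")
        prot, _unprotected, payload, tag = item
        if not hmac.compare_digest(tag, mac0(key, payload, prot)[3]):
            raise ValueError("MAC check failed")
        layers.append(COSE_TAGS[17])
        item = decode(payload)[0]
    raise ValueError("nesting too deep")


def build_samples():
    """Constructed samples: (untagged, tagged, nested, blind) for the same claims."""
    inner = mac0(KEY, encode(CLAIMS))
    tagged = encode(Tagged(CWT_TAG, Tagged(17, inner)))   # tags prefixed, MAC untouched
    return encode(inner), tagged, encode(mac0(KEY, tagged)), encode(mac0(KEY, encode(inner)))
```

`unwrap` accepts `untagged`, `tagged` and `nested` with the same key, while `blind` is rejected because its inner layer carries no COSE tag, which is the multi-layer case the reply above says a library cannot unwrap on its own.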


------=_NextPart_000_009E_01D2CD87.E13B3AC0
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
/* Font Definitions */
@font-face
	{font-family:"Cambria Math";
	panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
	{font-family:Consolas;
	panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
pre
	{mso-style-priority:99;
	mso-style-link:"HTML Preformatted Char";
	margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
span.HTMLPreformattedChar
	{mso-style-name:"HTML Preformatted Char";
	mso-style-priority:99;
	mso-style-link:"HTML Preformatted";
	font-family:Consolas;}
p.msonormal0, li.msonormal0, div.msonormal0
	{mso-style-name:msonormal;
	mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	font-size:12.0pt;
	font-family:"Times New Roman",serif;}
span.m-6130828547628588374gmail-
	{mso-style-name:m_-6130828547628588374gmail-;}
span.m-6130828547628588374gmail-hoenzb
	{mso-style-name:m_-6130828547628588374gmail-hoenzb;}
span.m-6130828547628588374gmail-m3297967064776043977gmail-hoenzb
	=
{mso-style-name:m_-6130828547628588374gmail-m_3297967064776043977gmail-ho=
enzb;}
span.EmailStyle23
	{mso-style-type:personal;
	font-family:"Calibri",sans-serif;
	color:#002060;}
span.EmailStyle25
	{mso-style-type:personal-reply;
	font-family:"Calibri",sans-serif;
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-size:10.0pt;}
@page WordSection1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
	{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>It is =
correct that the tag can be added and subtracted at will w/o changing =
anything.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></p><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span><=
/b><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'> =
Mike Jones [mailto:Michael.Jones@microsoft.com] <br><b>Sent:</b> Monday, =
May 15, 2017 2:17 PM<br><b>To:</b> Samuel Erdtman =
&lt;samuel@erdtman.se&gt;; Jim Schaad =
&lt;ietf@augustcellars.com&gt;<br><b>Cc:</b> ace =
&lt;Ace@ietf.org&gt;<br><b>Subject:</b> RE: [Ace] WGLC on =
draft-ietf-ace-cbor-web-token<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>I agree that for nested CWTs, it=E2=80=99s OK to mandate that the =
appropriate tags be prefixed to the inner CWT, if that=E2=80=99s the =
mechanism we decide to use to encode and detect nested JWTs.&nbsp; That =
would then raise the question though, of whether we also would continue =
to mandate the use of the CWT content-type or whether we would drop =
this.&nbsp; I think it=E2=80=99s better that we specify one mechanism =
for detecting nested CWTs, rather than having =
two.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>Before we decide this, I=E2=80=99d like to confirm an assumption about =
COSE operations and COSE CBOR tags.&nbsp; I believe that the COSE crypto =
operations *<b>do not</b>* cover the CBOR COSE tag, such as the =
COSE_Sign tag for signed objects.&nbsp; If this is the case, it means =
that a COSE object without tags can have the appropriate tag prefixed to =
it without changing the crypto (and that similarly, a CWT tag could also =
be added without changing the crypto).&nbsp; Is this correct?&nbsp; If =
so, then using CBOR tags would be fine for the inner CWT in a nested =
CWT, since you could create the inner CWT without any tags and then =
later decide to put it in a nested CWT without re-signing, etc.&nbsp; If =
this is the case, I=E2=80=99d be OK with always prefixing the inner CWT =
in a nested CWT with CWT and COSE CBOR tags.&nbsp; Whereas if adding the =
tags requires redoing the crypto, I=E2=80=99d rather stay with the =
current approach.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; -- Mike<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span><=
/b><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'> =
Samuel Erdtman [<a =
href=3D"mailto:samuel@erdtman.se">mailto:samuel@erdtman.se</a>] =
<br><b>Sent:</b> Monday, May 15, 2017 2:23 AM<br><b>To:</b> Jim Schaad =
&lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;; =
Mike Jones &lt;<a =
href=3D"mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</=
a>&gt;<br><b>Cc:</b> ace &lt;<a =
href=3D"mailto:Ace@ietf.org">Ace@ietf.org</a>&gt;<br><b>Subject:</b> Re: =
[Ace] WGLC on draft-ietf-ace-cbor-web-token<o:p></o:p></span></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'>Thanks for clarifications Jim, see my =
comments inline.<o:p></o:p></p></div><p class=3DMsoNormal>Mike, there is =
a question for you inlined too.<o:p></o:p></p><div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><p class=3DMsoNormal>On Sun, =
May 14, 2017 at 10:12 PM, Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" =
target=3D"_blank">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></p><blockquote style=3D'border:none;border-left:solid =
#CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt'><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>&nbsp;</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b>=
 Samuel Erdtman [mailto:<a href=3D"mailto:samuel@erdtman.se" =
target=3D"_blank">samuel@erdtman.se</a>] <br><b>Sent:</b> Sunday, May =
14, 2017 3:40 AM<br><b>To:</b> Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" =
target=3D"_blank">ietf@augustcellars.com</a>&gt;<br><b>Cc:</b> ace =
&lt;<a href=3D"mailto:Ace@ietf.org" =
target=3D"_blank">Ace@ietf.org</a>&gt;<br><b>Subject:</b> Re: [Ace] WGLC =
on draft-ietf-ace-cbor-web-token<o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><div><div><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;margin-bottom:12.0pt'>Hi =
Jim,<o:p></o:p></p></div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks for =
your review and comments, see some initial replies =
inline.<o:p></o:p></p></div></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><div><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Sat, Apr =
22, 2017 at 8:47 PM, Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" =
target=3D"_blank">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></p><blockquote style=3D'border:none;border-left:solid =
windowtext 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Not ready =
to ship.<br><br><br>* I find the text for NumericDate confusing and =
would suggest this is a<br>cleaner wording.<br><br>The =
&quot;NumericDate&quot; term has the same meaning, syntax =
and<br>Processing rules as the &quot;NumericDate&quot; term defined in =
Section 2 of<br>JWT [RFC7519], except that the CBOR numeric =
representation<br>(Section 2.4.1 of [RC7049]) is used.&nbsp; The =
encoding is modified so that<br>the leading tag (6.1 or 0xC1) MUST be =
omitted.<br><br>&lt;Note above text kills the direct need for section =
5.&gt;<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Could make =
sense, I created an issue in the issue tracker to look at =
this.<o:p></o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><blockquote style=3D'border:none;border-left:solid =
windowtext 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* What =
is a &quot;CWT NumericDate&quot; ?&nbsp; Why is this not just a =
&quot;NumericDate&quot;?&nbsp; You<br>should be consistent on how you =
are using this and the &quot;StringOrURI&quot; type<br>identifier.&nbsp; =
Either use the CWT prefix or don't.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>Makes =
sense to me, created an issue in the issue tracker to address =
this.<br>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid windowtext 1.0pt;padding:0in 0in =
0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* =
s/except that a CWT StringOrURI/except that for a CWT, =
StringOrURI/<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>&nbsp;Makes =
sense to me, created an issue in the issue tracker to address =
this.<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid windowtext 1.0pt;padding:0in 0in =
0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* The =
algorithm for doing nesting detection is a gross abuse of the =
content<br>type parameter and can be far more easily done based on the =
already present<br>tagging of the COSE =
object.<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div></div></div><div><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Could you =
please explain a bit more, we are using the COSE tags but have made =
<br>them optional if the application for example only uses one thyme =
then it would <br>always know what to do and would not need to parse the =
tag saving a byte.<o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div></div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>[JLS] The concept is pretty easy to =
explain.</span><o:p></o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>&nbsp;</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>If you are in a situation where the full =
description of the CWT =E2=80=93 including nesting layering =E2=80=93 is =
known from a profile, then there would be no need to have any COSE tags =
present on any layer of the CWT message.&nbsp; I would however highly =
discourage using this situation for anything but a single layer CWT such =
as one that is based on the COSE_Encrypt0 message without any inner =
layering.&nbsp; Doing otherwise is going to mean that libraries would be =
unable to automatically unwrap all of the layers on their own, but would =
need guidance on each layer as it was processed.</span><o:p></o:p></p><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>&nbsp;</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>In the current document in step 5 of section =
7.2, there is an assumption that a COSE tag is going to exist in order =
to distinguish between the different types of COSE messages =E2=80=93 I =
would not that these tags are not explicitly called for in section 7.1 =
=E2=80=93 so the algorithm that I am going to suggest means that they =
are supposed to be present not implicit in any =
event.</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>In section 7.2 in step 7 the algorithm =
becomes:</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>If the payload starts with one the of COSE =
identification tags, then the message is recursive =E2=80=93 go to step =
1, wash rinse and =
repeat.</span><o:p></o:p></p></div></div></div></div></div></div></blockq=
uote><div><p class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>I think I see your point. In the case of nested CWTs =
you would like to mandate the inner layer to have a COSE tag indicating =
the message type. But in cases where e.g. transport is done over CoAP =
you don=C2=B4t feel it is as important.<o:p></o:p></p></div><div><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'>I personally would like =
to go all the way and mandate the COSE tag for all CWT messages nested =
or not but that would add some extra bytes i.e. not good in all =
cases.<o:p></o:p></p></div><div><p class=3DMsoNormal>Maybe a compromise =
and mandate it for inner object in nested =
CWTs.<o:p></o:p></p></div><div><p class=3DMsoNormal>@Mike would you like =
to comment to before we decide on a path =
forward.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><br><br>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt'><div><div><div><div><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><blockquote style=3D'border:none;border-left:solid =
windowtext 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* Break =
section 8 into multiple paragraphs that deal with different types =
of<br>issues.<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>Might =
be reasonable I have created an issue in the issue tracker so that the =
<br>comment is not lost.<br>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid windowtext 1.0pt;padding:0in 0in =
0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* In =
section 8, the first sentence implies to me that you believe that =
COSE<br>is more of a problem that breaking of cryptographic algorithms, =
trust of<br>certificates/keys.&nbsp; Not sure what needs to be done, but =
better clarity may<br>be a good idea.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Added this =
to the previously mentioned issue to address this to since it is in the =
same section <o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid windowtext 1.0pt;padding:0in 0in =
0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* I =
have not done any validation of the examples.&nbsp; &nbsp;You might want =
to have<br>an example which uses the real for one of the time =
types.<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Sorry, but =
I don=C2=B4t get it could you add some more context.<o:p></o:p></p><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><pre><span =
style=3D'font-family:"Calibri",sans-serif;color:#0070C0'>[JLS] Use the =
value of =E2=80=9C</span><span =
style=3D'color:#0070C0'>1444064944.5=E2=80=9D for one of the time =
values.&nbsp; Although I doubt that less than second resolution is =
needed in almost any case, having an example where it is given is still =
a good =
idea.</span><o:p></o:p></pre></div></div></div></div></div></div></blockq=
uote><div><p class=3DMsoNormal>Makes sense, as you say it might not be a =
core case but there should be at least one example of it if we support =
it. I have created a ticket to address it.<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt'><div><div><div><div><div><div><pre><span =
style=3D'color:#0070C0'>&nbsp;</span><span =
style=3D'color:#888888'><o:p></o:p></span></pre><pre><span =
style=3D'color:#0070C0'>Jim</span><span =
style=3D'color:#888888'><o:p></o:p></span></pre><pre><span =
style=3D'color:#888888'>&nbsp;<o:p></o:p></span></pre><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#888888'>&nbsp;<o:p></o:p></span></p></div><div><div><div>=
<p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><blockquote style=3D'border:none;border-left:solid =
windowtext 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#888888'><br><span =
class=3Dm-6130828547628588374gmail-m3297967064776043977gmail-hoenzb>Jim</=
span></span><o:p></o:p></p><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><br>----=
-Original Message-----<br>From: Ace [mailto:<a =
href=3D"mailto:ace-bounces@ietf.org" =
target=3D"_blank">ace-bounces@ietf.org</a>] On Behalf Of Kepeng =
Li<br>Sent: Thursday, April 20, 2017 2:53 PM<br>To: <a =
href=3D"mailto:ace@ietf.org" target=3D"_blank">ace@ietf.org</a><br>Cc: =
Hannes Tschofenig &lt;<a href=3D"mailto:hannes.tschofenig@gmx.net" =
target=3D"_blank">hannes.tschofenig@gmx.net</a>&gt;<br>Subject: [Ace] =
[ace] WGLC on draft-ietf-ace-cbor-web-token<br><br>In Chicago, it was =
decided that we were going to WGLC the ACE CBOR Web =
Token<br>draft.<br><br>So this starts a working group last call for =
draft-ietf-ace-cbor-web-token<br>for submission as a Standards Track =
RFC, ending on 24:00 PDT on Tuesday, May<br>2, 2017.<br><br>The =
specification is available at:<br><a =
href=3D"https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04" =
target=3D"_blank">https://tools.ietf.org/html/draft-ietf-ace-cbor-web-tok=
en-04</a><br><br>An HTML-formatted version is also available at:<br><a =
href=3D"http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.htm=
l" =
target=3D"_blank">http://self-issued.info/docs/draft-ietf-ace-cbor-web-to=
ken-04.html</a><br><br>Thanks,<br><br><br>Kind Regards<br>Kepeng &amp; =
Hannes<br><br><br>_______________________________________________<br>Ace =
mailing list<br><a href=3D"mailto:Ace@ietf.org" =
target=3D"_blank">Ace@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/ace" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/ace</a><br><br>__=
_____________________________________________<br>Ace mailing list<br><a =
href=3D"mailto:Ace@ietf.org" target=3D"_blank">Ace@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/ace" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/ace</a><o:p></o:p=
></p></div></div></blockquote></div></div></div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div></div></div></div></blockquote></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div></div></div></div></body></h=
tml>
------=_NextPart_000_009E_01D2CD87.E13B3AC0--
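
An added example, not part of any message in this thread and not code from the draft or its authors: a COSE_Mac0-protected CWT built with a minimal CBOR codec, showing that prefixing the CWT and COSE_Mac0 tags leaves the MAC valid and that the tag is what lets a verifier recognise a nested CWT. Assumptions: tag 61 for CWT and claim key 6 for iat (the values later registered in RFC 8392), HMAC 256/256 (alg 5), one shared key for both layers, and constructed sample values apart from the 1444064944.5 timestamp quoted in the thread.

```python
import collections
import hashlib
import hmac
import struct

CWT_TAG, MAC0_TAG = 61, 17  # 61: CWT tag per RFC 8392 (assumed here); 17: COSE_Mac0
Tagged = collections.namedtuple("Tagged", "tag value")  # a CBOR tag around one item


def _head(major, n):  # initial byte plus shortest-form argument
    if n < 24:
        return bytes([major << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def encode(obj):
    """Encode the CBOR subset used here: int, float64, bstr, tstr, array, map, tag."""
    if isinstance(obj, Tagged):
        return _head(6, obj.tag) + encode(obj.value)
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, float):
        return b"\xfb" + struct.pack(">d", obj)  # plain float64, no date tag 1 in front
    if isinstance(obj, (bytes, str)):
        raw = obj if isinstance(obj, bytes) else obj.encode()
        return _head(2 if isinstance(obj, bytes) else 3, len(raw)) + raw
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(map(encode, obj))
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(encode(k) + encode(v) for k, v in obj.items())
    raise TypeError(type(obj).__name__)


def decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated")
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    if ai >= 28 or (major == 7 and ai != 27):
        raise ValueError("unsupported CBOR item")
    size = 0 if ai < 24 else 1 << (ai - 24)
    arg, pos = buf[pos + 1:pos + 1 + size], pos + 1 + size
    n = ai if ai < 24 else int.from_bytes(arg, "big")
    if len(arg) != size or (major in (2, 3) and pos + n > len(buf)):
        raise ValueError("truncated")
    if major == 7:
        return struct.unpack(">d", arg)[0], pos
    if major in (0, 1):
        return (n if major == 0 else -1 - n), pos
    if major in (2, 3):
        raw = bytes(buf[pos:pos + n])
        return (raw if major == 2 else raw.decode()), pos + n
    if major == 6:
        value, pos = decode(buf, pos)
        return Tagged(n, value), pos
    items = []
    for _ in range(n * (2 if major == 5 else 1)):
        value, pos = decode(buf, pos)
        items.append(value)
    return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos


def mac0(key, payload):
    """Build an untagged COSE_Mac0 array; the MAC covers MAC_structure, never a tag."""
    protected = encode({1: 5})
    to_mac = encode(["MAC0", protected, b"", payload])
    return [protected, {}, payload, hmac.new(key, to_mac, hashlib.sha256).digest()]


def open_cwt(key, buf, depth=0):
    """Verify a possibly nested COSE_Mac0 CWT; return (claims, nesting depth)."""
    item, end = decode(buf)
    tags = set()
    while isinstance(item, Tagged):
        tags, item = tags | {item.tag}, item.value
    if end != len(buf) or depth > 4 or tags - {CWT_TAG, MAC0_TAG}:
        raise ValueError("trailing data, nesting too deep, or unsupported tag")
    if depth > 0 and MAC0_TAG not in tags:
        raise ValueError("nested CWT must carry its COSE tag")
    if not (isinstance(item, list) and len(item) == 4 and all(isinstance(item[i], bytes) for i in (0, 2, 3))):
        raise ValueError("not a COSE_Mac0 array")
    protected, _, payload, mac = item
    if protected != encode({1: 5}) or not hmac.compare_digest(mac, mac0(key, payload)[3]):
        raise ValueError("MAC or algorithm check failed")
    inner, _ = decode(payload)
    if isinstance(inner, Tagged):  # tagged payload: a nested CWT, go round again
        return open_cwt(key, payload, depth + 1)
    if not isinstance(inner, dict):
        raise ValueError("payload is neither a claims map nor a tagged CWT")
    return inner, depth


if __name__ == "__main__":
    key = b"constructed demo key"  # constructed sample key and claims
    inner = Tagged(CWT_TAG, Tagged(MAC0_TAG, mac0(key, encode({6: 1444064944.5}))))
    print(open_cwt(key, encode(mac0(key, encode(inner)))))
```

An untagged COSE array placed directly in an outer payload is rejected, because without the tag the verifier cannot tell it apart from other CBOR content.
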


From nobody Mon May 15 14:47:21 2017
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Samuel Erdtman' <samuel@erdtman.se>
CC: 'ace' <Ace@ietf.org>
Thread-Topic: [Ace] WGLC on draft-ietf-ace-cbor-web-token
Thread-Index: AdK7gKnlztOgBho8S4qIHrw1QvtzugRHcl8AABP6FAAAG57nAAAX+ArwAAF1FgAAAGvQkA==
Date: Mon, 15 May 2017 21:43:57 +0000
Message-ID: <CY4PR21MB05046964C07A2B5745651C3EF5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com> <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com>
In-Reply-To: <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/z68Zm7pNWBGjU2rc-u95qztuzWc>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token


From nobody Mon May 15 15:19:58 2017
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, 'Samuel Erdtman' <samuel@erdtman.se>
CC: 'ace' <Ace@ietf.org>
Thread-Topic: [Ace] WGLC on draft-ietf-ace-cbor-web-token
Thread-Index: AdK7gKnlztOgBho8S4qIHrw1QvtzugRHcl8AABP6FAAAG57nAAAX+ArwAAF1FgAAAGvQkAABDzlg
Date: Mon, 15 May 2017 22:16:57 +0000
Message-ID: <CY4PR21MB05045E9E335BF1349AE52D40F5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com> <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com> <CY4PR21MB05046964C07A2B5745651C3EF5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB05046964C07A2B5745651C3EF5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/CDd8z05mt_cNZ_qm3akwWkrcOAw>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token


From nobody Tue May 16 09:37:24 2017
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00B3_01D2CD98.BAFB9A60"
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, 'Samuel Erdtman' <samuel@erdtman.se>
CC: 'ace' <Ace@ietf.org>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com> <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com> <CY4PR21MB05046964C07A2B5745651C3EF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB05045E9E335BF1349AE52D40F5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB05045E9E335BF1349AE52D40F5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
Date: Mon, 15 May 2017 16:31:37 -0700
Message-ID: <00b201d2cdd3$6757b340$360719c0$@augustcellars.com>
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/YTNLhr38t48TADtNuJLFmWTy_9Q>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

------=_NextPart_000_00B3_01D2CD98.BAFB9A60
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Actually, I think both of those were Carsten not me

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Monday, May 15, 2017 3:17 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Samuel Erdtman' <samuel@erdtman.se>
Cc: 'ace' <Ace@ietf.org>
Subject: RE: [Ace] WGLC on draft-ietf-ace-cbor-web-token

I’ve gone through all the review feedback and agree with most of it.  There’s only two of the comments that I have issues with.

I disagree with the suggestion (tracked in https://github.com/erwah/ietf/issues/37) about claims that must be understood.  We shouldn’t force implementations to understand claims not used by their application.  See my comment in the issue.

I agree with the suggestion (tracked in https://github.com/erwah/ietf/issues/38) that we allow string-valued labels, but disagree that they should be restricted to non-production use.  Rather, per my comment in https://github.com/erwah/ietf/issues/40, I think we should use the same rules for allocating labels as COSE did.  That approach has already been widely reviewed and I believe is perfectly viable.  Note that this will also address the comment about the 1-65536 label range.

Thanks for your detailed review, as always, Jim.

                                                                -- Mike

From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Monday, May 15, 2017 2:44 PM
To: Jim Schaad <ietf@augustcellars.com>; 'Samuel Erdtman' <samuel@erdtman.se>
Cc: 'ace' <Ace@ietf.org>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

Thanks for confirming this, Jim.  Since that’s the case, I’m fine with us going with requiring tags for the inner nested CWTs and dropping the use of the CWT content-type for this purpose.

                                                                -- Mike

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Monday, May 15, 2017 2:31 PM
To: Mike Jones <Michael.Jones@microsoft.com>; 'Samuel Erdtman' <samuel@erdtman.se>
Cc: 'ace' <Ace@ietf.org>
Subject: RE: [Ace] WGLC on draft-ietf-ace-cbor-web-token

It is correct that the tag can be added and subtracted at will w/o changing anything.

From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Monday, May 15, 2017 2:17 PM
To: Samuel Erdtman <samuel@erdtman.se>; Jim Schaad <ietf@augustcellars.com>
Cc: ace <Ace@ietf.org>
Subject: RE: [Ace] WGLC on draft-ietf-ace-cbor-web-token

I agree that for nested CWTs, it’s OK to mandate that the appropriate tags be prefixed to the inner CWT, if that’s the mechanism we decide to use to encode and detect nested JWTs.  That would then raise the question though, of whether we also would continue to mandate the use of the CWT content-type or whether we would drop this.  I think it’s better that we specify one mechanism for detecting nested CWTs, rather than having two.

Before we decide this, I’d like to confirm an assumption about COSE operations and COSE CBOR tags.  I believe that the COSE crypto operations *do not* cover the CBOR COSE tag, such as the COSE_Sign tag for signed objects.  If this is the case, it means that a COSE object without tags can have the appropriate tag prefixed to it without changing the crypto (and that similarly, a CWT tag could also be added without changing the crypto).  Is this correct?  If so, then using CBOR tags would be fine for the inner CWT in a nested CWT, since you could create the inner CWT without any tags and then later decide to put it in a nested CWT without re-signing, etc.  If this is the case, I’d be OK with always prefixing the inner CWT in a nested CWT with CWT and COSE CBOR tags.  Whereas if adding the tags requires redoing the crypto, I’d rather stay with the current approach.

                                                                -- Mike

From: Samuel Erdtman [mailto:samuel@erdtman.se]=20
Sent: Monday, May 15, 2017 2:23 AM
To: Jim Schaad <ietf@augustcellars.com>; Mike Jones <Michael.Jones@microsoft.com>
Cc: ace <Ace@ietf.org>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

Thanks for clarifications Jim, see my comments inline.

Mike, there is a question for you inlined too.

On Sun, May 14, 2017 at 10:12 PM, Jim Schaad <ietf@augustcellars.com> wrote:

From: Samuel Erdtman [mailto:samuel@erdtman.se]
Sent: Sunday, May 14, 2017 3:40 AM
To: Jim Schaad <ietf@augustcellars.com>
Cc: ace <Ace@ietf.org>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

Hi Jim,

Thanks for your review and comments, see some initial replies inline.

On Sat, Apr 22, 2017 at 8:47 PM, Jim Schaad <ietf@augustcellars.com> wrote:

Not ready to ship.


* I find the text for NumericDate confusing and would suggest this is a
cleaner wording.

The "NumericDate" term has the same meaning, syntax and
processing rules as the "NumericDate" term defined in Section 2 of
JWT [RFC7519], except that the CBOR numeric representation
(Section 2.4.1 of [RFC7049]) is used.  The encoding is modified so that
the leading tag (6.1 or 0xC1) MUST be omitted.

<Note above text kills the direct need for section 5.>

Could make sense, I created an issue in the issue tracker to look at
this.

* What is a "CWT NumericDate" ?  Why is this not just a "NumericDate"?  You
should be consistent on how you are using this and the "StringOrURI" type
identifier.  Either use the CWT prefix or don't.

Makes sense to me, created an issue in the issue tracker to address
this.

* s/except that a CWT StringOrURI/except that for a CWT, StringOrURI/

Makes sense to me, created an issue in the issue tracker to address
this.

* The algorithm for doing nesting detection is a gross abuse of the content
type parameter and can be far more easily done based on the already present
tagging of the COSE object.

Could you please explain a bit more, we are using the COSE tags but have
made them optional if the application for example only uses one type
then it would always know what to do and would not need to parse the tag
saving a byte.

[JLS] The concept is pretty easy to explain.

If you are in a situation where the full description of the CWT –
including nesting layering – is known from a profile, then there would
be no need to have any COSE tags present on any layer of the CWT
message.  I would however highly discourage using this situation for
anything but a single layer CWT such as one that is based on the
COSE_Encrypt0 message without any inner layering.  Doing otherwise is
going to mean that libraries would be unable to automatically unwrap all
of the layers on their own, but would need guidance on each layer as it
was processed.

In the current document in step 5 of section 7.2, there is an assumption
that a COSE tag is going to exist in order to distinguish between the
different types of COSE messages – I would note that these tags are not
explicitly called for in section 7.1 – so the algorithm that I am going
to suggest means that they are supposed to be present not implicit in
any event.

In section 7.2 in step 7 the algorithm becomes:

If the payload starts with one of the COSE identification tags, then the
message is recursive – go to step 1, wash rinse and repeat.

I think I see your point. In the case of nested CWTs you would like to
mandate the inner layer to have a COSE tag indicating the message type.
But in cases where e.g. transport is done over CoAP you don't feel it is
as important.

I personally would like to go all the way and mandate the COSE tag for
all CWT messages nested or not but that would add some extra bytes i.e.
not good in all cases.

Maybe a compromise and mandate it for inner object in nested CWTs.

@Mike would you like to comment to before we decide on a path forward.


* Break section 8 into multiple paragraphs that deal with different types of
issues.

Might be reasonable I have created an issue in the issue tracker so that
the comment is not lost.

* In section 8, the first sentence implies to me that you believe that COSE
is more of a problem than breaking of cryptographic algorithms, trust of
certificates/keys.  Not sure what needs to be done, but better clarity may
be a good idea.

Added this to the previously mentioned issue to address this too since it
is in the same section

* I have not done any validation of the examples.   You might want to have
an example which uses the real for one of the time types.

Sorry, but I don't get it could you add some more context.

[JLS] Use the value of “1444064944.5” for one of the time values.
Although I doubt that less than second resolution is needed in almost
any case, having an example where it is given is still a good idea.

Makes sense, as you say it might not be a core case but there should be
at least one example of it if we support it. I have created a ticket to
address it.

Jim


Jim



-----Original Message-----
From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Kepeng Li
Sent: Thursday, April 20, 2017 2:53 PM
To: ace@ietf.org
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Subject: [Ace] [ace] WGLC on draft-ietf-ace-cbor-web-token

In Chicago, it was decided that we were going to WGLC the ACE CBOR Web Token
draft.

So this starts a working group last call for draft-ietf-ace-cbor-web-token
for submission as a Standards Track RFC, ending on 24:00 PDT on Tuesday, May
2, 2017.

The specification is available at:
https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04

An HTML-formatted version is also available at:
http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.html

Thanks,


Kind Regards
Kepeng & Hannes


_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
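
Added example, not part of the thread and not code from the draft or from any COSE library: the point Mike asks about and Jim confirms, shown with COSE_Mac0 and HMAC-SHA-256, where the MAC input is the MAC_structure and never the CBOR tag, together with the tag-based nesting check Jim proposes for step 7. Tag numbers and the MAC_structure layout follow RFC 8152; the key, the claim values, the helper names and the choice to treat an untagged outermost message as COSE_Mac0 are assumptions.

```python
import hashlib
import hmac
from collections import namedtuple

# COSE message tags (RFC 8152); only COSE_Mac0 (tag 17) is implemented here.
COSE_TAGS = {16: "COSE_Encrypt0", 17: "COSE_Mac0", 18: "COSE_Sign1",
             96: "COSE_Encrypt", 97: "COSE_Mac", 98: "COSE_Sign"}
Tagged = namedtuple("Tagged", "tag value")   # CBOR major type 6 wrapper
KEY = b"k" * 32                              # constructed sample key
CLAIMS = {1: "coap://as.example.com", 4: 1444064944}  # constructed iss, exp


def head(major, n):
    """CBOR initial byte plus argument for a major type and value n."""
    if n < 24:
        return bytes([major << 5 | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def enc(x):
    """Minimal CBOR encoder: ints, bytes, text, lists, maps, tags."""
    if isinstance(x, Tagged):
        return head(6, x.tag) + enc(x.value)
    if isinstance(x, int):
        return head(0, x) if x >= 0 else head(1, -1 - x)
    if isinstance(x, bytes):
        return head(2, len(x)) + x
    if isinstance(x, str):
        return head(3, len(x.encode())) + x.encode()
    if isinstance(x, list):
        return head(4, len(x)) + b"".join(enc(i) for i in x)
    if isinstance(x, dict):
        return head(5, len(x)) + b"".join(enc(k) + enc(v) for k, v in x.items())
    raise TypeError(type(x))


def dec(buf, pos=0):
    """Minimal CBOR decoder for the same subset; returns (item, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated input")
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    size = {24: 1, 25: 2, 26: 4, 27: 8}.get(ai, 0)
    if ai > 27 or pos + 1 + size > len(buf):
        raise ValueError("unsupported or truncated item")
    n = int.from_bytes(buf[pos + 1:pos + 1 + size], "big") if size else ai
    pos += 1 + size
    if major in (0, 1):
        return (n if major == 0 else -1 - n), pos
    if major in (2, 3):
        if pos + n > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + n])
        return (raw if major == 2 else raw.decode()), pos + n
    if major in (4, 5):
        items = []
        for _ in range(n if major == 4 else 2 * n):
            item, pos = dec(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    if major == 6:
        value, pos = dec(buf, pos)
        return Tagged(n, value), pos
    raise ValueError("major type 7 not supported")


def mac_tag(key, protected, payload):
    """HMAC-SHA-256 over MAC_structure; the CBOR tag is not an input."""
    to_mac = enc(["MAC0", protected, b"", payload])   # external_aad is empty
    return hmac.new(key, to_mac, hashlib.sha256).digest()


def mac0(key, payload, tagged=False):
    """Build a COSE_Mac0 (alg 5, HMAC 256/256), optionally prefixed by tag 17."""
    protected = enc({1: 5})
    msg = [protected, {}, payload, mac_tag(key, protected, payload)]
    return enc(Tagged(17, msg) if tagged else msg)


def unwrap(msg, key, max_layers=4):
    """Verify and peel COSE_Mac0 layers; returns (claims, layers_verified)."""
    item, layers = dec(msg)[0], 0
    while layers <= max_layers:
        if isinstance(item, Tagged) and item.tag in COSE_TAGS:
            if item.tag != 17:
                raise NotImplementedError(COSE_TAGS[item.tag])
            item = item.value
        elif layers:                       # untagged payload: not a nested CWT
            return item, layers
        if not (isinstance(item, list) and len(item) == 4):
            raise ValueError("not a COSE_Mac0 array")
        protected, _unprotected, payload, tag = item
        if dec(protected)[0] != {1: 5} or not hmac.compare_digest(
                tag, mac_tag(key, protected, payload)):
            raise ValueError("algorithm or MAC check failed")
        item, layers = dec(payload)[0], layers + 1
    raise ValueError("too many nested layers")
```

An inner CWT embedded without its tag still verifies at the outer layer, but `unwrap` stops there and hands back the inner COSE array unverified, which is the "libraries would be unable to automatically unwrap" case Jim describes.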


------=_NextPart_000_00B3_01D2CD98.BAFB9A60
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><meta =
http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8"><meta =
name=3DGenerator content=3D"Microsoft Word 15 (filtered =
medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US link=3Dblue =
vlink=3Dpurple><div class=3DWordSection1><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>Actually, I =
think both of those were Carsten not me<o:p></o:p></span></p><p =
class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></p><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span><=
/b><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'> =
Mike Jones [mailto:Michael.Jones@microsoft.com] <br><b>Sent:</b> Monday, =
May 15, 2017 3:17 PM<br><b>To:</b> Jim Schaad =
&lt;ietf@augustcellars.com&gt;; 'Samuel Erdtman' =
&lt;samuel@erdtman.se&gt;<br><b>Cc:</b> 'ace' =
&lt;Ace@ietf.org&gt;<br><b>Subject:</b> RE: [Ace] WGLC on =
draft-ietf-ace-cbor-web-token<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>I=E2=80=99ve gone through all the review feedback and agree with most =
of it.&nbsp; There=E2=80=99s only two of the comments that I have issues =
with.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>I disagree with the suggestion (tracked in <a =
href=3D"https://github.com/erwah/ietf/issues/37">https://github.com/erwah=
/ietf/issues/37</a>) about claims that must be understood.&nbsp; We =
shouldn=E2=80=99t force implementations to understand claims not used by =
their application.&nbsp; See my comment in the =
issue.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>I agree with the suggestion (tracked in <a =
href=3D"https://github.com/erwah/ietf/issues/38">https://github.com/erwah=
/ietf/issues/38</a>) that we allow string-valued labels, but disagree =
that they should be restricted to non-production use.&nbsp; Rather, per =
my comment in <a =
href=3D"https://github.com/erwah/ietf/issues/40">https://github.com/erwah=
/ietf/issues/40</a>, I think we should use the same rules for allocating =
labels as COSE did.&nbsp; That approach has already been widely reviewed =
and I believe is perfectly viable.&nbsp; Note that this will also =
address the comment about the 1-65536 label =
range.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>Thanks for your detailed review, as always, =
Jim.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; -- Mike<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><div><div =
style=3D'border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span><=
/b><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'> =
Ace [<a =
href=3D"mailto:ace-bounces@ietf.org">mailto:ace-bounces@ietf.org</a>] =
<b>On Behalf Of </b>Mike Jones<br><b>Sent:</b> Monday, May 15, 2017 2:44 =
PM<br><b>To:</b> Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;; =
'Samuel Erdtman' &lt;<a =
href=3D"mailto:samuel@erdtman.se">samuel@erdtman.se</a>&gt;<br><b>Cc:</b>=
 'ace' &lt;<a =
href=3D"mailto:Ace@ietf.org">Ace@ietf.org</a>&gt;<br><b>Subject:</b> Re: =
[Ace] WGLC on =
draft-ietf-ace-cbor-web-token<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>Thanks for confirming this, Jim.&nbsp; Since that=E2=80=99s the case, =
I=E2=80=99m fine with us going with requiring tags for the inner nested =
CWTs and dropping the use of the CWT content-type for this =
purpose.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; -- Mike<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><div><div =
style=3D'border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in =
0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span><=
/b><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'> =
Jim Schaad [<a =
href=3D"mailto:ietf@augustcellars.com">mailto:ietf@augustcellars.com</a>]=
 <br><b>Sent:</b> Monday, May 15, 2017 2:31 PM<br><b>To:</b> Mike Jones =
&lt;<a =
href=3D"mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</=
a>&gt;; 'Samuel Erdtman' &lt;<a =
href=3D"mailto:samuel@erdtman.se">samuel@erdtman.se</a>&gt;<br><b>Cc:</b>=
 'ace' &lt;<a =
href=3D"mailto:Ace@ietf.org">Ace@ietf.org</a>&gt;<br><b>Subject:</b> RE: =
[Ace] WGLC on =
draft-ietf-ace-cbor-web-token<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>It is =
correct that the tag can be added and subtracted at will w/o changing =
anything.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'><o:p>&nbsp;</=
o:p></span></p><div><div style=3D'border:none;border-top:solid #E1E1E1 =
1.0pt;padding:3.0pt 0in 0in 0in'><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span><=
/b><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'> =
Mike Jones [<a =
href=3D"mailto:Michael.Jones@microsoft.com">mailto:Michael.Jones@microsof=
t.com</a>] <br><b>Sent:</b> Monday, May 15, 2017 2:17 PM<br><b>To:</b> =
Samuel Erdtman &lt;<a =
href=3D"mailto:samuel@erdtman.se">samuel@erdtman.se</a>&gt;; Jim Schaad =
&lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;<br>=
<b>Cc:</b> ace &lt;<a =
href=3D"mailto:Ace@ietf.org">Ace@ietf.org</a>&gt;<br><b>Subject:</b> RE: =
[Ace] WGLC on =
draft-ietf-ace-cbor-web-token<o:p></o:p></span></p></div></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>I agree that for nested CWTs, it=E2=80=99s OK to mandate that the =
appropriate tags be prefixed to the inner CWT, if that=E2=80=99s the =
mechanism we decide to use to encode and detect nested JWTs.&nbsp; That =
would then raise the question though, of whether we also would continue =
to mandate the use of the CWT content-type or whether we would drop =
this.&nbsp; I think it=E2=80=99s better that we specify one mechanism =
for detecting nested CWTs, rather than having =
two.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>Before we decide this, I=E2=80=99d like to confirm an assumption about =
COSE operations and COSE CBOR tags.&nbsp; I believe that the COSE crypto =
operations *<b>do not</b>* cover the CBOR COSE tag, such as the =
COSE_Sign tag for signed objects.&nbsp; If this is the case, it means =
that a COSE object without tags can have the appropriate tag prefixed to =
it without changing the crypto (and that similarly, a CWT tag could also =
be added without changing the crypto).&nbsp; Is this correct?&nbsp; If =
so, then using CBOR tags would be fine for the inner CWT in a nested =
CWT, since you could create the inner CWT without any tags and then =
later decide to put it in a nested CWT without re-signing, etc.&nbsp; If =
this is the case, I=E2=80=99d be OK with always prefixing the inner CWT =
in a nested CWT with CWT and COSE CBOR tags.&nbsp; Whereas if adding the =
tags requires redoing the crypto, I=E2=80=99d rather stay with the =
current approach.<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; -- Mike<o:p></o:p></span></p><p class=3DMsoNormal><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif;color:#002060'=
><o:p>&nbsp;</o:p></span></p><p class=3DMsoNormal><b><span =
style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span><=
/b><span style=3D'font-size:11.0pt;font-family:"Calibri",sans-serif'> =
Samuel Erdtman [<a =
href=3D"mailto:samuel@erdtman.se">mailto:samuel@erdtman.se</a>] =
<br><b>Sent:</b> Monday, May 15, 2017 2:23 AM<br><b>To:</b> Jim Schaad =
&lt;<a =
href=3D"mailto:ietf@augustcellars.com">ietf@augustcellars.com</a>&gt;; =
Mike Jones &lt;<a =
href=3D"mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</=
a>&gt;<br><b>Cc:</b> ace &lt;<a =
href=3D"mailto:Ace@ietf.org">Ace@ietf.org</a>&gt;<br><b>Subject:</b> Re: =
[Ace] WGLC on draft-ietf-ace-cbor-web-token<o:p></o:p></span></p><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><div><p class=3DMsoNormal =
style=3D'margin-bottom:12.0pt'>Thanks for clarifications Jim, see my =
comments inline.<o:p></o:p></p></div><p class=3DMsoNormal>Mike, there is =
a question for you inlined too.<o:p></o:p></p><div><div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p><div><p class=3DMsoNormal>On Sun, =
May 14, 2017 at 10:12 PM, Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" =
target=3D"_blank">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></p><blockquote style=3D'border:none;border-left:solid =
#CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt'><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>&nbsp;</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><b>From:</b>=
 Samuel Erdtman [mailto:<a href=3D"mailto:samuel@erdtman.se" =
target=3D"_blank">samuel@erdtman.se</a>] <br><b>Sent:</b> Sunday, May =
14, 2017 3:40 AM<br><b>To:</b> Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" =
target=3D"_blank">ietf@augustcellars.com</a>&gt;<br><b>Cc:</b> ace =
&lt;<a href=3D"mailto:Ace@ietf.org" =
target=3D"_blank">Ace@ietf.org</a>&gt;<br><b>Subject:</b> Re: [Ace] WGLC =
on draft-ietf-ace-cbor-web-token<o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><div><div><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;margin-bottom:12.0pt'>Hi =
Jim,<o:p></o:p></p></div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Thanks for =
your review and comments, see some initial replies =
inline.<o:p></o:p></p></div></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><div><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>On Sat, Apr =
22, 2017 at 8:47 PM, Jim Schaad &lt;<a =
href=3D"mailto:ietf@augustcellars.com" =
target=3D"_blank">ietf@augustcellars.com</a>&gt; =
wrote:<o:p></o:p></p><blockquote style=3D'border:none;border-left:solid =
windowtext 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Not ready =
to ship.<br><br><br>* I find the text for NumericDate confusing and =
would suggest this is a<br>cleaner wording.<br><br>The =
&quot;NumericDate&quot; term has the same meaning, syntax =
and<br>Processing rules as the &quot;NumericDate&quot; term defined in =
Section 2 of<br>JWT [RFC7519], except that the CBOR numeric =
representation<br>(Section 2.4.1 of [RC7049]) is used.&nbsp; The =
encoding is modified so that<br>the leading tag (6.1 or 0xC1) MUST be =
omitted.<br><br>&lt;Note above text kills the direct need for section =
5.&gt;<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Could make =
sense, I created an issue in the issue tracker to look at =
this.<o:p></o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><blockquote style=3D'border:none;border-left:solid =
windowtext 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* What =
is a &quot;CWT NumericDate&quot; ?&nbsp; Why is this not just a =
&quot;NumericDate&quot;?&nbsp; You<br>should be consistent on how you =
are using this and the &quot;StringOrURI&quot; type<br>identifier.&nbsp; =
Either use the CWT prefix or don't.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>Makes =
sense to me, created an issue in the issue tracker to address =
this.<br>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid windowtext 1.0pt;padding:0in 0in =
0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* =
s/except that a CWT StringOrURI/except that for a CWT, =
StringOrURI/<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;margin-bottom:12.0pt'><br>&nbsp;Makes =
sense to me, created an issue in the issue tracker to address =
this.<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid windowtext 1.0pt;padding:0in 0in =
0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* The =
algorithm for doing nesting detection is a gross abuse of the =
content<br>type parameter and can be far more easily done based on the =
already present<br>tagging of the COSE =
object.<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div></div></div><div><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Could you =
please explain a bit more, we are using the COSE tags but have made =
<br>them optional if the application for example only uses one thyme =
then it would <br>always know what to do and would not need to parse the =
tag saving a byte.<o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div></div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>[JLS] The concept is pretty easy to =
explain.</span><o:p></o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>&nbsp;</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>If you are in a situation where the full =
description of the CWT =E2=80=93 including nesting layering =E2=80=93 is =
known from a profile, then there would be no need to have any COSE tags =
present on any layer of the CWT message.&nbsp; I would however highly =
discourage using this situation for anything but a single layer CWT such =
as one that is based on the COSE_Encrypt0 message without any inner =
layering.&nbsp; Doing otherwise is going to mean that libraries would be =
unable to automatically unwrap all of the layers on their own, but would =
need guidance on each layer as it was processed.</span><o:p></o:p></p><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>&nbsp;</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>In the current document in step 5 of section =
7.2, there is an assumption that a COSE tag is going to exist in order =
to distinguish between the different types of COSE messages =E2=80=93 I =
would not that these tags are not explicitly called for in section 7.1 =
=E2=80=93 so the algorithm that I am going to suggest means that they =
are supposed to be present not implicit in any =
event.</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>In section 7.2 in step 7 the algorithm =
becomes:</span><o:p></o:p></p><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#0070C0'>If the payload starts with one the of COSE =
identification tags, then the message is recursive =E2=80=93 go to step =
1, wash rinse and =
repeat.</span><o:p></o:p></p></div></div></div></div></div></div></blockq=
uote><div><p class=3DMsoNormal><o:p>&nbsp;</o:p></p></div><div><p =
class=3DMsoNormal>I think I see your point. In the case of nested CWTs =
you would like to mandate the inner layer to have a COSE tag indicating =
the message type. But in cases where e.g. transport is done over CoAP =
you don=C2=B4t feel it is as important.<o:p></o:p></p></div><div><p =
class=3DMsoNormal style=3D'margin-bottom:12.0pt'>I personally would like =
to go all the way and mandate the COSE tag for all CWT messages nested =
or not but that would add some extra bytes i.e. not good in all =
cases.<o:p></o:p></p></div><div><p class=3DMsoNormal>Maybe a compromise =
and mandate it for inner object in nested =
CWTs.<o:p></o:p></p></div><div><p class=3DMsoNormal>@Mike would you like =
to comment to before we decide on a path =
forward.<o:p></o:p></p></div><div><p =
class=3DMsoNormal><br><br>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt'><div><div><div><div><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><blockquote style=3D'border:none;border-left:solid =
windowtext 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* Break =
section 8 into multiple paragraphs that deal with different types =
of<br>issues.<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>Might =
be reasonable I have created an issue in the issue tracker so that the =
<br>comment is not lost.<br>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid windowtext 1.0pt;padding:0in 0in =
0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* In =
section 8, the first sentence implies to me that you believe that =
COSE<br>is more of a problem that breaking of cryptographic algorithms, =
trust of<br>certificates/keys.&nbsp; Not sure what needs to be done, but =
better clarity may<br>be a good idea.<o:p></o:p></p></blockquote><div><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Added this =
to the previously mentioned issue to address this to since it is in the =
same section <o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid windowtext 1.0pt;padding:0in 0in =
0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br>* I =
have not done any validation of the examples.&nbsp; &nbsp;You might want =
to have<br>an example which uses the real for one of the time =
types.<o:p></o:p></p></blockquote><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Sorry, but =
I don=C2=B4t get it could you add some more context.<o:p></o:p></p><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p><pre><span =
style=3D'font-family:"Calibri",sans-serif;color:#0070C0'>[JLS] Use the =
value of =E2=80=9C</span><span =
style=3D'color:#0070C0'>1444064944.5=E2=80=9D for one of the time =
values.&nbsp; Although I doubt that less than second resolution is =
needed in almost any case, having an example where it is given is still =
a good =
idea.</span><o:p></o:p></pre></div></div></div></div></div></div></blockq=
uote><div><p class=3DMsoNormal>Makes sense, as you say it might not be a =
core case but there should be at least one example of it if we support =
it. I have created a ticket to address it.<o:p></o:p></p></div><div><p =
class=3DMsoNormal>&nbsp;<o:p></o:p></p></div><blockquote =
style=3D'border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt'><div><div><div><div><div><div><pre><span =
style=3D'color:#0070C0'>&nbsp;</span><span =
style=3D'color:#888888'><o:p></o:p></span></pre><pre><span =
style=3D'color:#0070C0'>Jim</span><span =
style=3D'color:#888888'><o:p></o:p></span></pre><pre><span =
style=3D'color:#888888'>&nbsp;<o:p></o:p></span></pre><p =
class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#888888'>&nbsp;<o:p></o:p></span></p></div><div><div><div>=
<p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div><blockquote style=3D'border:none;border-left:solid =
windowtext 1.0pt;padding:0in 0in 0in =
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5=
.0pt;border-color:currentcolor currentcolor currentcolor =
rgb(204,204,204)'><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span =
style=3D'color:#888888'><br><span =
class=3Dm-6130828547628588374gmail-m3297967064776043977gmail-hoenzb>Jim</=
span></span><o:p></o:p></p><div><div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><br><br>----=
-Original Message-----<br>From: Ace [mailto:<a =
href=3D"mailto:ace-bounces@ietf.org" =
target=3D"_blank">ace-bounces@ietf.org</a>] On Behalf Of Kepeng =
Li<br>Sent: Thursday, April 20, 2017 2:53 PM<br>To: <a =
href=3D"mailto:ace@ietf.org" target=3D"_blank">ace@ietf.org</a><br>Cc: =
Hannes Tschofenig &lt;<a href=3D"mailto:hannes.tschofenig@gmx.net" =
target=3D"_blank">hannes.tschofenig@gmx.net</a>&gt;<br>Subject: [Ace] =
[ace] WGLC on draft-ietf-ace-cbor-web-token<br><br>In Chicago, it was =
decided that we were going to WGLC the ACE CBOR Web =
Token<br>draft.<br><br>So this starts a working group last call for =
draft-ietf-ace-cbor-web-token<br>for submission as a Standards Track =
RFC, ending on 24:00 PDT on Tuesday, May<br>2, 2017.<br><br>The =
specification is available at:<br><a =
href=3D"https://tools.ietf.org/html/draft-ietf-ace-cbor-web-token-04" =
target=3D"_blank">https://tools.ietf.org/html/draft-ietf-ace-cbor-web-tok=
en-04</a><br><br>An HTML-formatted version is also available at:<br><a =
href=3D"http://self-issued.info/docs/draft-ietf-ace-cbor-web-token-04.htm=
l" =
target=3D"_blank">http://self-issued.info/docs/draft-ietf-ace-cbor-web-to=
ken-04.html</a><br><br>Thanks,<br><br><br>Kind Regards<br>Kepeng &amp; =
Hannes<br><br><br>_______________________________________________<br>Ace =
mailing list<br><a href=3D"mailto:Ace@ietf.org" =
target=3D"_blank">Ace@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/ace" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/ace</a><br><br>__=
_____________________________________________<br>Ace mailing list<br><a =
href=3D"mailto:Ace@ietf.org" target=3D"_blank">Ace@ietf.org</a><br><a =
href=3D"https://www.ietf.org/mailman/listinfo/ace" =
target=3D"_blank">https://www.ietf.org/mailman/listinfo/ace</a><o:p></o:p=
></p></div></div></blockquote></div></div></div><p class=3DMsoNormal =
style=3D'mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>&nbsp;<o:p><=
/o:p></p></div></div></div></div></blockquote></div><p =
class=3DMsoNormal><o:p>&nbsp;</o:p></p></div></div></div></div></body></h=
tml>
------=_NextPart_000_00B3_01D2CD98.BAFB9A60--


From nobody Tue May 16 15:32:17 2017
Return-Path: <cabo@tzi.org>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44E0B124D6C for <ace@ietfa.amsl.com>; Tue, 16 May 2017 15:32:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level: 
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7pY8oz-6l7ct for <ace@ietfa.amsl.com>; Tue, 16 May 2017 15:32:14 -0700 (PDT)
Received: from mailhost.informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66BB4129526 for <Ace@ietf.org>; Tue, 16 May 2017 15:27:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de
Received: from submithost.informatik.uni-bremen.de (submithost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::b]) by mailhost.informatik.uni-bremen.de (8.14.5/8.14.5) with ESMTP id v4GMQVpW014199; Wed, 17 May 2017 00:26:31 +0200 (CEST)
Received: from client-0037.vpn.uni-bremen.de (client-0037.vpn.uni-bremen.de [134.102.107.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by submithost.informatik.uni-bremen.de (Postfix) with ESMTPSA id 3wSBr717VDzDHPJ; Wed, 17 May 2017 00:26:31 +0200 (CEST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Carsten Bormann <cabo@tzi.org>
In-Reply-To: <CY4PR21MB05045E9E335BF1349AE52D40F5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
Date: Wed, 17 May 2017 00:26:29 +0200
Cc: Jim Schaad <ietf@augustcellars.com>, Samuel Erdtman <samuel@erdtman.se>, ace <Ace@ietf.org>
X-Mao-Original-Outgoing-Id: 516666388.880973-e8504d1c1fe335df2ee461a76ffd5113
Content-Transfer-Encoding: quoted-printable
Message-Id: <D526A91D-C3FF-43D7-863C-3E1CC3DE374C@tzi.org>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com> <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com> <CY4PR21MB05046964C07A2B5745651C3EF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB05045E9E335BF1349AE52D40F5E10@CY4PR21MB0504.namprd21.prod.outlook.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/6I9grarVNOrqIcNu8F6mgTL_n78>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2017 22:32:16 -0000

On May 16, 2017, at 00:16, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> I disagree with the suggestion (tracked in
> https://github.com/erwah/ietf/issues/37) about claims that must be
> understood.  We shouldn’t force implementations to understand
> claims not used by their application.  See my comment in the issue.

Not sure what is the “implementation” and what is the “application” here.

If an application puts in a “must understand” claim key, I’m not sure
who is forcing what here.

If we don’t have “must understand” claim keys, then there is no way for
an application to signal that necessity.
Security issues with recipient applications that don’t correctly
interpret the CWT they received, follow.  Not good.

Grüße, Carsten


From nobody Tue May 16 16:02:53 2017
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2DF212ECBF for <ace@ietfa.amsl.com>; Tue, 16 May 2017 16:02:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8XPYJs3Kvn7R for <ace@ietfa.amsl.com>; Tue, 16 May 2017 16:02:50 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0133.outbound.protection.outlook.com [104.47.37.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D26C412EABD for <Ace@ietf.org>; Tue, 16 May 2017 15:58:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=8H8ph4/isjPWfihefcVZhRSPTdzIdjQ2j+JkOI1ce90=; b=opujhUqpc3iAaE2b4oIQF70pXkb3NIws+lhafK46ZtMAGnN0Kc5T51MExb78N97oF9/LnijmAXgZe0ph79f+rknKWffju5n3N0DcRrfj777SYQMbmt0dPKXyWqSi1pESF185/w0U0Lgs0HR76Iw4WJ84Z/4lCiX83Xa/ldqq+Qg=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0184.namprd21.prod.outlook.com (10.173.193.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1124.0; Tue, 16 May 2017 22:58:28 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1124.004; Tue, 16 May 2017 22:58:28 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Carsten Bormann <cabo@tzi.org>
CC: Jim Schaad <ietf@augustcellars.com>, Samuel Erdtman <samuel@erdtman.se>, ace <Ace@ietf.org>
Thread-Topic: [Ace] WGLC on draft-ietf-ace-cbor-web-token
Thread-Index: AdK7gKnlztOgBho8S4qIHrw1QvtzugRHcl8AABP6FAAAG57nAAAX+ArwAAF1FgAAAGvQkAABDzlgADK/oIAAAMvV8A==
Date: Tue, 16 May 2017 22:58:28 +0000
Message-ID: <CY4PR21MB050491005DF8CA1B3FF1803EF5E60@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com> <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com> <CY4PR21MB05046964C07A2B5745651C3EF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB05045E9E335BF1349AE52D40F5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <D526A91D-C3FF-43D7-863C-3E1CC3DE374C@tzi.org>
In-Reply-To: <D526A91D-C3FF-43D7-863C-3E1CC3DE374C@tzi.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetBy=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-05-16T15:58:26.6960660-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
authentication-results: tzi.org; dkim=none (message not signed) header.d=none;tzi.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:b::517]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 May 2017 22:58:28.1380 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0184
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/IUf8jOBhbNCYKmVBSyoCqbVcw_U>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 May 2017 23:02:52 -0000

From nobody Tue May 16 17:13:53 2017
Return-Path: <ietf@augustcellars.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7EEE13145C for <ace@ietfa.amsl.com>; Tue, 16 May 2017 17:13:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ysF1_-T3Nvim for <ace@ietfa.amsl.com>; Tue, 16 May 2017 17:13:50 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74BAF12EC3D for <Ace@ietf.org>; Tue, 16 May 2017 17:10:15 -0700 (PDT)
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1494979803; h=from:subject:to:date:message-id; bh=O7S4wNelOFlM+x/8L5MxdgfsYBj03bbfp99rL9He/WI=; b=IGegfeA9YLEq0h9iGGrgKr0TCfVu5IZcjCIFRr8MrkOwB60O4OFP2e8vd8y5VJChgAOJiP9lJqa 32rdHbqAogmQCJ1Fe1dwty8QF93ZGDzrwuRXaQsKUkQLuNFz4jTn0rTCYdTqz/ajivg9JDqoYbw/W rGdT02dh/aiKKlwIoCej1FVlmqIAPwEdBlicmmo38y5ZuhxUpxAAGXSiXqVlUIA4wQ009OQh9zP93 vBL9Biy/A4R1oGt2ZodmrAG1sFiQoHFtaLrUk2s8s9rOYgn69/7tW3MXuri7+TV9HRTMoqJXuxmQX G1MdZK0qgo8oJkcMYyRq8Pb3sf6POWX03Nsg==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 16 May 2017 17:10:03 -0700
Received: from Hebrews (192.168.1.157) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 16 May 2017 17:09:59 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Carsten Bormann' <cabo@tzi.org>, 'Mike Jones' <Michael.Jones@microsoft.com>
CC: 'Samuel Erdtman' <samuel@erdtman.se>, 'ace' <Ace@ietf.org>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com> <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com> <CY4PR21MB05046964C07A2B5745651C3EF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB05045E9E335BF1349AE52D40F5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <D526A91D-C3FF-43D7-863C-3E1CC3DE374C@tzi.org>
In-Reply-To: <D526A91D-C3FF-43D7-863C-3E1CC3DE374C@tzi.org>
Date: Tue, 16 May 2017 16:58:09 -0700
Message-ID: <00d101d2cea0$6be75e60$43b61b20$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQK7Sbuoqk8BxD8OvOqownlXLriW/AEOhwClAnNLQvUDFt5ZygHazl2HAiynCroBfr1tjwLs/fS+AdMJydafn7WPcA==
X-Originating-IP: [192.168.1.157]
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/7R2YfrFYp6aFELCRu1V9OOz885E>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2017 00:13:52 -0000

As things currently stand, I do not know that there is any way for an
issuer to say that you must understand this claim to use this.  This is
partly profile, but not entirely.

Jim


-----Original Message-----
From: Carsten Bormann [mailto:cabo@tzi.org]
Sent: Tuesday, May 16, 2017 3:26 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Jim Schaad <ietf@augustcellars.com>; Samuel Erdtman <samuel@erdtman.se>; ace <Ace@ietf.org>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

On May 16, 2017, at 00:16, Mike Jones <Michael.Jones@microsoft.com> wrote:
>
> I disagree with the suggestion (tracked in
> https://github.com/erwah/ietf/issues/37) about claims that must be
> understood.  We shouldn’t force implementations to understand
> claims not used by their application.  See my comment in the issue.

Not sure what is the “implementation” and what is the “application” here.

If an application puts in a “must understand” claim key, I’m not sure
who is forcing what here.

If we don’t have “must understand” claim keys, then there is no way for
an application to signal that necessity.
Security issues with recipient applications that don’t correctly
interpret the CWT they received, follow.  Not good.

Grüße, Carsten
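
The failure mode Carsten Bormann describes above, and the gap Jim Schaad notes, as an added example that is not part of the thread or of draft-ietf-ace-cbor-web-token: a recipient that silently drops a claim it does not implement grants more than the issuer intended, while a recipient that honours a must-understand list rejects the token. The claim keys -65000 and -65001, the function names and the sample claims set are assumptions made for this illustration; the draft under discussion defines no such mechanism.

```python
# Registered CWT claim keys (integer labels of the CBOR claims map).
ISS, SUB, AUD, EXP, NBF = 1, 2, 3, 4, 5

# HYPOTHETICAL keys for this example only; the CWT draft defines neither.
MUST_UNDERSTAND = -65000   # array of claim keys the recipient must implement
READ_ONLY = -65001         # application claim that narrows the grant


class TokenRejected(Exception):
    """Raised when the claims set must not be used."""


def is_time(value):
    # A time claim may be an integer or a float; bool is an int subclass.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_claims(claims, understood, now, expected_aud, enforce_critical=True):
    """Check a signature-verified, CBOR-decoded claims map.

    Returns only the claims this recipient implements. With
    enforce_critical=False the hypothetical must-understand list is ignored,
    which models a token format that has no such mechanism.
    """
    if not isinstance(claims, dict):
        raise TokenRejected("claims set is not a map")
    if claims.get(AUD) != expected_aud:
        raise TokenRejected("audience mismatch")
    exp = claims.get(EXP)
    if not is_time(exp) or now >= exp:
        raise TokenRejected("missing, malformed or expired exp")
    nbf = claims.get(NBF)
    if nbf is not None and (not is_time(nbf) or now < nbf):
        raise TokenRejected("malformed nbf or token not yet valid")

    if enforce_critical and MUST_UNDERSTAND in claims:
        critical = claims[MUST_UNDERSTAND]
        if not isinstance(critical, list) or not critical:
            raise TokenRejected("must-understand list is malformed or empty")
        for key in critical:
            if key not in claims:
                raise TokenRejected(f"must-understand key {key} is absent")
            if key not in understood:
                raise TokenRejected(f"must-understand key {key} is not implemented")

    # Claims outside `understood` are dropped, as a lenient parser would do.
    return {k: v for k, v in claims.items() if k in understood}


def may_write(claims, understood, now, expected_aud, enforce_critical=True):
    """Authorization decision built on the claims the recipient implements."""
    usable = validate_claims(claims, understood, now, expected_aud, enforce_critical)
    return not usable.get(READ_ONLY, False)


# Constructed sample claims set (not taken from the draft's examples).
RS = "coap://rs.example"
SAMPLE = {
    ISS: "coap://as.example",
    SUB: "client-17",
    AUD: RS,
    EXP: 1444064944.5,            # sub-second time value, carried as a float
    READ_ONLY: True,              # issuer intends a read-only grant
    MUST_UNDERSTAND: [READ_ONLY],
}
NOW = 1444060000
BASIC_RECIPIENT = {ISS, SUB, AUD, EXP, NBF}
FULL_RECIPIENT = BASIC_RECIPIENT | {READ_ONLY, MUST_UNDERSTAND}


def outcome(understood, enforce_critical):
    """Summarise what a recipient does with SAMPLE."""
    try:
        allowed = may_write(SAMPLE, understood, NOW, RS, enforce_critical)
    except TokenRejected as err:
        return f"rejected: {err}"
    return "write allowed" if allowed else "read only"


if __name__ == "__main__":
    print("no must-understand mechanism:", outcome(BASIC_RECIPIENT, False))
    print("mechanism, claim unknown:    ", outcome(BASIC_RECIPIENT, True))
    print("mechanism, claim implemented:", outcome(FULL_RECIPIENT, True))
```
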



From nobody Wed May 17 01:10:30 2017
Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 462981296B3 for <ace@ietfa.amsl.com>; Wed, 17 May 2017 01:10:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level: 
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E9pf60CZvB9I for <ace@ietfa.amsl.com>; Wed, 17 May 2017 01:10:27 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFBB912E85E for <Ace@ietf.org>; Wed, 17 May 2017 01:06:03 -0700 (PDT)
X-AuditID: c1b4fb30-29dff7000000015f-1a-591c046917f7
Received: from ESESSHC006.ericsson.se (Unknown_Domain [153.88.183.36]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 08.B7.00351.9640C195; Wed, 17 May 2017 10:06:01 +0200 (CEST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (153.88.183.145) by oa.msg.ericsson.com (153.88.183.36) with Microsoft SMTP Server (TLS) id 14.3.339.0; Wed, 17 May 2017 10:06:00 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.onmicrosoft.com; s=selector1-ericsson-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=5yHzL1yramr0GvBiO3Sg1lA4wEjn9X0KFp6iJB0Sh9U=; b=Gnc9fjCWN80djqsix1JvmeJB5DCxw34cvqNvVJ08YYjHEr5NwxDUdfcoau9qA/t0cEKCDAPBPgrahfAC7QJ1DuawLz/cMA1g4ZbI2KkJ1QEF7/ZBa7Dz18v4OPvL553JUvPzoxtrvvY2WmvMSYMcaGSTAO7FeUTQa6afEfewvzA=
Received: from HE1PR0701MB2539.eurprd07.prod.outlook.com (10.168.129.17) by HE1PR0701MB2539.eurprd07.prod.outlook.com (10.168.129.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1101.8; Wed, 17 May 2017 08:05:59 +0000
Received: from HE1PR0701MB2539.eurprd07.prod.outlook.com ([fe80::6d69:e225:d48f:ba36]) by HE1PR0701MB2539.eurprd07.prod.outlook.com ([fe80::6d69:e225:d48f:ba36%18]) with mapi id 15.01.1101.011; Wed, 17 May 2017 08:05:59 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: ace <Ace@ietf.org>
CC: "Hannes.Tschofenig@gmx.net" <Hannes.Tschofenig@gmx.net>, Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, Kepeng Li <kepeng.lkp@alibaba-inc.com>
Thread-Topic: [Ace] Call for adoption for draft-gerdes-ace-dtls-authorize
Thread-Index: AQHSyvwoXQu4gsIU5EKLtKx5WZsCV6HzjdiAgASieJA=
Date: Wed, 17 May 2017 08:05:58 +0000
Message-ID: <HE1PR0701MB2539A8AA837651BEA28E736D98E70@HE1PR0701MB2539.eurprd07.prod.outlook.com>
References: <D53A317B.560F4%kepeng.lkp@alibaba-inc.com> <CAF2hCbYS-dwS+BeOAo3tx4UqSx3ScxdepP5fi2jTT1pjo5TGFg@mail.gmail.com> <CAD2CPUGzQWbC2cu_StFSRKtAFagMaTAYen_o_pqVnEwQJ0W4LA@mail.gmail.com>
In-Reply-To: <CAD2CPUGzQWbC2cu_StFSRKtAFagMaTAYen_o_pqVnEwQJ0W4LA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [192.36.157.200]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 May 2017 08:05:58.5693 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2539
X-OriginatorOrg: ericsson.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/oQBOkURDwlOPQwrMYLidim1ktPE>
Subject: Re: [Ace] Call for adoption for draft-gerdes-ace-dtls-authorize
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 May 2017 08:10:29 -0000

+1 for adoption.

I think profiles for the ACE framework, starting with the DTLS one, should
be adopted for the ACE work to be implementable and deployable.

Francesca

> -----Original Message-----
> From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of Renzo Navas
> Sent: den 14 maj 2017 11:10
> To: ace <Ace@ietf.org>
> Cc: Hannes.Tschofenig@gmx.net; Samuel Erdtman <samuel@erdtman.se>;
> Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>; Kepeng Li
> <kepeng.lkp@alibaba-inc.com>
> Subject: Re: [Ace] Call for adoption for draft-gerdes-ace-dtls-authorize
>
> +1 for adopting.
>
> yes, we will use (are using) DTLS in ACE(like) environments, having this profile
> will be very helpful
>
> good weekend
>
>
>
> On Fri, May 12, 2017 at 10:39 AM, Samuel Erdtman <samuel@erdtman.se>
> wrote:
> > +1 on adopting as a working group item.
> >
> > To me it makes sense to have a DTLS profile for the ACE framework.
> >
> > Cheers
> > //Samuel
> >
> > On Thu, May 11, 2017 at 9:24 AM, Kepeng Li
> > <kepeng.lkp@alibaba-inc.com>
> > wrote:
> >>
> >> Hello all,
> >>
> >>
> >>
> >> This note begins a Call For Adoption for
> >> draft-gerdes-ace-dtls-authorize [1] to be adopted as an ACE working
> >> group item. The call ends on 26th May, 2017.
> >>
> >>
> >>
> >> Keep in mind that adoption of a document does not mean the document
> >> as-is is ready for publication. It is merely acceptance of the
> >> document as a starting point for what will be the final product of the ACE
> >> working group.
> >> The working group is free to make changes to the document according
> >> to the normal consensus process.
> >>
> >>
> >>
> >> Please reply on this thread with expressions of support or
> >> opposition, preferably with comments, regarding accepting this as a work
> >> item.
> >>
> >>
> >>
> >> Thanks
> >>
> >>
> >>
> >> Kind Regards
> >>
> >> Kepeng and Hannes (ACE co-chairs)
> >>
> >>
> >>
> >> [1] https://datatracker.ietf.org/doc/draft-gerdes-ace-dtls-authorize/
> >>
> >>
> >>
> >> _______________________________________________
> >> Ace mailing list
> >> Ace@ietf.org
> >> https://www.ietf.org/mailman/listinfo/ace
> >>


From nobody Wed May 17 16:26:18 2017
Return-Path: <ietf@augustcellars.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-us
From: Jim Schaad <ietf@augustcellars.com>
To: 'Mike Jones' <Michael.Jones@microsoft.com>, 'Carsten Bormann' <cabo@tzi.org>
CC: 'ace' <Ace@ietf.org>
References: <00f001d2bb98$dd2be430$9783ac90$@augustcellars.com> <CAF2hCbbo9=Sz7YkuHOWZS-XvQ978xd9H_qhViwqgZNQ7EzE9Qw@mail.gmail.com> <000001d2ccee$5e020880$1a061980$@augustcellars.com> <CAF2hCbaJ8ES-bjV=6yPK8WBGf-BLyx+4TLNuO_AQTr3CXGY_aw@mail.gmail.com> <CY4PR21MB0504BC7E953AE6797C71D51CF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <009d01d2cdc2$8d93d130$a8bb7390$@augustcellars.com> <CY4PR21MB05046964C07A2B5745651C3EF5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <CY4PR21MB05045E9E335BF1349AE52D40F5E10@CY4PR21MB0504.namprd21.prod.outlook.com> <D526A91D-C3FF-43D7-863C-3E1CC3DE374C@tzi.org> <CY4PR21MB050491005DF8CA1B3FF1803EF5E60@CY4PR21MB0504.namprd21.prod.outlook.com>
In-Reply-To: <CY4PR21MB050491005DF8CA1B3FF1803EF5E60@CY4PR21MB0504.namprd21.prod.outlook.com>
Date: Wed, 17 May 2017 16:14:52 -0700
Message-ID: <013501d2cf63$67074f90$3515eeb0$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/I1zup2mf4-Cbhj72x0Jq1oEKISY>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token
X-List-Received-Date: Wed, 17 May 2017 23:26:17 -0000

I don't know that I agree with several of the statements below.  I have
problems with the view that just doing a profile is sufficient for a
very simple reason.  What if I am presented with a CWT that is from a
different profile?

In your example below, if an issuer was creating a "nbf" claim in an ID
Token profile then it is not conforming to the profile and I would not
have a real problem with the fact that the token could not be used by an
entity that did not understand the profile.  What happens to the space
when the ID Token profile gets updated in five years and the "nbf" claim
becomes a mandatory field to be included and understood?  All of a
sudden there is going to be a large number of entities in the system
that are using the token without enforcing all of the constraints that
are considered to be of importance to the issuer.  This is a security
problem.

There is nothing that is being placed in a CWT to identify the profile
that is being used.  This means that if a token issuer is creating
tokens that match different profiles and it does not use different keys
for each of those profiles, then a token issued under one profile and
with a specific set of assumptions about what is in the token and what
it can be used for, can be provided to an application that is expecting
the second profile and it might allow operations which would otherwise
not be permitted.  This is a security issue.

Identifying the profile in the token is one possible answer, but it is
one with lots of other problems.  Who defines and identifies the
profiles?  How are they uniquely identified? How do you do the
configuration on a small device to deal with company identified
profiles?

A more generic way of allowing for identification of what is and what
is not so important might be one way to get around some of these issues.

Jim


-----Original Message-----
From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Tuesday, May 16, 2017 3:58 PM
To: Carsten Bormann <cabo@tzi.org>
Cc: Jim Schaad <ietf@augustcellars.com>; Samuel Erdtman
<samuel@erdtman.se>; ace <Ace@ietf.org>
Subject: RE: [Ace] WGLC on draft-ietf-ace-cbor-web-token

Profiles of CWTs will vary in which claims must be present, which are
optional, and what the format of those claims are, when applicable.
This is just like JWT, where application profiles provide that
information.  To make this concrete, OpenID Connect defines a profile of
a JWT called an ID Token at
http://openid.net/specs/openid-connect-core-1_0.html#IDToken.  Note that
it says which claims are REQUIRED and OPTIONAL.  The profile also
defines additional ID Token validation rules at
http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation,
which go beyond those in the JWT spec itself.  This is how application
profiles work.

As a hypothetical example, it would be unhelpful for the ID Token
profile if the underlying JWT spec had said that the "nbf" (not before)
claim must be understood by all implementations, when this profile
doesn't use it or contain validation rules for it.  Even if a producer
included a "nbf" claim, the consumer for this profile can safely ignore
it, since no validation rules accompany it for ID Tokens.  The same is
true of all other JWT-defined claims.  And the same needs to be true of
the parallel CWT claims as well.  For instance, we shouldn't force all
CWT applications to understand and process "nbf" any more than we force
all JWT applications to.

There's nothing insecure about this but there is something efficient it
that we must preserve - particularly for constrained implementations.

				-- Mike

-----Original Message-----
From: Carsten Bormann [mailto:cabo@tzi.org]
Sent: Tuesday, May 16, 2017 3:26 PM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Jim Schaad <ietf@augustcellars.com>; Samuel Erdtman
<samuel@erdtman.se>; ace <Ace@ietf.org>
Subject: Re: [Ace] WGLC on draft-ietf-ace-cbor-web-token

On May 16, 2017, at 00:16, Mike Jones <Michael.Jones@microsoft.com>
wrote:
>
> I disagree with the suggestion (tracked in
> https://github.com/erwah/ietf/issues/37) about claims that must be
> understood.  We shouldn’t force implementations to understand
> claims not used by their application.  See my comment in the issue.

Not sure what is the “implementation” and what is the
“application” here.

If an application puts in a “must understand” claim key,
I’m not sure who is forcing what here.

If we don’t have “must understand” claim keys,
then there is no way for an application to signal that necessity.
Security issues with recipient applications that don’t correctly
interpret the CWT they received, follow.  Not good.

Grüße, Carsten
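
The disagreement in this thread, as an added example that is not part of any message on the list: a consumer whose profile does not cover "nbf" accepts a token the issuer meant to be unusable yet, while a "must understand" marker makes the same consumer fail closed. The `must_understand` claim name, the profile names and the token values are constructed for illustration and are not defined by the CWT draft; signature verification is assumed to have already succeeded with a key shared across both profiles.

```python
# Added illustration. "must_understand" is a hypothetical claim name, not a
# registered CWT claim; claims are shown by name rather than CBOR-encoded.
MUST_UNDERSTAND = "must_understand"


def _check_exp(value, now):
    """Return an error string if the token has expired, else None."""
    return None if now < value else "token expired"


def _check_nbf(value, now):
    """Return an error string if the token is not yet valid, else None."""
    return None if now >= value else "token not yet valid"


# Validation rules for the time-based claims discussed in the thread.
RULES = {"exp": _check_exp, "nbf": _check_nbf}


class Consumer:
    """A token consumer that implements one application profile."""

    def __init__(self, profile, understood, honors_must_understand):
        self.profile = profile
        self.understood = set(understood)
        self.honors_must_understand = honors_must_understand

    def accept(self, claims, now):
        """Return (accepted, reason) for an already signature-verified token."""
        if self.honors_must_understand:
            required = claims.get(MUST_UNDERSTAND, [])
            unknown = sorted(set(required) - self.understood)
            if unknown:
                # Fail closed: the issuer said these constraints matter.
                return False, "required claim(s) not understood: " + ", ".join(unknown)
        for name, value in claims.items():
            rule = RULES.get(name)
            if rule is None or name not in self.understood:
                continue  # claims outside the profile are silently ignored
            error = rule(value, now)
            if error:
                return False, error
        return True, "accepted"


NOW = 1_495_000_000  # constructed timestamp

# Constructed token: the issuer intends it to be unusable for 10 more minutes.
TOKEN = {"iss": "as.example", "sub": "sensor-17",
         "exp": NOW + 3600, "nbf": NOW + 600}
# Same token, with the issuer signalling that "nbf" has to be enforced.
TOKEN_FLAGGED = dict(TOKEN, **{MUST_UNDERSTAND: ["nbf"]})

# Hypothetical profiles: one never defined validation rules for "nbf".
lenient = Consumer("profile-without-nbf", {"iss", "sub", "exp"},
                   honors_must_understand=False)
strict = Consumer("profile-without-nbf", {"iss", "sub", "exp"},
                  honors_must_understand=True)
full = Consumer("profile-with-nbf", {"iss", "sub", "exp", "nbf"},
                honors_must_understand=True)


def demo():
    """Run the four cases and return their (accepted, reason) results."""
    return {
        "ignored_nbf": lenient.accept(TOKEN, NOW),
        "flagged_unknown": strict.accept(TOKEN_FLAGGED, NOW),
        "enforced_early": full.accept(TOKEN_FLAGGED, NOW),
        "enforced_later": full.accept(TOKEN_FLAGGED, NOW + 900),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} {result}")
```

The `ignored_nbf` case is the outcome Jim describes: the token is accepted although the issuer's "nbf" constraint has not been met, because nothing tells the consumer that the claim matters.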



From nobody Thu May 18 09:56:57 2017
Return-Path: <peter@filament.com>
To: cbor@ietf.org, ace@ietf.org, json@ietf.org, jose@ietf.org
From: Peter Saint-Andre - Filament <peter@filament.com>
Cc: Jeremie Miller <jeremie@jabber.org>
Message-ID: <b98255e6-3e3d-c3ce-cf67-f93df13ef6af@filament.com>
Date: Thu, 18 May 2017 10:50:33 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/rKq9B_RbdmHhFx_jI_BeNJdRzg8>
Subject: [Ace] FYI: JSON Constrained Notation
X-List-Received-Date: Thu, 18 May 2017 16:56:29 -0000

[Cross-posted to ACE, CBOR, JOSE, JSON because it might be of interest
to folks on all four lists.]

Folks here might have an interest in an I-D that Jeremie Miller and I
just submitted, defining a set of mapping rules from JSON to CBOR that
preserves all semantic information. The intent is to use the JOSE
standards (and related work such as OpenID Connect) unmodified in
constrained environments.

https://tools.ietf.org/html/draft-miller-json-constrained-notation-00

For now, please send feedback directly to the authors.

Thanks!

Peter

-- 
Peter Saint-Andre
https://filament.com/


From nobody Mon May 22 11:16:56 2017
Return-Path: <mcr+ietf@sandelman.ca>
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Mike Jones <Michael.Jones@microsoft.com>
cc: "ace\@ietf.org" <ace@ietf.org>
In-Reply-To: <BN6PR21MB0500BCCDEF248F5E6EB43E02F51B0@BN6PR21MB0500.namprd21.prod.outlook.com>
References: <BN6PR21MB0500BCCDEF248F5E6EB43E02F51B0@BN6PR21MB0500.namprd21.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Mon, 22 May 2017 14:16:49 -0400
Message-ID: <10297.1495477009@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/rhJKJ1mdnIg9H7jknrL_QUQymrk>
Subject: Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)
X-List-Received-Date: Mon, 22 May 2017 18:16:55 -0000

--=-=-=
Content-Type: text/plain


Come to the discussion late, cleaning my inbox.

section 3 says:

     "The value of the cnf claim is a JSON object and the members of that object
     identify the proof-of-possession key."

And somehow, I think that the claim ought to be a CBOR object?
Same for the paragraph of 3.4.

I found the next paragraph about whether the sub or iss is the presenter to
be obtuse.  Maybe it is lacking some ACE RS/C/AS terminology?

I am trying to figure out if the nonce-full mechanism that we describe
in draft-ietf-anima-bootstrapping-keyinfra or anima-voucher, and later to
be re-interpreted as CWT in draft-ietf-6tisch-dtsecurity-secure-join should
reference RFC 7800 and this document instead.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--=-=-=--


From nobody Mon May 22 11:35:15 2017
Return-Path: <Michael.Jones@microsoft.com>
From: Mike Jones <Michael.Jones@microsoft.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)
Date: Mon, 22 May 2017 18:34:52 +0000
Message-ID: <CY4PR21MB050483AF34A6F70E6B6AE2DEF5F80@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <BN6PR21MB0500BCCDEF248F5E6EB43E02F51B0@BN6PR21MB0500.namprd21.prod.outlook.com>, <10297.1495477009@obiwan.sandelman.ca>
In-Reply-To: <10297.1495477009@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050483AF34A6F70E6B6AE2DEF5F80CY4PR21MB0504namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/3eXlkQhN2xIHsf215aw7uWUKc14>
Subject: Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)
X-List-Received-Date: Mon, 22 May 2017 18:34:56 -0000

--_000_CY4PR21MB050483AF34A6F70E6B6AE2DEF5F80CY4PR21MB0504namp_
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable

Thanks for the catch. Yes, this should be a CBOR map. I failed to make this
change when transforming RFC 7800 into this draft. I'll correct it in the
next version.



– Mike



From: Michael Richardson<mailto:mcr+ietf@sandelman.ca>
Sent: Monday, May 22, 2017 2:19 PM
To: Mike Jones<mailto:Michael.Jones@microsoft.com>
Cc: ace@ietf.org<mailto:ace@ietf.org>
Subject: Re: [Ace] Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)



Come to the discussion late, cleaning my inbox.

section 3 says:

     "The value of the cnf claim is a JSON object and the members of that object
     identify the proof-of-possession key."

And somehow, I think that the claim ought to be a CBOR object?
Same for the paragraph of 3.4.

I found the next paragraph about whether the sub or iss is the presenter to
be obtuse.  Maybe it is lacking some ACE RS/C/AS terminology?

I am trying to figure out if the nonce-full mechanism that we describe
in draft-ietf-anima-bootstrapping-keyinfra or anima-voucher, and later to
be re-interpreted as CWT in draft-ietf-6tisch-dtsecurity-secure-join should
reference RFC 7800 and this document instead.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--_000_CY4PR21MB050483AF34A6F70E6B6AE2DEF5F80CY4PR21MB0504namp_--

