From nobody Mon Nov 5 00:50:32 2018 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8745F129AB8 for ; Mon, 5 Nov 2018 00:50:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCyJ15yTcPK6 for ; Mon, 5 Nov 2018 00:50:24 -0800 (PST) Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48D561274D0 for ; Mon, 5 Nov 2018 00:50:24 -0800 (PST) Received: by mail-lj1-x232.google.com with SMTP id s15-v6so7257099lji.3 for ; Mon, 05 Nov 2018 00:50:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20150623.gappssmtp.com; s=20150623; h=subject:references:to:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=ChYeGmLBSOXQAQ13oyM2l8IjveE0tQQmpIJnf056qzE=; b=CE/K5zFStelqt+vq4gmpoobd09qP+tXiV8UpeEY7jOKay4404GQF56AON+0sVd7NxR lKAYh8lfn7YUaghRiXn42UFeeA+7hH+GmCYykcAYt5t7/5GoK+lJFqjIA5hohs001cJm 4Ia0v+CQj6Lbb+jEtt2trTbNum+hlXRUuVrNScCbPT3yHL63ZmgcjF2J7PkXZgqLnxs7 z+VKvV0pCDYLg+QJ/fXIs9eoUqKWrIuAljfKG3pyAFYJ13J9DwJFPSNqNJeBoHC9BiHL puH5G5Z7j0w0fcqclnJlGhz/8J8QkSZ/JuVRaZXOBsPGHrFaLR7XSQU+HyfWZ1FeLNZL Wl6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:references:to:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=ChYeGmLBSOXQAQ13oyM2l8IjveE0tQQmpIJnf056qzE=; b=l5mOc6rTQtlHMDHUJ8Dzqjc0aHTJjUF8kbTOmoE7w8Z2a7AUomasNaBjxVlxLQO8O1 mR+ELCkcThsMbNtHtfXHTFVuS6M+rBMlUoBMSezB1OJjVzmVx9/DZX3i54roW6HHBWW3 0urYLoSdeo/wGi2GGIils7JPwDLRbvlRRH46hfyLojnRHdyUe0P9mW2uBbJdFqOF2Ei4 F9Xhb7yPJtizzyHmzEgpAoFiJrvU+XoasfpjMoeTA+K0KIhke3On/qaZubf/D3/q2bex ju03p1Hj6ZJxaYXQ+7NcUI8S0H6gUVDe5/uHvSxohwn+5QVqm5jt+cswa5PR2xMFyKCn aI9Q== X-Gm-Message-State: AGRZ1gI/RmeeJZlnDNXhqX9OWgO0lfRlY4nJ80UDpOrETF/lj5z3hgs7 b5wx34JM/YE4Lr9f6Dz/qZpSMESlitg= X-Google-Smtp-Source: AJdET5cQGwTD9QbEOx6cQH7dXzUz2V+Y2gYH62XDachYcl6qx5IPZzhFoAW2kkjJ97bG/NtY3O/4DA== X-Received: by 2002:a2e:83d7:: with SMTP id s23-v6mr10610234ljh.139.1541407822135; Mon, 05 Nov 2018 00:50:22 -0800 (PST) Received: from speedyM.local ([2a02:a446:bd2c:1:d5c8:d252:a73e:8ff6]) by smtp.gmail.com with ESMTPSA id g72-v6sm6784655lfl.21.2018.11.05.00.50.20 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 05 Nov 2018 00:50:21 -0800 (PST) References: <370d231f-1041-5d28-f097-38882481a256@curity.io> To: scim@ietf.org From: Mark Dobrinic X-Forwarded-Message-Id: <370d231f-1041-5d28-f097-38882481a256@curity.io> Message-ID: Date: Mon, 5 Nov 2018 09:50:28 +0100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <370d231f-1041-5d28-f097-38882481a256@curity.io> Content-Type: multipart/alternative; boundary="------------1DA79CA7DA9FAADF6DF84230" Content-Language: en-US Archived-At: Subject: [scim] Fwd: Escape search filter values X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Nov 2018 08:50:30 -0000 This is a multi-part message in MIME format. --------------1DA79CA7DA9FAADF6DF84230 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Hi guys, have posted this question a month ago and didn't get a follow up. Anybody has thoughts on it? Thanks, Mark -------- Forwarded Message -------- Subject: Escape search filter values Date: Wed, 3 Oct 2018 17:37:07 +0200 From: Mark Dobrinic To: scim@ietf.org Hi scim, I've got a question on how to escape values that are part of the search filter query in scim 2. For example, when sending out a search request for a user with a password, we're posting a JSON-message like this to our SCIM server: {     "schemas": [         "urn:ietf:params:scim:api:messages:2.0:SearchRequest"     ],     "filter": "userName eq \"teddie\" and password eq "\secret\"" } But when the password contains control characters, like a double-quote (") or backslash (\), what should we send to the other end? For now, we've been following the JSON approach, and are JSON-escaping the values inside the filter, such that when the password would be 'sec"ret', the JSON-message as it would be sent over becomes: {     "schemas": [         "urn:ietf:params:scim:api:messages:2.0:SearchRequest"     ],     "filter": "userName eq \"teddie\" and password eq "\sec\\\"ret\"" } ... but I could not find out how to deal with this in the spec. What do you think is the right thing to do here? -- Regards, Mark Dobrinic Software Engineer and Identity Specialist Curity AB mark.dobrinic@curity.io www.curity.io --------------1DA79CA7DA9FAADF6DF84230 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit

Hi guys,

have posted this question a month ago and didn't get a follow up.
Anybody has thoughts on it?

Thanks,

Mark


-------- Forwarded Message --------
Subject: Escape search filter values
Date: Wed, 3 Oct 2018 17:37:07 +0200
From: Mark Dobrinic <mark.dobrinic@curity.io>
To: scim@ietf.org 


Hi scim,

I've got a question on how to escape values that are part of the search
filter query in scim 2.

For example, when sending out a search request for a user with a
password, we're posting a JSON-message like this to our SCIM server:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "filter": "userName eq \"teddie\" and password eq "\secret\""
}

But when the password contains control characters, like a double-quote
(") or backslash (\), what should we send to the other end?

For now, we've been following the JSON approach, and are JSON-escaping
the values inside the filter, such that when the password would be
'sec"ret', the JSON-message as it would be sent over becomes:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "filter": "userName eq \"teddie\" and password eq "\sec\\\"ret\""
}

... but I could not find out how to deal with this in the spec.

What do you think is the right thing to do here?


-- 
Regards,

Mark Dobrinic
Software Engineer and Identity Specialist
Curity AB

mark.dobrinic@curity.io
www.curity.io
--------------1DA79CA7DA9FAADF6DF84230-- From nobody Mon Nov 5 09:26:50 2018 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE3F2124408 for ; Mon, 5 Nov 2018 09:26:48 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.77 X-Spam-Level: X-Spam-Status: No, score=-4.77 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mUt9FXdGLuaw for ; Mon, 5 Nov 2018 09:26:46 -0800 (PST) Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F3C0127133 for ; Mon, 5 Nov 2018 09:26:46 -0800 (PST) Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wA5HNOqB079261; Mon, 5 Nov 2018 17:26:44 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=GwOnZmkKVu4ioSB9lyxaDXBDZLO1WPzTfvhDNFfR83g=; b=usN5Ty3htKIyhEsZvITvBMNc+ASCUnlVVbhT1cNnVp4j546aQXR7gelTXNDaa4upX9zh kv30kwL+uNnk7ickXVC3bafLQfO5n8M5TT98nk9lntWOMko/KC8zw+awYYVk6ALz5Cxx bSuagRV8M4eNeXeTarlv9tL0qdGKC+FfE2r/pPRYQ8PUjSafJyiVhz7VvY8PuHHkfRnm 08CCG1L5HKREp7RahZwVizIr10Pr/hHaUtJyRfKBPB4j7AxT+CCXfP9Iwc60oM3JsRpy NxZfq3/ChtPs2P9Vk1fDbsN+M4VLaLkM8l5cSnBnO21093yCs8EjlvfG0tOF9gDPDQcQ tw== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp2120.oracle.com with ESMTP id 2nh4aqg8cq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 05 Nov 2018 17:26:44 +0000 Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id wA5HQgJ1005990 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 5 Nov 2018 17:26:43 GMT Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19]) by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id wA5HQgEb026881; Mon, 5 Nov 2018 17:26:42 GMT Received: from [10.0.1.20] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 05 Nov 2018 09:26:41 -0800 Content-Type: multipart/alternative; boundary=Apple-Mail-4C0D1A50-52EC-4340-B768-31C8D65D0654 Mime-Version: 1.0 (1.0) From: Phil Hunt X-Mailer: iPhone Mail (16B92) In-Reply-To: Date: Mon, 5 Nov 2018 09:26:36 -0800 Cc: scim@ietf.org Content-Transfer-Encoding: 7bit Message-Id: References: <370d231f-1041-5d28-f097-38882481a256@curity.io> To: Mark Dobrinic X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9068 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1811050156 Archived-At: Subject: Re: [scim] Fwd: Escape search filter values X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Nov 2018 17:26:49 -0000 --Apple-Mail-4C0D1A50-52EC-4340-B768-31C8D65D0654 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Mark You are correct. Per sec 3.1, SCIM uses RFC7159/JSON for protocol payload me= ssages as well as resources.=20 Iow. Escape as specified in json.=20 Phil > On Nov 5, 2018, at 12:50 AM, Mark Dobrinic wrote= : >=20 > Hi guys,=20 >=20 > have posted this question a month ago and didn't get a follow up.=20 > Anybody has thoughts on it? >=20 > Thanks, >=20 > Mark >=20 >=20 > -------- Forwarded Message -------- > Subject: Escape search filter values > Date: Wed, 3 Oct 2018 17:37:07 +0200 > From: Mark Dobrinic > To: scim@ietf.org >=20 >=20 > Hi scim, >=20 > I've got a question on how to escape values that are part of the search > filter query in scim 2. >=20 > For example, when sending out a search request for a user with a > password, we're posting a JSON-message like this to our SCIM server: >=20 > { > "schemas": [ > "urn:ietf:params:scim:api:messages:2.0:SearchRequest" > ], > "filter": "userName eq \"teddie\" and password eq "\secret\"" > } >=20 > But when the password contains control characters, like a double-quote > (") or backslash (\), what should we send to the other end? >=20 > For now, we've been following the JSON approach, and are JSON-escaping > the values inside the filter, such that when the password would be > 'sec"ret', the JSON-message as it would be sent over becomes: >=20 > { > "schemas": [ > "urn:ietf:params:scim:api:messages:2.0:SearchRequest" > ], > "filter": "userName eq \"teddie\" and password eq "\sec\\\"ret\"" > } >=20 > .... but I could not find out how to deal with this in the spec. >=20 > What do you think is the right thing to do here? >=20 >=20 > --=20 > Regards, >=20 > Mark Dobrinic > Software Engineer and Identity Specialist > Curity AB >=20 > mark.dobrinic@curity.io > www.curity.io >=20 > _______________________________________________ > scim mailing list > scim@ietf.org > https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__www.ietf.org_mailma= n_listinfo_scim&d=3DDwICAg&c=3DRoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r= =3Dna5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=3DyuuDrNYVFRE1h4L9M7aHG0iY0= D9sKoCorF5SKqb_du0&s=3DQOewzWBRy4HUgd1QL4mtSXaUd_2SaGPHnZxOuwpIl1I&e=3D --Apple-Mail-4C0D1A50-52EC-4340-B768-31C8D65D0654 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 7bit Mark

You are correct. Per sec 3.1, SCIM uses RFC7159/JSON for protocol payload messages as well as resources. 

Iow. Escape as specified in json. 

Phil

On Nov 5, 2018, at 12:50 AM, Mark Dobrinic <mark.dobrinic@curity.io> wrote:

Hi guys,

have posted this question a month ago and didn't get a follow up.
Anybody has thoughts on it?

Thanks,

Mark


-------- Forwarded Message --------
Subject: Escape search filter values
Date: Wed, 3 Oct 2018 17:37:07 +0200
From: Mark Dobrinic <mark.dobrinic@curity.io>
To: scim@ietf.org 


Hi scim,

I've got a question on how to escape values that are part of the search
filter query in scim 2.

For example, when sending out a search request for a user with a
password, we're posting a JSON-message like this to our SCIM server:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "filter": "userName eq \"teddie\" and password eq "\secret\""
}

But when the password contains control characters, like a double-quote
(") or backslash (\), what should we send to the other end?

For now, we've been following the JSON approach, and are JSON-escaping
the values inside the filter, such that when the password would be
'sec"ret', the JSON-message as it would be sent over becomes:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "filter": "userName eq \"teddie\" and password eq "\sec\\\"ret\""
}

.... but I could not find out how to deal with this in the spec.

What do you think is the right thing to do here?


-- 
Regards,

Mark Dobrinic
Software Engineer and Identity Specialist
Curity AB

mark.dobrinic@curity.io
www.curity.io
--Apple-Mail-4C0D1A50-52EC-4340-B768-31C8D65D0654-- From nobody Tue Nov 6 00:59:40 2018 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E965E130EE7 for ; Tue, 6 Nov 2018 00:59:34 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.879 X-Spam-Level: X-Spam-Status: No, score=-0.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1rIWKSlXz-HD for ; Tue, 6 Nov 2018 00:59:32 -0800 (PST) Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E69F7130EDC for ; Tue, 6 Nov 2018 00:59:31 -0800 (PST) Received: by mail-wr1-x433.google.com with SMTP id j17-v6so7366147wrq.11 for ; Tue, 06 Nov 2018 00:59:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20150623.gappssmtp.com; s=20150623; h=subject:cc:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=b7lbv7uypZXhDgeQwjTDiEuD3BDPE6jtiTAjAl2+b1Q=; b=lyhcd4IGVJVZDbOFZh/+qfrtHOD4RZJtXBpm0cRJpj73i+1MajFRIV+DlbbOy0ufwD d86GUFeVhQM/UrRhJbsYApGhEhw8Lpe1NbaXlyXeErPaeO/BZ5D6ll4825FF7cPdwbcN cIgq6AeZbhiF0s/6KCMvAmpartzTW0I7nn/Jf7ugsqPIOJ176lOKPiIEU0IwwFT+sg6E uLvx7TkFPvbipvBjHTQxaqGiWNVDDUuYr24GtgNRhPY+8CMnko/sqJbTOZ3kB1W0C1aL OWsPlsa8p8X3EJ/gkxR2mpSr9FjOXIx3t5Kt1xBXzh6BFWIQr/vUYZ/XsvzvC4IKxp8J H1wQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=b7lbv7uypZXhDgeQwjTDiEuD3BDPE6jtiTAjAl2+b1Q=; b=BvONxmNu8mqDNkFDcBxy/SguOOHelqp6sGyzGfyYSrnbDQhRxpMfgxIwfcVBKqiyJY y/VYRqoKcOjJHqZE7SrYAGa+UBYSn2xd7lWwfsKz/nx5X6UzYvHP4PaVGlXRbCBIKHde g2YFhuThpoOdRHopeI2ZtoCSKef8mgXv2T6fXpz5r0pIXtP3GOsjUdit0Ve698+fP2bc 110dzCKRHOWZ61wXga7TNW1byE68AKudAwLe/k879vi6AOhuSWJuNHWrqK70cb0rte8y VGFbg95dsv1YEipL6aP3cg9PtRQFA+RZfjCaUTOSk9l8CbU/RYPoaUqCXsauoiC5vN42 r6mg== X-Gm-Message-State: AGRZ1gKrlhPs7Ilfk/HVf2X7ibgavdBOmDew2159PBKYdneYcM9BwHrb V890vHgwAoXLTX3EETfIMd4nR2p33+8= X-Google-Smtp-Source: AJdET5d7PV+M3241p7uUMrczlB2MmG2ASYPV7SjFScxai97uOYDIfHjRw9Wb0LAVvic7LoKxLljdsA== X-Received: by 2002:adf:e3c2:: with SMTP id k2-v6mr10244911wrm.156.1541494769778; Tue, 06 Nov 2018 00:59:29 -0800 (PST) Received: from speedyM.local ([2a02:a446:bd2c:1:139:394b:fa99:273b]) by smtp.gmail.com with ESMTPSA id r126-v6sm700252wmg.1.2018.11.06.00.59.28 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 06 Nov 2018 00:59:29 -0800 (PST) Cc: scim@ietf.org References: <370d231f-1041-5d28-f097-38882481a256@curity.io> From: Mark Dobrinic Message-ID: <1a2b4cff-7761-884c-f680-298126bc2875@curity.io> Date: Tue, 6 Nov 2018 09:59:25 +0100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------421C553D203AF65A7973A519" Content-Language: en-US Archived-At: Subject: Re: [scim] Fwd: Escape search filter values X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Nov 2018 08:59:39 -0000 This is a multi-part message in MIME format. --------------421C553D203AF65A7973A519 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Hi Phil, Gotcha, and thanks for that! We'll continue with the JSON-encoding approach. Kind regards, Mark On 05/11/18 18:26, Phil Hunt wrote: > Mark > > You are correct. Per sec 3.1, SCIM uses RFC7159/JSON for protocol > payload messages as well as resources.  > > Iow. Escape as specified in json.  > > Phil > > On Nov 5, 2018, at 12:50 AM, Mark Dobrinic > wrote: > >> Hi guys, >> >> have posted this question a month ago and didn't get a follow up. >> Anybody has thoughts on it? >> >> Thanks, >> >> Mark >> >> >> -------- Forwarded Message -------- >> Subject: Escape search filter values >> Date: Wed, 3 Oct 2018 17:37:07 +0200 >> From: Mark Dobrinic >> To: scim@ietf.org >> >> >> >> Hi scim, >> >> I've got a question on how to escape values that are part of the search >> filter query in scim 2. >> >> For example, when sending out a search request for a user with a >> password, we're posting a JSON-message like this to our SCIM server: >> >> { >>     "schemas": [ >>         "urn:ietf:params:scim:api:messages:2.0:SearchRequest" >>     ], >>     "filter": "userName eq \"teddie\" and password eq "\secret\"" >> } >> >> But when the password contains control characters, like a double-quote >> (") or backslash (\), what should we send to the other end? >> >> For now, we've been following the JSON approach, and are JSON-escaping >> the values inside the filter, such that when the password would be >> 'sec"ret', the JSON-message as it would be sent over becomes: >> >> { >>     "schemas": [ >>         "urn:ietf:params:scim:api:messages:2.0:SearchRequest" >>     ], >>     "filter": "userName eq \"teddie\" and password eq "\sec\\\"ret\"" >> } >> >> .... but I could not find out how to deal with this in the spec. >> >> What do you think is the right thing to do here? >> >> >> -- >> Regards, >> >> Mark Dobrinic >> Software Engineer and Identity Specialist >> Curity AB >> >> mark.dobrinic@curity.io >> www.curity.io >> >> _______________________________________________ >> scim mailing list >> scim@ietf.org >> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=yuuDrNYVFRE1h4L9M7aHG0iY0D9sKoCorF5SKqb_du0&s=QOewzWBRy4HUgd1QL4mtSXaUd_2SaGPHnZxOuwpIl1I&e= -- Regards, Mark Dobrinic Software Engineer and Identity Specialist Curity AB mark.dobrinic@curity.io www.curity.io --------------421C553D203AF65A7973A519 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit
Hi Phil,

Gotcha, and thanks for that!

We'll continue with the JSON-encoding approach.

Kind regards,

Mark

On 05/11/18 18:26, Phil Hunt wrote:
Mark

You are correct. Per sec 3.1, SCIM uses RFC7159/JSON for protocol payload messages as well as resources. 

Iow. Escape as specified in json. 

Phil

On Nov 5, 2018, at 12:50 AM, Mark Dobrinic <mark.dobrinic@curity.io> wrote:

Hi guys,

have posted this question a month ago and didn't get a follow up.
Anybody has thoughts on it?

Thanks,

Mark


-------- Forwarded Message --------
Subject: Escape search filter values
Date: Wed, 3 Oct 2018 17:37:07 +0200
From: Mark Dobrinic <mark.dobrinic@curity.io>
To: scim@ietf.org 


Hi scim,

I've got a question on how to escape values that are part of the search
filter query in scim 2.

For example, when sending out a search request for a user with a
password, we're posting a JSON-message like this to our SCIM server:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "filter": "userName eq \"teddie\" and password eq "\secret\""
}

But when the password contains control characters, like a double-quote
(") or backslash (\), what should we send to the other end?

For now, we've been following the JSON approach, and are JSON-escaping
the values inside the filter, such that when the password would be
'sec"ret', the JSON-message as it would be sent over becomes:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:SearchRequest"
    ],
    "filter": "userName eq \"teddie\" and password eq "\sec\\\"ret\""
}

.... but I could not find out how to deal with this in the spec.

What do you think is the right thing to do here?


-- 
Regards,

Mark Dobrinic
Software Engineer and Identity Specialist
Curity AB

mark.dobrinic@curity.io
www.curity.io




-- 
Regards,

Mark Dobrinic
Software Engineer and Identity Specialist
Curity AB

mark.dobrinic@curity.io
www.curity.io
--------------421C553D203AF65A7973A519-- From nobody Wed Nov 14 05:00:54 2018 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74806130E41 for ; Wed, 14 Nov 2018 05:00:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.901 X-Spam-Level: X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sap.onmicrosoft.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mkFnmwtcbrbq for ; Wed, 14 Nov 2018 05:00:45 -0800 (PST) Received: from smtpgw04.sap-ag.de (smtpgw04.sap-ag.de [155.56.66.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 030B5130E3F for ; Wed, 14 Nov 2018 05:00:43 -0800 (PST) Received: from EUR03-DB5-obe.outbound.protection.outlook.com (94.245.120.88) by smtpgw04.sap-ag.de (155.56.66.99) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Wed, 14 Nov 2018 14:00:41 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sap.onmicrosoft.com; s=selector1-sap-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8hNVJz8bOdZ7I4vPz64eWfekDiNw65TI5EnaLt9CFzY=; b=TqZuKFFnesr6sZzsmvi5geaLe0JnAkROnjYChf1qNMg+fV7QwYo3XB3o1spWQQa3czoMAYQtP6qChUs22XW7uNIX2/aoKH5YFcmQ1mqLDrGoVa0/YmKQdv0H0lOMM9NaxGtdRdO0CGhBrlAaAsn0KBaTNsGsOYufqNHbtD1+iEg= Received: from HE1PR0202MB2652.eurprd02.prod.outlook.com (10.168.184.144) by HE1PR0202MB2699.eurprd02.prod.outlook.com (10.168.185.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.45; Wed, 14 Nov 2018 13:00:40 +0000 Received: from HE1PR0202MB2652.eurprd02.prod.outlook.com ([fe80::71e8:6eda:e9aa:954]) by HE1PR0202MB2652.eurprd02.prod.outlook.com ([fe80::71e8:6eda:e9aa:954%7]) with mapi id 15.20.1294.045; Wed, 14 Nov 2018 13:00:40 +0000 From: "Karaimin, Aleyidin" To: "scim@ietf.org" Thread-Topic: SCIM 2.0 PATCH - modifying custom or enterprise schema attributes with missing "path" Thread-Index: AdR8GgIZyKvGosNgRwGaACDFfh7sjQ== Date: Wed, 14 Nov 2018 13:00:40 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=aleyidin.karaimin@sap.com; x-originating-ip: [193.57.20.13] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; HE1PR0202MB2699; 6:Y0ZR7i7L8maRq9yg3AAApRhpuWYXsWHjvhApRzS0RGNIOoZ1PmOCX2weThF9NVjwtUEk3TutmFp0taGYYQ4sgdJ86trglB/vCqTDIl8sgmaXKixJHyYklSNA6bYfy/aAFo6fhMyYhMxd8oxIk5QTbvc7wQkF0v524AATqUAocDvExwBttf+sg7+PHkAe6kZ+35UidWlOfxJ3Eh9WF9Zs3DPIb7QNbR7q8HKXe5W8mQUHH+mrbBBoFcj668qEMCm9nyRPOwbX80AF/eLF7rFggMH6N5Wv6eyp0uYJMhPiOXX0RBkdtXJrivG4E0fcFtBU32vjaCxtehpuJf7HX89fZGisRr6dZG7ZxRPHLcMVKCrLLKXoTvRMu5DnOc05tLa2GJJEhZvL73O8d96UKEeF5bTuFR04sHjIHaeYaPsNwlz8e2eMPztOB7/xocuIzNmEaBzW2NC9rdFXwUbEYxbVrw==; 5:AflQpGp8CL3CrBbFAGnna9yPOuKIWXhADDnIvbQMTbTArjevk6XHBDbT6bT+E0GfdgTZhiw90Smp3M71kMtj8ovTTEBLtFQDhBtno6YQvfwd3NQYnJqbGgvQN7BNpFOJJKP7jZf3Ki1E7eI4NWkeCJNOO/RDSnBulkkfmnVWW4c=; 7:xnxmbUvFGSwiiWBi5/rZ81WNLt0f4EqPdzRHywe40u931DK3wEO8ixH2c5zFa63wV4Gq25obvun9TESsroZjs0BSlwJE2vWh+UgtvRO1XXXd3afCz2lXIWX0L2a5md5YTpo1psjxtdiH25QlQqsCTg== x-ms-exchange-antispam-srfa-diagnostics: SOS; x-ms-office365-filtering-correlation-id: 68a64acf-6c03-4195-7bb6-08d64a312df3 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390098)(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:HE1PR0202MB2699; x-ms-traffictypediagnostic: HE1PR0202MB2699: x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(788757137089)(21748063052155)(28532068793085)(190501279198761)(227612066756510); x-ms-exchange-senderadcheck: 1 x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(8121501046)(5005006)(3002001)(3231410)(944501410)(52105112)(93006095)(93001095)(10201501046)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(20161123562045)(20161123558120)(201708071742011)(7699051)(76991095); SRVR:HE1PR0202MB2699; BCL:0; PCL:0; RULEID:; SRVR:HE1PR0202MB2699; x-forefront-prvs: 085634EFF4 x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(136003)(366004)(396003)(39860400002)(199004)(189003)(66066001)(14454004)(186003)(478600001)(6916009)(2501003)(97736004)(86362001)(316002)(26005)(790700001)(6116002)(71200400001)(256004)(3846002)(71190400001)(102836004)(6506007)(2906002)(99286004)(5660300001)(7736002)(2351001)(7696005)(74316002)(33656002)(9326002)(476003)(486006)(81166006)(2900100001)(8676002)(1730700003)(81156014)(68736007)(6436002)(8936002)(105586002)(54896002)(6306002)(9686003)(53936002)(55016002)(25786009)(106356001)(5640700003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0202MB2699; H:HE1PR0202MB2652.eurprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1; received-spf: None (protection.outlook.com: sap.com does not designate permitted sender hosts) x-microsoft-antispam-message-info: EkIAQDX7wHKnRs3YlRmSzsZE2jJalIib13eMrYeIy4fmGE6w6kF/YEHPNsBlKM59vgGmxRQTv8Hm0M9X8h5uXMokA6WcRO870o9jphFBrZkl7k1YzUM+hJfWDg6Hu51XqR5gRx/yifm8wneX17g7RpRhdtDLEKElAdG3CyNOdt0Xa7M3zkCgU2SPe9uZRFo4fo1qbbNkUHG+70KuujvY/TSoZz2nuw5/lHB5MTFlzyQc07pV0bEIDLlnMtgPwlQYGZDQArA7V4fXu5ZOxNLccUxy9H69cn31MCSvgBMWKRtxLDKK0DeLHBvmtBWUSH6Vm3ISOQU+3jXPOxIXBt/OgpZwExbIY1zQ2FJv5tpgSJY= spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/alternative; boundary="_000_HE1PR0202MB2652CEB4D38C2400F443E95EF8C30HE1PR0202MB2652_" MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: 68a64acf-6c03-4195-7bb6-08d64a312df3 X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Nov 2018 13:00:40.3347 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 42f7676c-f455-423c-82f6-dc2d99791af7 X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0202MB2699 Archived-At: Subject: [scim] SCIM 2.0 PATCH - modifying custom or enterprise schema attributes with missing "path" X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Nov 2018 13:00:53 -0000 --_000_HE1PR0202MB2652CEB4D38C2400F443E95EF8C30HE1PR0202MB2652_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hello, According to the RFC 7644-System for Cross-domain Identity Management: Prot= ocol, section 3.5.2-Modifying with PATCH, 'The "path" attribute is OPTIONAL for "add" and "replace" and is REQUIRED for "remove" ' Let's assume that in some case, "path" is not provided for add or replace o= peration. Is it possible to assign value to custom schema attribute (or ext= ension Enterprise for User) ?. Suppose we have the following bodies of PATCH Requests Example 1: { "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations":[ { "op":"add", "value": { "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"= : { "employeeNumber" : "12345" }, "nickname" : "simpleNickname" } } ] } Is the above example valid ? Can we assign custom attribute to correspondin= g value in "value" body ? Example 2: { "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], "Operations":[ { "op":"add", "value": { "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:= employeeNumber" : "12345", "nickname" : "simpleNickname" } } ] } If the Example 1 is valid, is it allowed to specify full attribute path in = the "value" body ? Thank you, Aleydin Karaimin --_000_HE1PR0202MB2652CEB4D38C2400F443E95EF8C30HE1PR0202MB2652_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hello,

According to the RFC 7644-System for Cross-domain Id= entity Management: Protocol, section 3.5.2-Modifying with PATCH,=

 

The "path" attribute is

   OPTIONAL for "add" and = "replace" and is REQUIRED for "remove"

Let’s assume that in some case, “path= 221; is not provided for add or replace operation. Is it possible to assign= value to custom schema attribute (or extension Enterprise for User) ?.

Suppose we have the following bodies of PATCH Reques= ts

 

Example 1:

 

{ "schemas":

       ["urn:ietf= :params:scim:api:messages:2.0:PatchOp"],

     "Operations":[

       {

        "op&= quot;:"add",

        "val= ue":       {

         &nb= sp;     "urn:ietf:params:scim:schemas:extension:en= terprise:2.0:User" : {

         &nb= sp;            =          "employeeNumber"= : "12345"

         &nb= sp;     },

         &nb= sp;     "nickname" : "simpleNickname&quo= t;

         &nb= sp;      }

       }

    ]

}

Is the above example valid ? Can we assign custom at= tribute to corresponding value in “value” body ?

 

Example 2:

{ "schemas":

       ["urn:ietf= :params:scim:api:messages:2.0:PatchOp"],

     "Operations":[

       {

        "op&= quot;:"add",

        "val= ue":       {

         &nb= sp;     "urn:ietf:params:scim:schemas:extension:en= terprise:2.0:User:employeeNumber" : "12345",

         &nb= sp;     "nickname" : "simpleNickname&quo= t;

         &nb= sp;      }

       }

    ]

}

 

If the Example 1 is valid, is it allowed to specify = full attribute path in the “value” body ?

 

Thank you,

Aleydin Karaimin

 

--_000_HE1PR0202MB2652CEB4D38C2400F443E95EF8C30HE1PR0202MB2652_-- From nobody Wed Nov 14 11:27:01 2018 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDE11130DBE for ; Wed, 14 Nov 2018 11:26:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.769 X-Spam-Level: X-Spam-Status: No, score=-4.769 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aYJ1boMcqImm for ; Wed, 14 Nov 2018 11:26:56 -0800 (PST) Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7086F12777C for ; Wed, 14 Nov 2018 11:26:56 -0800 (PST) Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id wAEJJMqx055412; Wed, 14 Nov 2018 19:26:55 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : message-id : references : to; s=corp-2018-07-02; bh=skMkh6W5wtBUHBVW6tUXv9DTnrORzU5e5zmp4CcpKxs=; b=AtYJbFch/63Qk81D+QfZ/y5ddWwAr8mVlB9HkvspK3YWM89Z6c+TjUOE3B6xMLLnltVR ymXeavysUcdexrZNZ0KcsuDGU1L1OCe1saP6mJrIHFRvKLzxpcNx3KvwtDCjfrKrGw2x zZ5MxFN/zkFESdIEcub2in1/m5oMrcAoSAqjH3kNeK88/sLlpKeUyAnFTqxJyw74rY0a UYEgj67CM6+FVNE1bdlt3AAmb5Tv75oOVnhYocu88krWm2TB3puYrmuBx7vKryKXN/J7 k55ziIsWiTWxQaRPPJle/RVWTLfh+cPyElH5cK6vluAez0usvTmgaSXE/5VoPI3hYUkp 6g== Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp2120.oracle.com with ESMTP id 2nr7cs5j8j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Nov 2018 19:26:54 +0000 Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id wAEJQnPo026127 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Nov 2018 19:26:49 GMT Received: from abhmp0003.oracle.com (abhmp0003.oracle.com [141.146.116.9]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id wAEJQmpd014432; Wed, 14 Nov 2018 19:26:48 GMT Received: from [10.0.1.37] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 14 Nov 2018 11:26:48 -0800 Content-Type: multipart/alternative; boundary="Apple-Mail=_E54F82A2-3E9A-47FE-BA85-CE6BB9052337" Mime-Version: 1.0 (Mac OS X Mail 12.1 \(3445.101.1\)) From: Phil Hunt In-Reply-To: Date: Wed, 14 Nov 2018 11:26:45 -0800 Cc: "scim@ietf.org" Message-Id: <983AD2BE-E40F-4AF9-B738-8B75FAFE473A@oracle.com> References: To: "Karaimin, Aleyidin" X-Mailer: Apple Mail (2.3445.101.1) X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9077 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1811140172 Archived-At: Subject: Re: [scim] SCIM 2.0 PATCH - modifying custom or enterprise schema attributes with missing "path" X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 14 Nov 2018 19:26:59 -0000 --Apple-Mail=_E54F82A2-3E9A-47FE-BA85-CE6BB9052337 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Aleydin, Thanks for the interesting example. IMO both examples are valid.=20 A rule of thumb for me, is if you can understand it clearly, you should = accept it. If you are writing a client, be aware that there are lots of server = implementations that aren=E2=80=99t as =E2=80=9Crobust=E2=80=9D as they = might be and may fail on this one. Phil Oracle Corporation, Cloud Security and Identity Architect @independentid www.independentid.com = phil.hunt@oracle.com = > On Nov 14, 2018, at 5:00 AM, Karaimin, Aleyidin = wrote: >=20 > Hello, > According to the RFC 7644-System for Cross-domain Identity Management: = Protocol, section 3.5.2-Modifying with PATCH, > =20 > =E2=80=98The "path" attribute is > OPTIONAL for "add" and "replace" and is REQUIRED for "remove" > =E2=80=99 > Let=E2=80=99s assume that in some case, =E2=80=9Cpath=E2=80=9D is not = provided for add or replace operation. Is it possible to assign value to = custom schema attribute (or extension Enterprise for User) ?. > Suppose we have the following bodies of PATCH Requests > =20 > Example 1: > =20 > { "schemas": > ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], > "Operations":[ > { > "op":"add", > "value": { > = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" : { > "employeeNumber" : "12345" > }, > "nickname" : "simpleNickname" > } > } > ] > } > Is the above example valid ? Can we assign custom attribute to = corresponding value in =E2=80=9Cvalue=E2=80=9D body ? > =20 > Example 2: > { "schemas": > ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], > "Operations":[ > { > "op":"add", > "value": { > = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber= " : "12345", > "nickname" : "simpleNickname" > } > } > ] > } > =20 > If the Example 1 is valid, is it allowed to specify full attribute = path in the =E2=80=9Cvalue=E2=80=9D body ? > =20 > Thank you, > Aleydin Karaimin > =20 > _______________________________________________ > scim mailing list > scim@ietf.org > = https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__www.ietf.org_mailma= n_listinfo_scim&d=3DDwICAg&c=3DRoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE= &r=3Dna5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=3DIM8g4xCE7ueFZYCMNifU_= o_J4kgaWb4y8e5fPKIO2d0&s=3Dxn2tQFGKNxirT3fsN6MPv5zSobvRJ7yDI6q237paKJM&e=3D= = --Apple-Mail=_E54F82A2-3E9A-47FE-BA85-CE6BB9052337 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 Aleydin,

Thanks for the interesting example.

IMO both examples are = valid. 

A = rule of thumb for me, is if you can understand it clearly, you should = accept it.

If = you are writing a client, be aware that there are lots of server = implementations that aren=E2=80=99t as =E2=80=9Crobust=E2=80=9D as they = might be and may fail on this one.

Phil

Oracle Corporation, Cloud Security and = Identity Architect
@independentid
www.independentid.com
phil.hunt@oracle.com

On Nov 14, 2018, at 5:00 AM, Karaimin, Aleyidin <aleyidin.karaimin@sap.com> wrote:

Hello,
According = to the RFC 7644-System for Cross-domain Identity Management: Protocol, = section 3.5.2-Modifying with PATCH,
 
=E2=80=98The "path" attribute is
   OPTIONAL = for "add" and "replace" and is REQUIRED for "remove"
=E2=80=99
Let=E2=80=99= s assume that in some case, =E2=80=9Cpath=E2=80=9D is not provided for = add or replace operation. Is it possible to assign value to custom = schema attribute (or extension Enterprise for User) ?.
Suppose = we have the following bodies of PATCH Requests
 
Example = 1:
 
{ = "schemas":
       = ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[
       {
        "op":"add",
        = "value":       {
        =        = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" : {
        =             &n= bsp;          = "employeeNumber" : "12345"
        =        },
        =        "nickname" : "simpleNickname"
    =             }
       }
    ]
}
Is the above example valid ? Can we = assign custom attribute to corresponding value in =E2=80=9Cvalue=E2=80=9D = body ?
 
Example 2:
{ "schemas":
       = ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
     "Operations":[
       {
        "op":"add",
        = "value":       {
        =        = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber= " : "12345",
        =        "nickname" : "simpleNickname"
    =             }
       }
    ]
}
 
If the Example 1 is valid, is it = allowed to specify full attribute path in the =E2=80=9Cvalue=E2=80=9D = body ?
 
Thank you,
Aleydin Karaimin
 
_______________________________________________
scim mailing list
scim@ietf.org
https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__www.ietf= .org_mailman_listinfo_scim&d=3DDwICAg&c=3DRoP1YumCXCgaWHvlZYR8PZh8= Bv7qIrMUB65eapI_JnE&r=3Dna5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&am= p;m=3DIM8g4xCE7ueFZYCMNifU_o_J4kgaWb4y8e5fPKIO2d0&s=3Dxn2tQFGKNxirT3fs= N6MPv5zSobvRJ7yDI6q237paKJM&e=3D

= --Apple-Mail=_E54F82A2-3E9A-47FE-BA85-CE6BB9052337-- From nobody Thu Nov 15 01:16:25 2018 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA664126BED for ; Thu, 15 Nov 2018 01:16:23 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.9 X-Spam-Level: X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sap.onmicrosoft.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ochRN7MW_IuP for ; Thu, 15 Nov 2018 01:16:20 -0800 (PST) Received: from smtpgw04.sap-ag.de (smtpgw04.sap-ag.de [155.56.66.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E99F12D4ED for ; Thu, 15 Nov 2018 01:16:19 -0800 (PST) Received: from EUR03-AM5-obe.outbound.protection.outlook.com (213.199.154.113) by smtpgw04.sap-ag.de (155.56.66.99) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Thu, 15 Nov 2018 10:16:17 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sap.onmicrosoft.com; s=selector1-sap-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=xp/bGVCUaHTil3s75O6ThMnJcGr9LM85H1CgIIm+DDs=; b=pyE1/+z3kbl4JyWFk4obDO4+a8kuEyKYsxlJup/TEf2lLXZHZ6DffavSkJiKh18aDAeHNBmMmZtA0PuNroiQFRRQxnIFPhVhjjBsiTvMdNApfOvrmKN998D1+TKUpmavCyIIFTmWb/houY7C5RrOzvXBsQi3rAflJ8YRi/IzsTI= Received: from HE1PR0202MB2652.eurprd02.prod.outlook.com (10.168.184.144) by HE1PR0202MB2860.eurprd02.prod.outlook.com (10.171.93.9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.26; Thu, 15 Nov 2018 09:16:16 +0000 Received: from HE1PR0202MB2652.eurprd02.prod.outlook.com ([fe80::71e8:6eda:e9aa:954]) by HE1PR0202MB2652.eurprd02.prod.outlook.com ([fe80::71e8:6eda:e9aa:954%7]) with mapi id 15.20.1294.045; Thu, 15 Nov 2018 09:16:15 +0000 From: "Karaimin, Aleyidin" To: Phil Hunt CC: "scim@ietf.org" Thread-Topic: [scim] SCIM 2.0 PATCH - modifying custom or enterprise schema attributes with missing "path" Thread-Index: AdR8GgIZyKvGosNgRwGaACDFfh7sjQANfiOAABznxoA= Date: Thu, 15 Nov 2018 09:16:15 +0000 Message-ID: References: <983AD2BE-E40F-4AF9-B738-8B75FAFE473A@oracle.com> In-Reply-To: <983AD2BE-E40F-4AF9-B738-8B75FAFE473A@oracle.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=aleyidin.karaimin@sap.com; x-originating-ip: [193.57.20.13] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; HE1PR0202MB2860; 6:dk5QM/no4MrhaUKs4QwM2RW7jJLMiUXeogL29KplMYFjdjq+jpxYuAQn/tcG/4KqW6VGI/8TPCc07sC3jT7qJQLcclLLwWki8xUgkbwhsoe9YHcBuQoMWHHXjxOeozzfu79uCrh2iGaReL7ryPTndL2wnq3dFSziFDA77LfwIUdRKTMte14frpHeTdSH6sUouZIBQHr/oZ4fzS+7Lrir6CTWpFf//yn9twe4FnvWQqfNlU/yiiXmy6IH4B09YMs974J0vM+OfP+C9feSArmN5e526trnNOpVbEWoRGd6PvduUxcodnJ247fHlSlezSVwYxLmhIdrMEwlb2QZ1zsSdl+NuMwQAqR+MH8UQzWZoviM3Hp3a42RGjBtm08X/nD9NxIo7zV9ZyXauPEfkAyVy3KqJ/IVgJ8miB12JAMAciE5/fCUFvNl42bSORe46xtJEMFhRgODB4vGqHey05RfcQ==; 5:KWkO3DU+Bjz7sou3DrGY8Pn0azy8+zGheW6GBe3HZZfu5Id1LmmEpwGnb1aib+AYygA3/+fnrmytCNhySe8txXAQpgjPe7a6g0idWrOn9pYjt0+eVsRxAVj4MtocCuFKXUpUZ5PPRL/YydXnet8NOOQ+BrSMlg9zaaiSTWFp5Wg=; 7:4/TfPOBzTfCW55zPQm5D/G/GOcw1x9gIaNTt9SOvTUTM2j7BsuyiZwOySQ7Vb3/7r3e+9UA1kJ102kt0wLmcDconNfhjLi85u5c70A8YXZXIsvHybome4qnRKlcsDOEjqXEQXaWf7p9lTm1RiLjG+Q== x-ms-exchange-antispam-srfa-diagnostics: SOS; x-ms-office365-filtering-correlation-id: a15600a8-73c6-41e4-5eaa-08d64adafee5 x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390098)(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:HE1PR0202MB2860; x-ms-traffictypediagnostic: HE1PR0202MB2860: x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(146099531331640)(55761251573089)(158342451672863)(192374486261705)(788757137089)(10436049006162)(21748063052155)(28532068793085)(190501279198761)(227612066756510); x-ms-exchange-senderadcheck: 1 x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040522)(2401047)(5005006)(8121501046)(10201501046)(3002001)(93006095)(93001095)(3231415)(944501410)(52105112)(148016)(149066)(150057)(6041310)(20161123558120)(20161123560045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(201708071742011)(7699051)(76991095); SRVR:HE1PR0202MB2860; BCL:0; PCL:0; RULEID:; SRVR:HE1PR0202MB2860; x-forefront-prvs: 08572BD77F x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(346002)(366004)(39860400002)(376002)(136003)(51914003)(189003)(199004)(25786009)(33656002)(14444005)(8936002)(68736007)(5660300001)(81166006)(478600001)(2900100001)(966005)(74316002)(229853002)(256004)(186003)(81156014)(14454004)(99286004)(105586002)(8676002)(2906002)(1680700002)(606006)(7696005)(6506007)(476003)(53546011)(106356001)(7736002)(53936002)(6916009)(3846002)(102836004)(6116002)(53386004)(66066001)(236005)(6246003)(486006)(54896002)(76176011)(345774005)(316002)(6306002)(97736004)(790700001)(446003)(4326008)(86362001)(9686003)(55016002)(71190400001)(6436002)(11346002)(71200400001)(26005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0202MB2860; H:HE1PR0202MB2652.eurprd02.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1; received-spf: None (protection.outlook.com: sap.com does not designate permitted sender hosts) x-microsoft-antispam-message-info: x6ZUJ6MUTTDiZPntPed1aykl35kmz3IYfXDGx685GlzlLCZSYcB9+Oql1hgDXNDK9cCIQy+k8AV8ArjgHVbZ0zOxaoOibC8G/Gr4ylSRLbZCfhLfRsIk1d6POevpbP6UNrV/SMSJaDuonqNEx2EHSp9BvMQb2C2rGoIyPoaJjbAuBibOZpMoGslTKbz0XztpRz8nrev9VMDYjmRhr+eov/Y9ztl8CY8pkl6g6+czPF+MJVjbxxZvC0b9WPCfwT/vGLSAOlpA2KhhgXfEpR+HLGhQGfruhajqfuobKUDCSejoLReLap3nMmImx1yawSNsUQKvqVnJCwOudEUWUp44IdzaBUCFBBCsyTMYBvarH1c= spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/alternative; boundary="_000_HE1PR0202MB2652361E4EEFD1D962B776DDF8DC0HE1PR0202MB2652_" MIME-Version: 1.0 X-MS-Exchange-CrossTenant-Network-Message-Id: a15600a8-73c6-41e4-5eaa-08d64adafee5 X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Nov 2018 09:16:15.7543 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 42f7676c-f455-423c-82f6-dc2d99791af7 X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0202MB2860 Archived-At: Subject: Re: [scim] SCIM 2.0 PATCH - modifying custom or enterprise schema attributes with missing "path" X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 Nov 2018 09:16:24 -0000 --_000_HE1PR0202MB2652361E4EEFD1D962B776DDF8DC0HE1PR0202MB2652_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 VGhhbmsgeW91IGZvciB0aGUgZmFzdCByZXNwb25zZSwgUGhpbC4NCg0KUmVnYXJkcywNCkFsZXlp ZGluDQoNCkZyb206IFBoaWwgSHVudCA8cGhpbC5odW50QG9yYWNsZS5jb20+DQpTZW50OiBXZWRu ZXNkYXksIE5vdmVtYmVyIDE0LCAyMDE4IDk6MjcgUE0NClRvOiBLYXJhaW1pbiwgQWxleWlkaW4g PGFsZXlpZGluLmthcmFpbWluQHNhcC5jb20+DQpDYzogc2NpbUBpZXRmLm9yZw0KU3ViamVjdDog UmU6IFtzY2ltXSBTQ0lNIDIuMCBQQVRDSCAtIG1vZGlmeWluZyBjdXN0b20gb3IgZW50ZXJwcmlz ZSBzY2hlbWEgYXR0cmlidXRlcyB3aXRoIG1pc3NpbmcgInBhdGgiDQoNCkFsZXlkaW4sDQoNClRo YW5rcyBmb3IgdGhlIGludGVyZXN0aW5nIGV4YW1wbGUuDQoNCklNTyBib3RoIGV4YW1wbGVzIGFy ZSB2YWxpZC4NCg0KQSBydWxlIG9mIHRodW1iIGZvciBtZSwgaXMgaWYgeW91IGNhbiB1bmRlcnN0 YW5kIGl0IGNsZWFybHksIHlvdSBzaG91bGQgYWNjZXB0IGl0Lg0KDQpJZiB5b3UgYXJlIHdyaXRp bmcgYSBjbGllbnQsIGJlIGF3YXJlIHRoYXQgdGhlcmUgYXJlIGxvdHMgb2Ygc2VydmVyIGltcGxl bWVudGF0aW9ucyB0aGF0IGFyZW7igJl0IGFzIOKAnHJvYnVzdOKAnSBhcyB0aGV5IG1pZ2h0IGJl IGFuZCBtYXkgZmFpbCBvbiB0aGlzIG9uZS4NCg0KUGhpbA0KDQpPcmFjbGUgQ29ycG9yYXRpb24s IENsb3VkIFNlY3VyaXR5IGFuZCBJZGVudGl0eSBBcmNoaXRlY3QNCkBpbmRlcGVuZGVudGlkDQp3 d3cuaW5kZXBlbmRlbnRpZC5jb208aHR0cDovL3d3dy5pbmRlcGVuZGVudGlkLmNvbT4NCnBoaWwu aHVudEBvcmFjbGUuY29tPG1haWx0bzpwaGlsLmh1bnRAb3JhY2xlLmNvbT4NCg0KDQpPbiBOb3Yg MTQsIDIwMTgsIGF0IDU6MDAgQU0sIEthcmFpbWluLCBBbGV5aWRpbiA8YWxleWlkaW4ua2FyYWlt aW5Ac2FwLmNvbTxtYWlsdG86YWxleWlkaW4ua2FyYWltaW5Ac2FwLmNvbT4+IHdyb3RlOg0KDQpI ZWxsbywNCkFjY29yZGluZyB0byB0aGUgUkZDIDc2NDQtU3lzdGVtIGZvciBDcm9zcy1kb21haW4g SWRlbnRpdHkgTWFuYWdlbWVudDogUHJvdG9jb2wsIHNlY3Rpb24gMy41LjItTW9kaWZ5aW5nIHdp dGggUEFUQ0gsDQoNCg0K4oCYVGhlICJwYXRoIiBhdHRyaWJ1dGUgaXMNCiAgIE9QVElPTkFMIGZv ciAiYWRkIiBhbmQgInJlcGxhY2UiIGFuZCBpcyBSRVFVSVJFRCBmb3IgInJlbW92ZSINCuKAmQ0K TGV04oCZcyBhc3N1bWUgdGhhdCBpbiBzb21lIGNhc2UsIOKAnHBhdGjigJ0gaXMgbm90IHByb3Zp ZGVkIGZvciBhZGQgb3IgcmVwbGFjZSBvcGVyYXRpb24uIElzIGl0IHBvc3NpYmxlIHRvIGFzc2ln biB2YWx1ZSB0byBjdXN0b20gc2NoZW1hIGF0dHJpYnV0ZSAob3IgZXh0ZW5zaW9uIEVudGVycHJp c2UgZm9yIFVzZXIpID8uDQpTdXBwb3NlIHdlIGhhdmUgdGhlIGZvbGxvd2luZyBib2RpZXMgb2Yg UEFUQ0ggUmVxdWVzdHMNCg0KRXhhbXBsZSAxOg0KDQp7ICJzY2hlbWFzIjoNCiAgICAgICBbInVy bjppZXRmOnBhcmFtczpzY2ltOmFwaTptZXNzYWdlczoyLjA6UGF0Y2hPcCJdLA0KICAgICAiT3Bl cmF0aW9ucyI6Ww0KICAgICAgIHsNCiAgICAgICAgIm9wIjoiYWRkIiwNCiAgICAgICAgInZhbHVl IjogICAgICAgew0KICAgICAgICAgICAgICAgInVybjppZXRmOnBhcmFtczpzY2ltOnNjaGVtYXM6 ZXh0ZW5zaW9uOmVudGVycHJpc2U6Mi4wOlVzZXIiIDogew0KICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICJlbXBsb3llZU51bWJlciIgOiAiMTIzNDUiDQogICAgICAgICAgICAgICB9LA0K ICAgICAgICAgICAgICAgIm5pY2tuYW1lIiA6ICJzaW1wbGVOaWNrbmFtZSINCiAgICAgICAgICAg ICAgICB9DQogICAgICAgfQ0KICAgIF0NCn0NCklzIHRoZSBhYm92ZSBleGFtcGxlIHZhbGlkID8g Q2FuIHdlIGFzc2lnbiBjdXN0b20gYXR0cmlidXRlIHRvIGNvcnJlc3BvbmRpbmcgdmFsdWUgaW4g 4oCcdmFsdWXigJ0gYm9keSA/DQoNCkV4YW1wbGUgMjoNCnsgInNjaGVtYXMiOg0KICAgICAgIFsi dXJuOmlldGY6cGFyYW1zOnNjaW06YXBpOm1lc3NhZ2VzOjIuMDpQYXRjaE9wIl0sDQogICAgICJP cGVyYXRpb25zIjpbDQogICAgICAgew0KICAgICAgICAib3AiOiJhZGQiLA0KICAgICAgICAidmFs dWUiOiAgICAgICB7DQogICAgICAgICAgICAgICAidXJuOmlldGY6cGFyYW1zOnNjaW06c2NoZW1h czpleHRlbnNpb246ZW50ZXJwcmlzZToyLjA6VXNlcjplbXBsb3llZU51bWJlciIgOiAiMTIzNDUi LA0KICAgICAgICAgICAgICAgIm5pY2tuYW1lIiA6ICJzaW1wbGVOaWNrbmFtZSINCiAgICAgICAg ICAgICAgICB9DQogICAgICAgfQ0KICAgIF0NCn0NCg0KSWYgdGhlIEV4YW1wbGUgMSBpcyB2YWxp ZCwgaXMgaXQgYWxsb3dlZCB0byBzcGVjaWZ5IGZ1bGwgYXR0cmlidXRlIHBhdGggaW4gdGhlIOKA nHZhbHVl4oCdIGJvZHkgPw0KDQpUaGFuayB5b3UsDQpBbGV5ZGluIEthcmFpbWluDQoNCl9fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQpzY2ltIG1haWxpbmcg bGlzdA0Kc2NpbUBpZXRmLm9yZzxtYWlsdG86c2NpbUBpZXRmLm9yZz4NCmh0dHBzOi8vdXJsZGVm ZW5zZS5wcm9vZnBvaW50LmNvbS92Mi91cmw/dT1odHRwcy0zQV9fd3d3LmlldGYub3JnX21haWxt YW5fbGlzdGluZm9fc2NpbSZkPUR3SUNBZyZjPVJvUDFZdW1DWENnYVdIdmxaWVI4UFpoOEJ2N3FJ ck1VQjY1ZWFwSV9KbkUmcj1uYTVGVnpCVFdtYW5xV055NERwY3R5WFBwdVlxUGtBSTFhTGNMTjRL Wk5BJm09SU04ZzR4Q0U3dWVGWllDTU5pZlVfb19KNGtnYVdiNHk4ZTVmUEtJTzJkMCZzPXhuMnRR RkdLTnhpclQzZnNONk1QdjV6U29idlJKN3lESTZxMjM3cGFLSk0mZT0NCg0K --_000_HE1PR0202MB2652361E4EEFD1D962B776DDF8DC0HE1PR0202MB2652_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 SGVsdmV0aWNhOw0KCXBhbm9zZS0xOjIgMTEgNiA0IDIgMiAyIDIgMiA0O30NCkBmb250LWZhY2UN Cgl7Zm9udC1mYW1pbHk6IkNhbWJyaWEgTWF0aCI7DQoJcGFub3NlLTE6MiA0IDUgMyA1IDQgNiAz IDIgNDt9DQpAZm9udC1mYWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAx NSA1IDIgMiAyIDQgMyAyIDQ7fQ0KQGZvbnQtZmFjZQ0KCXtmb250LWZhbWlseTpDb25zb2xhczsN CglwYW5vc2UtMToyIDExIDYgOSAyIDIgNCAzIDIgNDt9DQovKiBTdHlsZSBEZWZpbml0aW9ucyAq Lw0KcC5Nc29Ob3JtYWwsIGxpLk1zb05vcm1hbCwgZGl2Lk1zb05vcm1hbA0KCXttYXJnaW46MGlu Ow0KCW1hcmdpbi1ib3R0b206LjAwMDFwdDsNCglmb250LXNpemU6MTEuMHB0Ow0KCWZvbnQtZmFt aWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30NCmE6bGluaywgc3Bhbi5Nc29IeXBlcmxpbmsNCgl7 bXNvLXN0eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOmJsdWU7DQoJdGV4dC1kZWNvcmF0aW9uOnVu ZGVybGluZTt9DQphOnZpc2l0ZWQsIHNwYW4uTXNvSHlwZXJsaW5rRm9sbG93ZWQNCgl7bXNvLXN0 eWxlLXByaW9yaXR5Ojk5Ow0KCWNvbG9yOnB1cnBsZTsNCgl0ZXh0LWRlY29yYXRpb246dW5kZXJs aW5lO30NCnByZQ0KCXttc28tc3R5bGUtcHJpb3JpdHk6OTk7DQoJbXNvLXN0eWxlLWxpbms6IkhU TUwgUHJlZm9ybWF0dGVkIENoYXIiOw0KCW1hcmdpbjowaW47DQoJbWFyZ2luLWJvdHRvbTouMDAw MXB0Ow0KCWZvbnQtc2l6ZToxMC4wcHQ7DQoJZm9udC1mYW1pbHk6IkNvdXJpZXIgTmV3Ijt9DQpw Lm1zb25vcm1hbDAsIGxpLm1zb25vcm1hbDAsIGRpdi5tc29ub3JtYWwwDQoJe21zby1zdHlsZS1u YW1lOm1zb25vcm1hbDsNCgltc28tbWFyZ2luLXRvcC1hbHQ6YXV0bzsNCgltYXJnaW4tcmlnaHQ6 MGluOw0KCW1zby1tYXJnaW4tYm90dG9tLWFsdDphdXRvOw0KCW1hcmdpbi1sZWZ0OjBpbjsNCglm b250LXNpemU6MTEuMHB0Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30NCnNw YW4uYXBwbGUtc3R5bGUtc3Bhbg0KCXttc28tc3R5bGUtbmFtZTphcHBsZS1zdHlsZS1zcGFuO30N CnNwYW4uSFRNTFByZWZvcm1hdHRlZENoYXINCgl7bXNvLXN0eWxlLW5hbWU6IkhUTUwgUHJlZm9y bWF0dGVkIENoYXIiOw0KCW1zby1zdHlsZS1wcmlvcml0eTo5OTsNCgltc28tc3R5bGUtbGluazoi SFRNTCBQcmVmb3JtYXR0ZWQiOw0KCWZvbnQtZmFtaWx5OkNvbnNvbGFzO30NCnNwYW4uRW1haWxT dHlsZTIxDQoJe21zby1zdHlsZS10eXBlOnBlcnNvbmFsLXJlcGx5Ow0KCWZvbnQtZmFtaWx5OiJD YWxpYnJpIixzYW5zLXNlcmlmOw0KCWNvbG9yOndpbmRvd3RleHQ7fQ0KLk1zb0NocERlZmF1bHQN Cgl7bXNvLXN0eWxlLXR5cGU6ZXhwb3J0LW9ubHk7DQoJZm9udC1zaXplOjEwLjBwdDt9DQpAcGFn ZSBXb3JkU2VjdGlvbjENCgl7c2l6ZTo4LjVpbiAxMS4waW47DQoJbWFyZ2luOjEuMGluIDEuMGlu IDEuMGluIDEuMGluO30NCmRpdi5Xb3JkU2VjdGlvbjENCgl7cGFnZTpXb3JkU2VjdGlvbjE7fQ0K LS0+PC9zdHlsZT48IS0tW2lmIGd0ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlZGVmYXVsdHMgdjpl eHQ9ImVkaXQiIHNwaWRtYXg9IjEwMjYiIC8+DQo8L3htbD48IVtlbmRpZl0tLT48IS0tW2lmIGd0 ZSBtc28gOV0+PHhtbD4NCjxvOnNoYXBlbGF5b3V0IHY6ZXh0PSJlZGl0Ij4NCjxvOmlkbWFwIHY6 ZXh0PSJlZGl0IiBkYXRhPSIxIiAvPg0KPC9vOnNoYXBlbGF5b3V0PjwveG1sPjwhW2VuZGlmXS0t Pg0KPC9oZWFkPg0KPGJvZHkgbGFuZz0iRU4tVVMiIGxpbms9ImJsdWUiIHZsaW5rPSJwdXJwbGUi Pg0KPGRpdiBjbGFzcz0iV29yZFNlY3Rpb24xIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPlRoYW5r IHlvdSBmb3IgdGhlIGZhc3QgcmVzcG9uc2UsIFBoaWwuPG86cD48L286cD48L3A+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwi PlJlZ2FyZHMsPG86cD48L286cD48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5BbGV5aWRpbjxv OnA+PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+ DQo8ZGl2Pg0KPGRpdiBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLXRvcDpzb2xpZCAjRTFFMUUx IDEuMHB0O3BhZGRpbmc6My4wcHQgMGluIDBpbiAwaW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PGI+RnJvbTo8L2I+IFBoaWwgSHVudCAmbHQ7cGhpbC5odW50QG9yYWNsZS5jb20mZ3Q7IDxicj4N CjxiPlNlbnQ6PC9iPiBXZWRuZXNkYXksIE5vdmVtYmVyIDE0LCAyMDE4IDk6MjcgUE08YnI+DQo8 Yj5Ubzo8L2I+IEthcmFpbWluLCBBbGV5aWRpbiAmbHQ7YWxleWlkaW4ua2FyYWltaW5Ac2FwLmNv bSZndDs8YnI+DQo8Yj5DYzo8L2I+IHNjaW1AaWV0Zi5vcmc8YnI+DQo8Yj5TdWJqZWN0OjwvYj4g UmU6IFtzY2ltXSBTQ0lNIDIuMCBQQVRDSCAtIG1vZGlmeWluZyBjdXN0b20gb3IgZW50ZXJwcmlz ZSBzY2hlbWEgYXR0cmlidXRlcyB3aXRoIG1pc3NpbmcgJnF1b3Q7cGF0aCZxdW90OzxvOnA+PC9v OnA+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+QWxleWRpbiw8bzpwPjwvbzpwPjwvcD4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2 Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPlRoYW5rcyBmb3IgdGhlIGludGVyZXN0aW5n IGV4YW1wbGUuPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPklNTyBib3RoIGV4YW1wbGVzIGFyZSB2YWxpZC4mbmJzcDs8bzpwPjwvbzpwPjwvcD4N CjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+QSBydWxlIG9mIHRodW1iIGZv ciBtZSwgaXMgaWYgeW91IGNhbiB1bmRlcnN0YW5kIGl0IGNsZWFybHksIHlvdSBzaG91bGQgYWNj ZXB0IGl0LjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj5JZiB5b3UgYXJlIHdyaXRpbmcgYSBjbGllbnQsIGJlIGF3YXJlIHRoYXQgdGhlcmUgYXJl IGxvdHMgb2Ygc2VydmVyIGltcGxlbWVudGF0aW9ucyB0aGF0IGFyZW7igJl0IGFzIOKAnHJvYnVz dOKAnSBhcyB0aGV5IG1pZ2h0IGJlIGFuZCBtYXkgZmFpbCBvbiB0aGlzIG9uZS48bzpwPjwvbzpw PjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9v OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+UGhpbDxvOnA+PC9v OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+ DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPGRpdj4N CjxkaXY+DQo8ZGl2Pg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImNvbG9yOmJsYWNrIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8 L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iY29sb3I6Ymxh Y2siPk9yYWNsZSBDb3Jwb3JhdGlvbiwgQ2xvdWQgU2VjdXJpdHkgYW5kIElkZW50aXR5IEFyY2hp dGVjdDxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xvcjpibGFjayI+QGluZGVwZW5kZW50aWQ8bzpwPjwvbzpw Pjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBz dHlsZT0iY29sb3I6YmxhY2siPjxhIGhyZWY9Imh0dHA6Ly93d3cuaW5kZXBlbmRlbnRpZC5jb20i Pnd3dy5pbmRlcGVuZGVudGlkLmNvbTwvYT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4N CjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJjb2xvcjpibGFjayI+PGEgaHJlZj0ibWFpbHRvOnBoaWwuaHVudEBvcmFjbGUuY29tIj5waGls Lmh1bnRAb3JhY2xlLmNvbTwvYT48bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjwvZGl2 Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+ DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxicj4NCjxicj4NCjxvOnA+PC9vOnA+PC9wPg0KPGJsb2NrcXVvdGUgc3R5 bGU9Im1hcmdpbi10b3A6NS4wcHQ7bWFyZ2luLWJvdHRvbTo1LjBwdCI+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+T24gTm92IDE0LCAyMDE4LCBhdCA1OjAwIEFNLCBLYXJhaW1pbiwgQWxl eWlkaW4gJmx0OzxhIGhyZWY9Im1haWx0bzphbGV5aWRpbi5rYXJhaW1pbkBzYXAuY29tIj5hbGV5 aWRpbi5rYXJhaW1pbkBzYXAuY29tPC9hPiZndDsgd3JvdGU6PG86cD48L286cD48L3A+DQo8L2Rp dj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPGRpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5IZWxsbyw8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkFjY29yZGluZyB0byB0aGUgUkZDIDc2NDQtU3lz dGVtIGZvciBDcm9zcy1kb21haW4gSWRlbnRpdHkgTWFuYWdlbWVudDogUHJvdG9jb2wsIHNlY3Rp b24gMy41LjItTW9kaWZ5aW5nIHdpdGggUEFUQ0gsPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxk aXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0K PHByZT7igJhUaGUgJnF1b3Q7cGF0aCZxdW90OyBhdHRyaWJ1dGUgaXM8bzpwPjwvbzpwPjwvcHJl Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTAu MHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NvdXJpZXIgTmV3JnF1b3Q7Ij4mbmJzcDsmbmJzcDsgT1BU SU9OQUwgZm9yICZxdW90O2FkZCZxdW90OyBhbmQgJnF1b3Q7cmVwbGFjZSZxdW90OyBhbmQgaXMg UkVRVUlSRUQgZm9yICZxdW90O3JlbW92ZSZxdW90Ozwvc3Bhbj48bzpwPjwvbzpwPjwvcD4NCjwv ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPuKAmTxvOnA+PC9vOnA+PC9wPg0KPC9k aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+TGV04oCZcyBhc3N1bWUgdGhhdCBpbiBz b21lIGNhc2UsIOKAnHBhdGjigJ0gaXMgbm90IHByb3ZpZGVkIGZvciBhZGQgb3IgcmVwbGFjZSBv cGVyYXRpb24uIElzIGl0IHBvc3NpYmxlIHRvIGFzc2lnbiB2YWx1ZSB0byBjdXN0b20gc2NoZW1h IGF0dHJpYnV0ZSAob3IgZXh0ZW5zaW9uIEVudGVycHJpc2UgZm9yIFVzZXIpID8uPG86cD48L286 cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5TdXBwb3NlIHdlIGhh dmUgdGhlIGZvbGxvd2luZyBib2RpZXMgb2YgUEFUQ0ggUmVxdWVzdHM8bzpwPjwvbzpwPjwvcD4N CjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOzxvOnA+PC9vOnA+PC9w Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+RXhhbXBsZSAxOjxvOnA+PC9v OnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7PG86cD48 L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj57ICZxdW90O3Nj aGVtYXMmcXVvdDs6PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgWyZxdW90O3Vybjpp ZXRmOnBhcmFtczpzY2ltOmFwaTptZXNzYWdlczoyLjA6UGF0Y2hPcCZxdW90O10sPG86cD48L286 cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgJnF1b3Q7T3BlcmF0aW9ucyZxdW90OzpbPG86cD48L286cD48L3A+DQo8L2Rp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgezxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZxdW90 O29wJnF1b3Q7OiZxdW90O2FkZCZxdW90Oyw8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyAmcXVvdDt2YWx1ZSZxdW90OzombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsgezxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAmcXVvdDt1cm46aWV0ZjpwYXJhbXM6c2NpbTpzY2hl bWFzOmV4dGVuc2lvbjplbnRlcnByaXNlOjIuMDpVc2VyJnF1b3Q7IDogezxvOnA+PC9vOnA+PC9w Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAmcXVvdDtlbXBsb3ll ZU51bWJlciZxdW90OyA6ICZxdW90OzEyMzQ1JnF1b3Q7PG86cD48L286cD48L3A+DQo8L2Rpdj4N CjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsgJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IH0sPG86 cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7Jm5ic3A7ICZxdW90O25pY2tuYW1lJnF1b3Q7IDogJnF1b3Q7c2ltcGxlTmlja25h bWUmcXVvdDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPiZuYnNwOyZuYnNwOyZuYnNwOyAmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgfTxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+ DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7Jm5ic3A7IH08bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPiZuYnNwOyZuYnNwOyZuYnNwOyBdPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj59PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8 cCBjbGFzcz0iTXNvTm9ybWFsIj5JcyB0aGUgYWJvdmUgZXhhbXBsZSB2YWxpZCA/IENhbiB3ZSBh c3NpZ24gY3VzdG9tIGF0dHJpYnV0ZSB0byBjb3JyZXNwb25kaW5nIHZhbHVlIGluIOKAnHZhbHVl 4oCdIGJvZHkgPzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj5FeGFtcGxlIDI6PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj57ICZxdW90O3NjaGVtYXMmcXVvdDs6PG86cD48L286cD48L3A+DQo8L2Rp dj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsgWyZxdW90O3VybjppZXRmOnBhcmFtczpzY2ltOmFwaTptZXNzYWdlczoyLjA6 UGF0Y2hPcCZxdW90O10sPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJnF1b3Q7T3BlcmF0aW9ucyZxdW90 OzpbPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4m bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgezxvOnA+PC9vOnA+PC9wPg0KPC9k aXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZxdW90O29wJnF1b3Q7OiZxdW90O2FkZCZxdW90Oyw8bzpwPjwv bzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZuYnNw OyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAmcXVvdDt2YWx1ZSZxdW90OzombmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgezxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8 ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7 Jm5ic3A7Jm5ic3A7ICZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyAmcXVvdDt1 cm46aWV0ZjpwYXJhbXM6c2NpbTpzY2hlbWFzOmV4dGVuc2lvbjplbnRlcnByaXNlOjIuMDpVc2Vy OmVtcGxveWVlTnVtYmVyJnF1b3Q7IDogJnF1b3Q7MTIzNDUmcXVvdDssPG86cD48L286cD48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj4mbmJzcDsmbmJzcDsmbmJzcDsm bmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgJm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5i c3A7ICZxdW90O25pY2tuYW1lJnF1b3Q7IDogJnF1b3Q7c2ltcGxlTmlja25hbWUmcXVvdDs8bzpw PjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOyZu YnNwOyZuYnNwOyAmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsgfTxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAg Y2xhc3M9Ik1zb05vcm1hbCI+Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7IH08 bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNw OyZuYnNwOyZuYnNwOyBdPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj59PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj4mbmJzcDs8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJN c29Ob3JtYWwiPklmIHRoZSBFeGFtcGxlIDEgaXMgdmFsaWQsIGlzIGl0IGFsbG93ZWQgdG8gc3Bl Y2lmeSBmdWxsIGF0dHJpYnV0ZSBwYXRoIGluIHRoZSDigJx2YWx1ZeKAnSBib2R5ID88bzpwPjwv bzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOzxvOnA+ PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+VGhhbmsgeW91 LDxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+QWxl eWRpbiBLYXJhaW1pbjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+Jm5ic3A7PG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7SGVsdmV0 aWNhJnF1b3Q7LHNhbnMtc2VyaWYiPl9fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19f X19fX19fX19fX19fPGJyPg0Kc2NpbSBtYWlsaW5nIGxpc3Q8YnI+DQo8L3NwYW4+PGEgaHJlZj0i bWFpbHRvOnNjaW1AaWV0Zi5vcmciPjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4wcHQ7Zm9udC1m YW1pbHk6JnF1b3Q7SGVsdmV0aWNhJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6Izk1NEY3MiI+c2Np bUBpZXRmLm9yZzwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTo5LjBwdDtmb250LWZh bWlseTomcXVvdDtIZWx2ZXRpY2EmcXVvdDssc2Fucy1zZXJpZiI+PGJyPg0KPC9zcGFuPjxhIGhy ZWY9Imh0dHBzOi8vdXJsZGVmZW5zZS5wcm9vZnBvaW50LmNvbS92Mi91cmw/dT1odHRwcy0zQV9f d3d3LmlldGYub3JnX21haWxtYW5fbGlzdGluZm9fc2NpbSZhbXA7ZD1Ed0lDQWcmYW1wO2M9Um9Q MVl1bUNYQ2dhV0h2bFpZUjhQWmg4QnY3cUlyTVVCNjVlYXBJX0puRSZhbXA7cj1uYTVGVnpCVFdt YW5xV055NERwY3R5WFBwdVlxUGtBSTFhTGNMTjRLWk5BJmFtcDttPUlNOGc0eENFN3VlRlpZQ01O aWZVX29fSjRrZ2FXYjR5OGU1ZlBLSU8yZDAmYW1wO3M9eG4ydFFGR0tOeGlyVDNmc042TVB2NXpT b2J2Uko3eURJNnEyMzdwYUtKTSZhbXA7ZT0iPjxzcGFuIHN0eWxlPSJmb250LXNpemU6OS4wcHQ7 Zm9udC1mYW1pbHk6JnF1b3Q7SGVsdmV0aWNhJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6Izk1NEY3 MiI+aHR0cHM6Ly91cmxkZWZlbnNlLnByb29mcG9pbnQuY29tL3YyL3VybD91PWh0dHBzLTNBX193 d3cuaWV0Zi5vcmdfbWFpbG1hbl9saXN0aW5mb19zY2ltJmFtcDtkPUR3SUNBZyZhbXA7Yz1Sb1Ax WXVtQ1hDZ2FXSHZsWllSOFBaaDhCdjdxSXJNVUI2NWVhcElfSm5FJmFtcDtyPW5hNUZWekJUV21h bnFXTnk0RHBjdHlYUHB1WXFQa0FJMWFMY0xONEtaTkEmYW1wO209SU04ZzR4Q0U3dWVGWllDTU5p ZlVfb19KNGtnYVdiNHk4ZTVmUEtJTzJkMCZhbXA7cz14bjJ0UUZHS054aXJUM2ZzTjZNUHY1elNv YnZSSjd5REk2cTIzN3BhS0pNJmFtcDtlPTwvc3Bhbj48L2E+PG86cD48L286cD48L3A+DQo8L2Rp dj4NCjwvYmxvY2txdW90ZT4NCjwvZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJz cDs8L286cD48L3A+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9ib2R5Pg0KPC9odG1sPg0K --_000_HE1PR0202MB2652361E4EEFD1D962B776DDF8DC0HE1PR0202MB2652_--