
Date: Wed, 8 Jun 2016 23:16:44 -0400 (EDT)
From: Mouse <mouse@Rodents-Montreal.ORG>
To: ietf-ssh@netbsd.org
Subject: Rekey issue

I've just tripped over an issue in my implementation and I was
wondering what people think the rightest behaviour is and/or what other
implementations do.

The problematic behaviour is: user connects to a host and accepts the
host key for this session only (ie, without recording it anywhere
permanent).  Then, on rekey, the client once again finds the host key
unlisted and wants user confirmation of its acceptability.

I can see at least three ways of dealing with this: (1) when rekeying,
always accept the host key regardless of what it is, (2) when rekeying,
require that the host key be what it was the first time around, always
accepting if it is and erroring if not, and (3) when rekeying, behave
as normal except that a second copy of the host key from the first time
around is, effectively, added as a trusted key for the host.

For the moment, I've done (1).  I'm wondering (a) what other
implementations do, (b) if I've missed an option above, and (c) what
people think should ideally be done.

It's also possible something is given in the spec for this and I just
missed it, though (since it's a user-interface issue) I'm inclined to
doubt it.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

From: nisse@lysator.liu.se (Niels Möller)
To: Mouse <mouse@Rodents-Montreal.ORG>
Cc: ietf-ssh@netbsd.org
Subject: Re: Rekey issue
Date: Thu, 09 Jun 2016 13:15:34 +0200

Mouse <mouse@Rodents-Montreal.ORG> writes:

> I can see at least three ways of dealing with this: (1) when rekeying,
> always accept the host key regardless of what it is, (2) when rekeying,
> require that the host key be what it was the first time around, always
> accepting if it is and erroring if not, and (3) when rekeying, behave
> as normal except that a second copy of the host key from the first time
> around is, effectively, added as a trusted key for the host.

I think I'm doing (3). That's what made most sense to me when I
implemented it, but maybe there are better options. When an unknown key
is received at the initial keyexchange, there are three possible
outcomes depending on the user interaction:

A. Disconnect.

B. Accepted only for this connection. Key is added to the in-memory list
   of trusted host keys.

C. Accepted. As above, but in addition, the key is appended to the host
   key list on disk.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.

Date: Sun, 12 Jun 2016 17:03:03 +1000 (AEST)
From: Damien Miller <djm@mindrot.org>
To: Mouse <mouse@Rodents-Montreal.ORG>
cc: ietf-ssh@netbsd.org
Subject: Re: Rekey issue

On Wed, 8 Jun 2016, Mouse wrote:

> I can see at least three ways of dealing with this: (1) when rekeying,
> always accept the host key regardless of what it is, (2) when
> rekeying, require that the host key be what it was the first time
> around, always accepting if it is and erroring if not, and (3) when
> rekeying, behave as normal except that a second copy of the host key
> from the first time around is, effectively, added as a trusted key for
> the host.

OpenSSH does:

(4) silently accept the hostkey if it is identical to the one used to
authenticate the previous KEX, search the known hostkeys otherwise and
if not found there then do whatever is configured for hitherto-unknown
hostkeys. This could be automatically accepting, prompting the user or
unconditionally rejecting the key.

-d

Date: Mon, 13 Jun 2016 20:35:34 -0400 (EDT)
From: Mouse <mouse@Rodents-Montreal.ORG>
To: ietf-ssh@netbsd.org
Subject: Re: Rekey issue

>> I can see at least three ways of dealing with this: (1) [...], (2)
>> [...], and (3) when rekeying, behave as normal except that a second
>> copy of the host key from the first time around is, effectively,
>> added as a trusted key for the host.

> OpenSSH does:

> (4) silently accept the hostkey if it is identical to the one used to
> authenticate the previous KEX, search the known hostkeys otherwise and
> if not found there then do whatever is configured for hitherto-unknown
> hostkeys.

I must be missing something.  To me, this sounds like (3).  What's the
difference?

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

From: nisse@lysator.liu.se (Niels Möller)
To: Mouse <mouse@Rodents-Montreal.ORG>
Cc: ietf-ssh@netbsd.org
Subject: Re: Rekey issue
Date: Tue, 14 Jun 2016 14:48:00 +0200

Mouse <mouse@Rodents-Montreal.ORG> writes:

>>> I can see at least three ways of dealing with this: (1) [...], (2)
>>> [...], and (3) when rekeying, behave as normal except that a second
>>> copy of the host key from the first time around is, effectively,
>>> added as a trusted key for the host.
>
>> OpenSSH does:
>
>> (4) silently accept the hostkey if it is identical to the one used to
>> authenticate the previous KEX, search the known hostkeys otherwise and
>> if not found there then do whatever is configured for hitherto-unknown
>> hostkeys.
>
> I must be missing something.  To me, this sounds like (3).  What's the
> difference?

Not sure if the distinction was intended, and if so, if it matters, but
consider the case where the same (previously unknown) host key A occurs
in the first and third key exchange, but a distinct host key B is used
(and somehow accepted) in the second keyexchange.

In this scenario, (3) unconditionally accepts A as trusted when it
returns in the third key exchange, while (4) doesn't.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
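
Added example (not part of the original thread, and not code from any of the implementations mentioned): a small model of policies (1) to (4) that replays the A, B, A host-key sequence described above. Class and function names are illustrative, host keys are constructed labels, and every unknown-key decision is assumed to end in acceptance for this connection only ("somehow accepted").

```python
"""Host-key decisions on SSH rekey under the four policies from this thread.

Policy numbers follow the thread; all names here are illustrative.
Host keys are represented by constructed labels ("A", "B").
"""
from enum import Enum


class Decision(Enum):
    SILENT_ACCEPT = "silent-accept"
    UNKNOWN_KEY = "unknown-key handling"  # prompt, auto-accept or reject, as configured
    REJECT = "reject"


class Connection:
    def __init__(self, policy, known_hosts=()):
        if policy not in (1, 2, 3, 4):
            raise ValueError("policy must be 1, 2, 3 or 4")
        self.policy = policy
        self.known_hosts = set(known_hosts)  # persistent (on-disk) trust
        self.session_trusted = set()         # in-memory trust, used by policy (3)
        self.first_key = None                # key from the initial key exchange
        self.previous_key = None             # key from the most recent key exchange

    def decide(self, key):
        """Return the decision for `key` without changing any state."""
        listed = key in self.known_hosts
        if self.first_key is None:
            # Initial key exchange: identical under all four policies.
            return Decision.SILENT_ACCEPT if listed else Decision.UNKNOWN_KEY
        if self.policy == 1:
            # (1) accept whatever key shows up on rekey.
            return Decision.SILENT_ACCEPT
        if self.policy == 2:
            # (2) the key must be the one from the first key exchange.
            return Decision.SILENT_ACCEPT if key == self.first_key else Decision.REJECT
        if self.policy == 3:
            # (3) normal lookup, with session-accepted keys counted as trusted.
            trusted = listed or key in self.session_trusted
        else:
            # (4) only the key from the previous KEX is remembered.
            trusted = key == self.previous_key or listed
        return Decision.SILENT_ACCEPT if trusted else Decision.UNKNOWN_KEY

    def key_exchange(self, key, unknown_key_accepted=True):
        """Apply one key exchange; returns (decision, connection_continues)."""
        decision = self.decide(key)
        ok = decision is Decision.SILENT_ACCEPT or (
            decision is Decision.UNKNOWN_KEY and unknown_key_accepted)
        if ok:
            if self.first_key is None:
                self.first_key = key
            self.previous_key = key
            self.session_trusted.add(key)
        return decision, ok


def run(policy, keys, known_hosts=()):
    """Replay a sequence of host keys; stop at the first refused key."""
    conn = Connection(policy, known_hosts)
    decisions = []
    for key in keys:
        decision, ok = conn.key_exchange(key)
        decisions.append(decision)
        if not ok:
            break
    return decisions


if __name__ == "__main__":
    for policy in (1, 2, 3, 4):
        steps = ", ".join(d.value for d in run(policy, ["A", "B", "A"]))
        print(f"({policy}) A, B, A -> {steps}")
```

Under (1) a changed key on rekey never reaches the user at all, and (3) and (4) only diverge on the third exchange, where (3) accepts the returning key A silently and (4) sends it back through unknown-key handling.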

Date: Tue, 14 Jun 2016 09:04:04 -0400 (EDT)
From: Mouse <mouse@Rodents-Montreal.ORG>
To: ietf-ssh@netbsd.org
Subject: Re: Rekey issue

>> [two kex scenarios, I asked how they differed]
> [C]onsider the case where the same (previously unknown) host key A
> occurs in the first and third key exchange, but a distinct host key B
> is used (and somehow accepted) in the second keyexchange.

Ooh, well spotted.  Thank you.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse@rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

From: "denis bider (Bitvise)" <ietf-ssh3@denisbider.com>
To: "Mouse" <mouse@Rodents-Montreal.ORG>, <ietf-ssh@netbsd.org>
Cc: <djm@mindrot.org>, Niels "Möller" <nisse@lysator.liu.se>
Subject: Re: Rekey issue
Date: Tue, 14 Jun 2016 08:19:38 -0600

To me, this also sounds like (3). I also agree with this option.


From: Mouse
Sent: Monday, June 13, 2016 18:35
To: ietf-ssh@netbsd.org
Subject: Re: Rekey issue

>> I can see at least three ways of dealing with this: (1) [...], (2)
>> [...], and (3) when rekeying, behave as normal except that a second
>> copy of the host key from the first time around is, effectively,
>> added as a trusted key for the host.

> OpenSSH does:

> (4) silently accept the hostkey if it is identical to the one used to
> authenticate the previous KEX, search the known hostkeys otherwise and
> if not found there then do whatever is configured for hitherto-unknown
> hostkeys.

I must be missing something.  To me, this sounds like (3).  What's the
difference?

/~\ The ASCII   Mouse
\ / Ribbon Campaign
X  Against HTML mouse@rodents-montreal.org
/ \ Email!      7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B



From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 22 01:42:39 2016
Content-Type: text/plain; charset=UTF-8
From: Simon Tatham <anakin@pobox.com>
To: ietf-ssh <ietf-ssh@netbsd.org>
Subject: Call for review: SSH IUTF8 terminal mode
Date: Wed, 22 Jun 2016 09:42:31 +0100
Message-Id: <1466583822-sup-1463@atreus.tartarus.org>
User-Agent: Sup/git
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

I'm trying to get an RFC published that standardises the use of code 42
for the IUTF8 terminal mode bit.

This has been suggested on this list more than once: in the mailing list
archives at

  ftp://ftp.ietf.org/ietf-mail-archive/secsh/

I can find discussion started by Colin Watson on 2005-12-31, and by
David Madore on 2013-03-29. Both suggestions allocated the same number
(42) for the flag.

Moreover, Fedora's package of OpenSSH already seems to be running with a
downstream patch implementing IUTF8 under that number. For example, I
just found

  https://dl.fedoraproject.org/pub/fedora/linux/updates/23/SRPMS/o/openssh-7.2p2-3.fc23.src.rpm

which contains a patch file openssh-7.1p1-iutf8.patch implementing it. I
also know that MouSSH has a development branch containing the same
feature.

So I'd like to bless that existing consensus and practice by turning
this Internet-Draft into an RFC:

  https://datatracker.ietf.org/doc/draft-sgtatham-secsh-iutf8

and am calling for reviews. If anyone has any review comments or
(hopefully not) objections, please send them along!

Cheers,
Simon

-- 
for k in [pow(x,37,0x1a1298d262b49c895d47f) for x in [0x50deb914257022de7fff,
0x213558f2215127d5a2d1, 0x90c99e86d08b91218630, 0x109f3d0cfbf640c0beee7,
0xc83e01379a5fbec5fdd1, 0x19d3d70a8d567e388600e, 0x534e2f6e8a4a33155123]]:
 print "".join([chr(32+3*((k>>x)&1))for x in range(79)]) # <anakin@pobox.com>

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Wed Jun 22 08:44:39 2016
To: Simon Tatham <anakin@pobox.com>
CC: ietf-ssh <ietf-ssh@NetBSD.org>
Subject: Re: Call for review: SSH IUTF8 terminal mode 
In-Reply-To: <1466583822-sup-1463@atreus.tartarus.org> 
References: <1466583822-sup-1463@atreus.tartarus.org>
Comments: In-reply-to: Simon Tatham <anakin@pobox.com> message dated "Wed, 22 Jun 2016 09:42:31 +0100."
From: "Mark D. Baushke" <mdb@juniper.net>
Date: Wed, 22 Jun 2016 08:32:11 -0700
Message-ID: <42735.1466609531@eng-mail01.juniper.net>
MIME-Version: 1.0
Content-Type: text/plain
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

Hi Simon,

I like what you have written.

I suggest you may wish to add RFC 3629 in section 7.2 of your draft.

As RFC 3629 is slightly out-of-date, a reference to ISO/IEC 10646:2014
may also be useful.

In September 2006, ISO released a free online PDF copy of ISO 10646 on
its Freely Available Standards web page:

  http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html

On that page you should be able to find links for ISO/IEC 10646:2014
as well as the two amendments for it. The ZIP file is 130 MB.

There is a good FAQ on UTF-8 and Unicode for Unix/Linux available here:

  https://www.cl.cam.ac.uk/~mgk25/unicode.html

Thank you for going through the process of getting this into an RFC for
SSH.

	-- Mark

From bounces-ietf-ssh-owner-secsh-tyoxbijeg7-archive=lists.ietf.org@NetBSD.org  Mon Jun 27 05:15:42 2016
Subject: Fwd: [Editorial Errata Reported] RFC4253 (4721)
References: <20160627105527.3BD0DB81777@rfc-editor.org>
To: "ietf-ssh@netbsd.org" <ietf-ssh@NetBSD.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
X-Forwarded-Message-Id: <20160627105527.3BD0DB81777@rfc-editor.org>
Message-ID: <577106EE.4000007@cs.tcd.ie>
Date: Mon, 27 Jun 2016 11:58:54 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <20160627105527.3BD0DB81777@rfc-editor.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms070208000405090804060309"
Sender: ietf-ssh-owner@NetBSD.org
List-Id: ietf-ssh.NetBSD.org
Precedence: list

This is a cryptographically signed message in MIME format.

--------------ms070208000405090804060309
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable


FYI. If folks tell me to, I'll approve this erratum. If
they tell me to not approve it I'll do that. If silence
ensues... I'll do nothing:-)

Cheers,
S.

PS: The above is my default mode of operation for errata.


-------- Forwarded Message --------
Subject: [Editorial Errata Reported] RFC4253 (4721)
Date: Mon, 27 Jun 2016 03:55:27 -0700 (PDT)
From: RFC Errata System <rfc-editor@rfc-editor.org>
To: ylo@ssh.com, clonvick@cisco.com, stephen.farrell@cs.tcd.ie,
Kathleen.Moriarty.ietf@gmail.com, sommerfeld@sun.com
CC: o.andriyanov@gmail.com, rfc-editor@rfc-editor.org

The following errata report has been submitted for RFC4253,
"The Secure Shell (SSH) Transport Layer Protocol".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=4253&eid=4721

--------------------------------------
Type: Editorial
Reported by: Oleg Andriyanov <o.andriyanov@gmail.com>

Section: 5.3

Original Text
-------------
   o  The minimum size of a TCP/IP header is 32 bytes.  Thus, the
      increase is actually from 33 to 51 bytes (roughly).

   o  The minimum size of the data field of an Ethernet packet is 46
      bytes [RFC0894].  Thus, the increase is no more than 5 bytes.
      When Ethernet headers are considered, the increase is less than 10
      percent.

Corrected Text
--------------
   o  The minimum size of a TCP/IP header is 32 bytes.  Thus, the
      increase is actually from 33 to 60 bytes (roughly).

   o  The minimum size of the data field of an Ethernet packet is 46
      bytes [RFC0894].  Thus, the increase is no more than 14 bytes.
      When Ethernet headers are considered, the increase is less than 25
      percent.


Notes
-----
As the minimum size of SSH message is 28, the minimum size of the TCP
segment containing SSH message must be 32 + 28 == 60 bytes (as opposed
to 32 + 1 in case of transmission of plain text over TCP).

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC4253 (draft-ietf-secsh-transport-24)
--------------------------------------
Title               : The Secure Shell (SSH) Transport Layer Protocol
Publication Date    : January 2006
Author(s)           : T. Ylonen, C. Lonvick, Ed.
Category            : PROPOSED STANDARD
Source              : Secure Shell
Area                : Security
Stream              : IETF
Verifying Party     : IESG





--------------ms070208000405090804060309--
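
The arithmetic in the erratum above, worked through as an added example (not part of the erratum or of RFC 4253 itself). It applies the RFC 4253 section 6 padding rule to a one-byte payload; the 8-byte cipher block, the 12-byte MAC (chosen because it reproduces the 28-byte minimum quoted in the Notes) and the 18 bytes of Ethernet header plus FCS are assumptions, and the function names are hypothetical.

```python
"""Wire-size arithmetic behind the RFC 4253 section 5.3 erratum (added example)."""

TCP_IP_HEADER = 32       # minimum TCP/IP header size quoted in the erratum
ETH_MIN_DATA = 46        # minimum Ethernet data field quoted in the erratum
ETH_HEADER_AND_FCS = 18  # assumption: 14-byte Ethernet II header + 4-byte FCS


def ssh_packet_size(payload_len, block_size=8, mac_len=12):
    """Bytes on the wire for one SSH binary packet (RFC 4253 section 6).

    Layout: uint32 packet_length, byte padding_length, payload,
    random padding, MAC. Everything before the MAC must be a multiple
    of max(8, cipher block size) and carry at least 4 bytes of padding.
    """
    if payload_len < 0 or mac_len < 0:
        raise ValueError("lengths must be non-negative")
    block = max(block_size, 8)
    unpadded = 4 + 1 + payload_len
    padding = block - (unpadded % block)
    if padding < 4:              # too little padding: extend by one block
        padding += block
    if padding > 255:            # padding_length is a single byte
        raise ValueError("block size too large for a one-byte padding_length")
    return unpadded + padding + mac_len


def tcp_segment_size(data_len):
    """Minimum TCP/IP header plus the data carried in the segment."""
    return TCP_IP_HEADER + data_len


def ethernet_data_field(segment_len):
    """Short segments are padded up to the Ethernet minimum data field."""
    return max(segment_len, ETH_MIN_DATA)


def compare_one_keystroke(payload_len=1, block_size=8, mac_len=12):
    """Plain-text versus SSH cost of sending payload_len bytes in one segment."""
    plain_seg = tcp_segment_size(payload_len)
    ssh_seg = tcp_segment_size(ssh_packet_size(payload_len, block_size, mac_len))
    plain_data = ethernet_data_field(plain_seg)
    ssh_data = ethernet_data_field(ssh_seg)
    plain_frame = plain_data + ETH_HEADER_AND_FCS
    ssh_frame = ssh_data + ETH_HEADER_AND_FCS
    return {
        "plain_segment": plain_seg,
        "ssh_segment": ssh_seg,
        "plain_eth_data": plain_data,
        "ssh_eth_data": ssh_data,
        "eth_increase_bytes": ssh_data - plain_data,
        "eth_increase_percent": 100.0 * (ssh_frame - plain_frame) / plain_frame,
    }


if __name__ == "__main__":
    for name, value in compare_one_keystroke().items():
        print(f"{name:22} {value}")
```

With a larger cipher block or MAC (for example block_size=16, mac_len=32) the SSH packet grows further, which is why RFC 4253 qualifies its minimum as depending on the negotiated algorithms.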
