
From internet-drafts@ietf.org  Wed Feb  5 15:55:16 2014
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
Date: Wed, 05 Feb 2014 15:55:15 -0800
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

        Title           : RPKI Local Trust Anchor Use Cases
        Author          : Randy Bush
        Filename        : draft-ietf-sidr-lta-use-cases-00.txt
        Pages           : 5
        Date            : 2014-02-05

Abstract:
   There are a number of critical circumstances where a localized
   routing domain needs to augment or modify its view of the Global
   RPKI.  This document attempts to outline a few of them.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-lta-use-cases/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases-00


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From prvs=7114331750=sandra.murphy@parsons.com  Wed Feb  5 16:28:26 2014
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Date: Thu, 6 Feb 2014 00:28:20 +0000
Subject: [sidr] FW:  I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

The lta-use-cases draft was motivated as a way to start/guide
discussion of the Local Trust Anchor Management draft and the
Suspenders draft.

The question is whether we need both efforts, or only one, and if so,
which one.

So we need to discuss the use cases.  And discuss the two drafts.

Local Trust Anchor Use Cases: http://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases-00  (below)

Local Trust Anchor Management: http://tools.ietf.org/html/draft-ietf-sidr-ltamgmt-08

Suspenders: http://tools.ietf.org/html/draft-kent-sidr-suspenders-00

--Sandy, speaking as one of the wg co-chairs
________________________________________
From: sidr [sidr-bounces@ietf.org] on behalf of internet-drafts@ietf.org [internet-drafts@ietf.org]
Sent: Wednesday, February 05, 2014 6:55 PM
To: i-d-announce@ietf.org
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

        Title           : RPKI Local Trust Anchor Use Cases
        Author          : Randy Bush
        Filename        : draft-ietf-sidr-lta-use-cases-00.txt
        Pages           : 5
        Date            : 2014-02-05

Abstract:
   There are a number of critical circumstances where a localized
   routing domain needs to augment or modify its view of the Global
   RPKI.  This document attempts to outline a few of them.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-lta-use-cases/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases-00

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

From randy@psg.com  Wed Feb  5 18:13:01 2014
Date: Thu, 06 Feb 2014 11:12:56 +0900
From: Randy Bush <randy@psg.com>
To: Sandra Murphy <Sandra.Murphy@parsons.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] FW:  I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

> The lta-use-cases draft was motivated as a way to start/guide
> discussion of the Local Trust Anchor Management draft and the
> Suspenders draft.
> 
> The question is whether we need both efforts, or only one, and if so,
> which one.

if you accept the three cases of the use cases draft, you may be left
thinking that neither ltam nor suspenders meets the needs.  it's all
about roas, certs are incidental.

randy


From david@mandelberg.org  Thu Feb  6 10:38:56 2014
Date: Thu, 06 Feb 2014 13:53:57 -0500
From: David Mandelberg <david@mandelberg.org>
To: <sidr@ietf.org>
Subject: Re: [sidr] FW:  I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

On 2014-02-05 21:12, Randy Bush wrote:
>> The lta-use-cases draft was motivated as a way to start/guide
>> discussion of the Local Trust Anchor Management draft and the
>> Suspenders draft.
>>
>> The question is whether we need both efforts, or only one, and if so,
>> which one.
>
> if you accept the three cases of the use cases draft, you may be left
> thinking that neither ltam nor suspenders meets the needs.  it's all
> about roas, certs are incidental.

I think Suspenders meets Carol's use case. Carol could publish a LOCK 
and INRD as a precautionary measure. Then when the Dutch court attacks, 
relying parties that use Suspenders would detect the attack and could 
continue to route to Carol.

I'm working on a new draft called SLURM (Simplified Local internet 
nUmber Resource Management) that I hope to have out before the cutoff 
next week. I'm pretty sure it handles Bob's use case, and I think it 
could also handle Alice's use case if I understand that case correctly.



-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/

From christopher.morrow@gmail.com  Fri Feb  7 07:12:21 2014
Date: Fri, 7 Feb 2014 10:12:18 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Stephen Kent <kent@bbn.com>
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs

On Wed, Jan 29, 2014 at 11:24 AM, Stephen Kent <kent@bbn.com> wrote:
> Randy,
>
>>>> hence the "per se," meaning in and of itself.  some cases of pouring
>>>> cement into a router (see london tube) are security issues, some are
>>>> not.
>>>>
>>>> how would you make that more clear?
>>>
>>> I think Warren's suggestion of simply eliminating the assertion about
>>> whether it's a security issue, per se or otherwise, and just saying
>>> that it's out of scope is enough for the intro.
>>
>> i disagree.  would be interested in hearing other opinions.
>>
> If just saying that it's out of scope allows us to move forward with
> this doc, that works for me.

Ok... did we cycle on to a solution to this conundrum? (the above
seems ok to me)

From madi@zdns.cn  Fri Feb  7 08:04:12 2014
From: 马 迪 <madi@zdns.cn>
Date: Sat, 8 Feb 2014 00:03:57 +0800
To: David Mandelberg <david@mandelberg.org>
Cc: sidr@ietf.org
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

David,
	Ever since LTAM was designed, I have been intrigued by one of
its motivations, that a nation can protect nets within its
administrative jurisdiction by directing internal nets to rely on a
national authority for RPKI data for these critical infrastructure
resources. I think it’s a significant concern in deploying RPKI
worldwide.  As you know, I was trying to figure out how to utilize LTAM
or Suspenders especially where NIRs exist.  I am therefore looking
forward to seeing your new draft called SLURM that is going to bring
some new ideas.


Di Ma
Internet Domain Name System Beijing Engineering Research Centre (ZDNS)


On 7 Feb 2014, at 2:53 AM, David Mandelberg <david@mandelberg.org> wrote:

> On 2014-02-05 21:12, Randy Bush wrote:
>>> The lta-use-cases draft was motivated as a way to start/guide
>>> discussion of the Local Trust Anchor Management draft and the
>>> Suspenders draft.
>>>
>>> The question is whether we need both efforts, or only one, and if so,
>>> which one.
>>
>> if you accept the three cases of the use cases draft, you may be left
>> thinking that neither ltam nor suspenders meets the needs.  it's all
>> about roas, certs are incidental.
>
> I think Suspenders meets Carol's use case. Carol could publish a LOCK
> and INRD as a precautionary measure. Then when the Dutch court attacks,
> relying parties that use Suspenders would detect the attack and could
> continue to route to Carol.
>
> I'm working on a new draft called SLURM (Simplified Local internet
> nUmber Resource Management) that I hope to have out before the cutoff
> next week. I'm pretty sure it handles Bob's use case, and I think it
> could also handle Alice's use case if I understand that case correctly.
>
> --
> David Eric Mandelberg / dseomn
> http://david.mandelberg.org/


From prvs=7115a17ffd=sandra.murphy@parsons.com  Fri Feb  7 11:47:56 2014
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Date: Fri, 7 Feb 2014 19:47:46 +0000
Subject: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

The authors of "draft-ietf-sidr-multiple-publication-points" proposed a
new direction for that draft that included:

- A "6490-bis" document that obsoletes RFC 6490 with the addition of
  multiple operators in section 3 of the current document.

The wg having consented to that approach, the authors of RFC6490
produced a new draft draft-huston-sidr-rfc6490-bis that would serve as
the 6490-bis.

The authors of draft-huston-sidr-rfc6490-bis have requested that the wg
adopt this draft as a working group work item.

See http://tools.ietf.org/html/draft-huston-sidr-rfc6490-bis-00,
"Resource Certificate PKI (RPKI) Trust Anchor Locator".

Please do respond to the list as to whether you support the wg adopting
this as a work item.  Note that you do not need to comment on the
content of this draft at this time.  You are asked to indicate if you
think that this is work that the wg should be doing and whether this
draft is an acceptable starting point.  Adding whether you can/will
review or not is useful.

This adoption poll will end on Friday, 21 February, 2014.

--Sandy, speaking as wg co-chair

From randy@psg.com  Fri Feb  7 19:17:27 2014
Date: Sat, 08 Feb 2014 12:17:17 +0900
From: Randy Bush <randy@psg.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] WGLC: draft-ietf-sidr-bgpsec-reqs

perhaps people should use a dictionary and look up "per se."

randy

From randy@psg.com  Fri Feb  7 20:21:10 2014
Return-Path: <randy@psg.com>
Date: Sat, 08 Feb 2014 13:21:06 +0900
Message-ID: <m2ha8a8cb1.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Sandra Murphy <Sandra.Murphy@parsons.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

i think this is a worthwhile effort and this document is a good place to
start.

--

presuming there is consensus to adopt, i have some nits we can
discuss when it is a wg item.

  o i thought folk wanted a blank line between the URI(s) and the key

  o last para of 2.2 says

       Where the TAL contains two or more rsync URIs, then the same
       self-signed CA certificate MUST be found at each referenced
       location.

    maybe should say what happens when one or more do not have the same
    cert?  does the whole TAL get ignored?

  o same last para of 2.2

       it is RECOMMENDED that the domain name parts of each of these
       URIs resolve to distinct IP addresses that are used by a diverse
       set of repository publication points, and these IP addresses be
       included in distinct Route Origination Authorizations (ROAs)
       objects signed by different CAs.

    as this is ops guidance, and really the core of the proposed change,
    perhaps the rationale for this should be given

  o 3.1 

       Retrieve the object referenced by (one of) the URI(s) contained
       in the TAL.

    you may want to give some guidance as to which one.  pseudo-random?
    first?  think load balancing, proximity, ..., a la dns

and then there are the questions folk have been raising about
consistency, etc., which i will leave to them.

randy

From tim@ripe.net  Sat Feb  8 05:14:27 2014
Return-Path: <tim@ripe.net>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <m2ha8a8cb1.wl%randy@psg.com>
Date: Sat, 8 Feb 2014 14:14:12 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.1510)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

On Feb 8, 2014, at 5:21 AM, Randy Bush <randy@psg.com> wrote:

> i think this is a worthwhile effort and this document is a good place to
> start.
>

+1

Some initial comments in-line.

> --
>
> presuming there is consensus to adopt, i have some nits we can
> discuss when it is a wg item.
>
>  o i thought folk wanted a blank line between the URI(s) and the key
>

I am not sure that I care too much about this as long as it's well
defined.

But if the format is open to change, then I would feel more for a
key=value style, or dare I say even json.. this is parsed by the
machines after all. And using something like json makes it much more
flexible regarding ordering of elements, or extending should that ever
be necessary.

>  o last para of 2.2 says
>
>       Where the TAL contains two or more rsync URIs, then the same
>       self-signed CA certificate MUST be found at each referenced
>       location.
>
>    maybe should say what happens when one or more do not have the same
>    cert?  does the whole TAL get ignored?

I agree, but on top of that having multiple publication points by
definition implies that there will be differences, albeit short lived.

I would like to see wording along these lines.
= TA MUST increment serial number whenever they re-issue the CA cert
= TA SHOULD* publish the CA cert in all locations 'asap', within 1 hour?
= TA SHOULD* remove the cert from unmaintained locations
  *: They may not be able to if this is hosted at a third party

To handle all this more elegantly I think there should be a mechanism
for TAs to publish replacement TALs. To add, or remove URIs, or even to
do planned key rolls (for example: TA wants to change HSM vendor). What
if the TA could optionally publish one (1) signed object containing an
updated TAL? And possibly some dates: do-not-use-this-before, and
do-not-use-other-after?

This would allow RPs to use existing TALs to discover updates and
process automatically (it is signed by the key that I trust). It could
stop re-trying retired URIs, and start using the new ones. And even
planned key rolls could be as simple as this on this level (provided the
TA re-issues and publishes all the products before the change date,
under the new key and in its own repositories).


>  o same last para of 2.2
>
>       it is RECOMMENDED that the domain name parts of each of these
>       URIs resolve to distinct IP addresses that are used by a diverse
>       set of repository publication points, and these IP addresses be
>       included in distinct Route Origination Authorizations (ROAs)
>       objects signed by different CAs.
>
>    as this is ops guidance, and really the core of the proposed change,
>    perhaps the rationale for this should be given
>
>  o 3.1
>
>       Retrieve the object referenced by (one of) the URI(s) contained
>       in the TAL.
>
>    you may want to give some guidance as to which one.  pseudo-random?
>    first?  think load balancing, proximity, ..., a la dns

I like to see some guidance, but ultimately I think the RP should be
allowed to choose a strategy.

I would probably prefer to check all URIs regularly, and go with the
certificate with the highest serial number (provided the key matches of
course).



Tim

From tim@ripe.net  Sat Feb  8 06:33:57 2014
Return-Path: <tim@ripe.net>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6940A848A@HSV-MB001.huntsville.ads.sparta.com>
Date: Sat, 8 Feb 2014 15:33:44 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <F8D5F608-853E-47BE-9C0F-F54C4208E04F@ripe.net>
References: <20140205235515.22408.47624.idtracker@ietfa.amsl.com> <24B20D14B2CD29478C8D5D6E9CBB29F6940A848A@HSV-MB001.huntsville.ads.sparta.com>
To: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
X-Mailer: Apple Mail (2.1510)
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

Hi,

On Feb 6, 2014, at 1:28 AM, "Murphy, Sandra" <Sandra.Murphy@parsons.com> wrote:

> The lta-use-cases draft was motivated as a way to start/guide
> discussion of the Local Trust Anchor Management draft and the
> Suspenders draft.
>
> The question is whether we need both efforts, or only one, and if so,
> which one.
>
> So we need to discuss the use cases.  And discuss the two drafts.
>
> Local Trust Anchor Use Cases: http://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases-00  (below)

Looks like a good starting point to me. Though I had to parse the line
about unicorns twice..

> Local Trust Anchor Management: http://tools.ietf.org/html/draft-ietf-sidr-ltamgmt-08

If I understood correctly it was the authors intent to replace the
existing ltamgmt document with the new work?

> Suspenders: http://tools.ietf.org/html/draft-kent-sidr-suspenders-00

Fundamentally I think there is a problem in letting a child refer to a
third party that can override its parent. I think it just doesn't fit in
the hierarchical rpki, and hence all the complexity to deal with
history, and trying to separate noise from signal. I appreciate that
it's well intended and a lot of thought has gone into this, but in my
opinion this is a very complicated way to deal with this.

What I would suggest instead is to go to the third party directly. I
think we already have all the building blocks..

This third party can publish a TAL containing resources that it claims
to know better. They can then operate a normal CA and publish all the
ROAs they see fit, or even act as parent CA using up-down. RPs could be
configured to use both TAs and treat them as complementary (i.e. accept
the ROAs from both), or exclusive (i.e. ignore the ROAs for the
resources listed by third party under any other TA tree), or probably
best even: alert the operator and let them choose and set defaults.

To deal with Carol's case, well-known third parties could be set up. If
all is well they should have no content, but the key difference is that
it would no longer be possible to do a *covert* attack on Carol. I
understand that it's re-active rather than pro-active, but I think this
is enough to make the attack moot: it's not very effective and it has
drawbacks: it degrades trust and thereby security of internet
infrastructure.

Bob can just create a complementary TAL for the private space.

Alice can create a TAL that takes precedence, and have her management's
vision of the truth.

All this needs some tooling, but I don't think it needs more standards.

Tim


>
> --Sandy, speaking as one of the wg co-chairs
> ________________________________________
> From: sidr [sidr-bounces@ietf.org] on behalf of internet-drafts@ietf.org [internet-drafts@ietf.org]
> Sent: Wednesday, February 05, 2014 6:55 PM
> To: i-d-announce@ietf.org
> Cc: sidr@ietf.org
> Subject: [sidr] I-D Action: draft-ietf-sidr-lta-use-cases-00.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.
>
>        Title           : RPKI Local Trust Anchor Use Cases
>        Author          : Randy Bush
>        Filename        : draft-ietf-sidr-lta-use-cases-00.txt
>        Pages           : 5
>        Date            : 2014-02-05
>
> Abstract:
>   There are a number of critical circumstances where a localized
>   routing domain needs to augment or modify its view of the Global
>   RPKI.  This document attempts to outline a few of them.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-lta-use-cases/
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases-00
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>


From gih902@gmail.com  Sun Feb  9 14:05:45 2014
Return-Path: <gih902@gmail.com>
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Geoff Huston <gih902@gmail.com>
In-Reply-To: <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net>
Date: Mon, 10 Feb 2014 09:05:39 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <DCAF237A-C70A-4311-9232-69499F97CE0B@gmail.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net>
To: Tim Bruijnzeels <tim@ripe.net>
X-Mailer: Apple Mail (2.1827)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

Hi,

I took the text in draft-ietf-sidr-multiple-publication-points as it
related to TAs and placed it into the RFC6490bis draft without change.

The syntax of the TAL is not something I care a lot about either - I
suppose that one could get worried about rogue TAs that try to place 1
million URIs into the TAL, and get into the whole JSON / plain ascii
thing - I thought that the draft-ietf-sidr-multiple-publication-points
document already had a certain level of WG buy-in behind it - I guess
that was not a very good assumption on my part. I'll happily add what
the WG wants here.

The issue about multiple CA certs that are different was something the
earlier draft was silent about. They simply said that they MUST be the
same and left it at that. I'm not sure how critical an issue this is,
and what forms of additional mechanism are necessary to allow RPs to
retrieve all the referenced CA certs and define an algorithm for them to
follow to select the "best". My simplistic thinking about the original
intent in draft-ietf-sidr-multiple-publication-points was that an RP
would pick one URI, and if that was unresponsive after some local
threshold it would try another, and so on. The discussion so far has
been based on an assumption that an RP would retrieve the CA cert from 2
or more URIs and then worry about the case where the URIs differ. I am
not sure what to add here to the draft - the WG will need to provide
further guidance on this. I worry about a proposal for RPs to check all
URIs - it seems to me to be adding to the total load and I'm then not
sure where the benefit of multiple URIs in TAs comes from in such a
scenario.

Finally, the issue about URI diversity was again taken from the original
text and I had assumed that the WG had already considered this.

regards,

   Geoff



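Added example (not from the draft or from anyone in this thread): the two relying-party strategies discussed above, failover in TAL order as Geoff Huston describes and fetch-every-URI-then-take-the-highest-serial with a key match as Tim Bruijnzeels suggests, run against one constructed set of publication points. The TAL layout accepted here (rsync URI lines, an optional blank line, then a base64 key), the `MAX_URIS` cap, the `Cert` record and the dictionary standing in for rsync fetches are assumptions; certificate signature validation is left out.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_URIS = 8  # assumed local cap; bounds a TAL that lists an absurd number of URIs

@dataclass(frozen=True)
class Tal:
    uris: Tuple[str, ...]
    spki: bytes  # decoded subjectPublicKeyInfo the relying party trusts

@dataclass(frozen=True)
class Cert:  # hypothetical stand-in for a fetched self-signed CA certificate
    spki: bytes
    serial: int

@dataclass
class Selection:
    uri: Optional[str]
    cert: Optional[Cert]
    fetches: int
    stale: List[str] = field(default_factory=list)     # right key, older serial
    rejected: List[str] = field(default_factory=list)  # key differs from the TAL

def parse_tal(text: str, max_uris: int = MAX_URIS) -> Tal:
    """Parse URI line(s), an optional blank separator, then the base64 key."""
    uris, key_lines, in_key = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not in_key:
            if line.startswith("rsync://"):
                uris.append(line)
                if len(uris) > max_uris:
                    raise ValueError(f"TAL lists more than {max_uris} URIs")
                continue
            if not line and not uris:
                continue   # blank lines before the first URI
            in_key = True  # blank separator, or first key line when there is none
        if line:
            key_lines.append(line)
    if not uris:
        raise ValueError("TAL has no rsync URI")
    # validate=True raises binascii.Error (a ValueError) on anything that is not
    # base64, including a URI that appears after the key section has started.
    spki = base64.b64decode("".join(key_lines), validate=True)
    if not spki:
        raise ValueError("TAL has no key")
    return Tal(tuple(uris), spki)

Fetch = Callable[[str], Optional[Cert]]  # returns None when a point is unresponsive

def select(tal: Tal, fetch: Fetch, check_all: bool) -> Selection:
    """check_all=False: stop at the first usable answer (failover in TAL order).
    check_all=True: fetch every URI and keep the highest serial with the TAL key."""
    result = Selection(None, None, 0)
    matching = []
    for uri in tal.uris:
        result.fetches += 1
        cert = fetch(uri)
        if cert is None:
            continue                     # unresponsive, move to the next URI
        if cert.spki != tal.spki:
            result.rejected.append(uri)  # never accept a key the TAL does not name
            continue
        matching.append((uri, cert))
        if not check_all:
            break
    if matching:
        result.uri, result.cert = max(matching, key=lambda pair: pair[1].serial)
        result.stale = [u for u, c in matching if c.serial < result.cert.serial]
    return result

# Constructed sample data: reserved example domains and a placeholder key.
SPKI = b"constructed SubjectPublicKeyInfo bytes, not a real key"
URIS = [
    "rsync://rpki.example.net/ta/root.cer",    # unresponsive
    "rsync://rpki.example.org/ta/root.cer",    # not yet updated, serial 7
    "rsync://rpki.example.com/ta/root.cer",    # current, serial 8
    "rsync://mirror.example.net/ta/root.cer",  # serves a different key
]
TAL_TEXT = "\n".join(URIS) + "\n\n" + base64.b64encode(SPKI).decode() + "\n"
POINTS = {
    URIS[1]: Cert(SPKI, 7),
    URIS[2]: Cert(SPKI, 8),
    URIS[3]: Cert(b"some other key", 99),
}

if __name__ == "__main__":
    tal = parse_tal(TAL_TEXT)
    for check_all in (False, True):
        print("check_all =", check_all, select(tal, POINTS.get, check_all))
```

With this data the failover strategy settles on the serial 7 copy after two fetches, while checking every URI costs four fetches and returns serial 8, flagging the outdated point and the one serving a different key.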


From prvs=7117025de4=sandra.murphy@parsons.com  Sun Feb  9 14:12:37 2014
Return-Path: <prvs=7117025de4=sandra.murphy@parsons.com>
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: IETF 89 Final Agenda
Thread-Index: AQHPJFgqDZ+dPJ1Bv0aFYY6FR5p4EJqtfvtj
Date: Sun, 9 Feb 2014 22:12:21 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6940A9371@HSV-MB001.huntsville.ads.sparta.com>
References: <20140207225819.10526.35592.idtracker@ietfa.amsl.com>
In-Reply-To: <20140207225819.10526.35592.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [sidr] FW: IETF 89 Final Agenda

The final agenda is set.

SIDR meets TUESDAY, March 4, 2014, 0900-1130 GMT  Tuesday Morning Session I, room Balmoral.

--Sandy

________________________________________
From: IETF-Announce [ietf-announce-bounces@ietf.org] on behalf of IETF Agenda [agenda@ietf.org]
Sent: Friday, February 07, 2014 5:58 PM
To: IETF Announcement List
Cc: ietf@ietf.org
Subject: IETF 89 Final Agenda

89th IETF Meeting - London, England
March 2 - 7, 2014

The final agenda has been posted.

https://datatracker.ietf.org/meeting/89/agenda.html
https://datatracker.ietf.org/meeting/89/agenda.txt

While this is considered the final agenda for printing, changes may be made
to the agenda up until and during the meeting. Updates will be reflected on
the web version of the agenda.

Information about the 89th IETF meeting in London, England can be found here:
https://www.ietf.org/meeting/89/index.html

Thank you and see you in London!

Sincerely,

The IETF Secretariat

From randy@psg.com  Sun Feb  9 18:22:12 2014
Return-Path: <randy@psg.com>
Date: Mon, 10 Feb 2014 11:22:05 +0900
Message-ID: <m27g93671u.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 02:22:12 -0000

[ this discussion is not to be taken as questioning if the draft should
  be adopted by the wg.  i have already advocated for adoption.  we're
  now in the post-adoption discussion :) ]

> But if the format is open to change, then I would feel more for a
> key=value style, or dare I say even json.. this is parsed by the
> machines after all.

the assumption that json is a universally, or even widely, implemented
format is not well founded.  let's not get carried away into lala land.
we're just trying to allow multiple uris in a tal.

>>  o last para of 2.2 says
>> 
>>       Where the TAL contains two or more rsync URIs, then the same
>>       self-signed CA certificate MUST be found at each referenced
>>       location.
>> 
>>    maybe should say what happens when one or more do not have the same
>>    cert?  does the whole TAL get ignored?
> 
> I agree, but on top of that having multiple publication points by
> definition implies that there will be differences, albeit short lived.

huh?  a difference in the cert's key between the tal and the repository
is a major error.  the question i asked was if we should/could give some
guidance on how to deal with it.

> I would like to see wording along these lines.
> = TA MUST increment serial number whenever they re-issue the CA cert
> = TA SHOULD* publish the CA cert in all locations 'asap', within 1 hour?
> = TA SHOULD* remove the cert from unmaintained locations
>   *: They may not be able to if this is hosted at a third party

i suspect many of those "TA"s are "CA"s.

operationally, how do you remove something from an unmaintained
location irrespective of who does not maintain it.  maybe you mean
remove the uri from the tal?

as it is the key, not the cert, which must match, i am not sure how
critical this all is.  and if the key changes, you have entered the
world of key roll, and i suspect we don't want to go there this week.

> To handle all this more elegantly I think there should be a mechanism
> for TAs to publish replacement TALs. To add, or remove URIs, or even
> to do planned key rolls (for example: TA wants to change HSM vendor).
> What if the TA could optionally publish one (1) signed object
> containing an updated TAL? And possibly some dates:
> do-not-use-this-before, and do-not-use-other-after?

major expand-a-project.  not if you want this draft finished in 2014.

>>  o 3.1 
>> 
>>       Retrieve the object referenced by (one of) the URI(s) contained
>>       in the TAL.
>> 
>>    you may want to give some guidance as to which one.  pseudo-random?
>>    first?  think load balancing, proximity, ..., a la fns
> 
> I like to see some guidance, but ultimately I think the RP should be
> allowed to choose a strategy.

that is one approach

> I would probably prefer to check all URIs regularly, and go with the
> certificate with the highest serial number (provided the key matches
> of course).

so the rp is to chase them all?  how often.  when three uris have the
same serial, which do you choose?  and perhaps we should recommend going
with the uri which points to a cert with a serial which matches that in
the tal?

but mainly, i think it would be good to give some guidance.

randy

From rogaglia@cisco.com  Mon Feb 10 08:06:46 2014
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1047E1A086D for <sidr@ietfa.amsl.com>; Mon, 10 Feb 2014 08:06:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.049
X-Spam-Level: 
X-Spam-Status: No, score=-15.049 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QjBc0nQ__Kim for <sidr@ietfa.amsl.com>; Mon, 10 Feb 2014 08:06:44 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 1354F1A06F0 for <sidr@ietf.org>; Mon, 10 Feb 2014 08:06:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2254; q=dns/txt; s=iport; t=1392048404; x=1393258004; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=1WDoRapHTibn4UAulaAz5VMC85eVVCvR5HDtZUkxesI=; b=RhEgX0POexbeQjDYgZJ+MoQAdtpmB1NJO+8UBqRosuhTthyUMCzsnwMh WkU1W5RFB0HToRYVahExdAJUlEoFFadJfXtU81HxpapqNe3eN6YW0nmbt 6nQjymabjyF3xDSsxkXTT6Nu0Wn+shLuhsjcmHJzi+YLYTNbkDfVQGwFk 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgUFAHz4+FKtJV2d/2dsb2JhbABZgww4V78+gREWdIIlAQEBAwEBAQE3NAsFCwIBCDYQJwslAgQOBYd9CA3JZBeOSjMHgySBFASYK4EykG+DLYIq
X-IronPort-AV: E=Sophos;i="4.95,818,1384300800"; d="scan'208";a="303116780"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-4.cisco.com with ESMTP; 10 Feb 2014 16:06:43 +0000
Received: from xhc-rcd-x06.cisco.com (xhc-rcd-x06.cisco.com [173.37.183.80]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id s1AG6hCi010289 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 10 Feb 2014 16:06:43 GMT
Received: from xmb-rcd-x02.cisco.com ([169.254.4.56]) by xhc-rcd-x06.cisco.com ([173.37.183.80]) with mapi id 14.03.0123.003; Mon, 10 Feb 2014 10:06:43 -0600
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
Thread-Topic: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
Thread-Index: AQHPJnoWoHjvJq0ul0OeJ+15EaRxlg==
Date: Mon, 10 Feb 2014 16:06:42 +0000
Message-ID: <FB97777C-FE45-4FA2-932C-BDEAC51F68F6@cisco.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [144.254.20.170]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <F78E149B189ACD4281090685EA14B4FE@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "sidr@ietf.org" <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 16:06:46 -0000

Sandy,

I support the addition of multiple publication points as working group
item and hope to go quickly through the process.

Roque

--------------------
Initial Comments:

Section 2.1
(Roque) We received the request from the WG to add a blank line break
between the URI section and the public key. You can see the example on
section 3. of the draft-ietf-sidr-multiple-publication-points-00
document.

Section 2.2:
(Roque) I find this paragraph confusing:
   The trust anchor MUST be published at a stable URI.  When the trust
   anchor is re-issued for any reason, the replacement CA certificate
   MUST be accessible using the same URI.
I am not sure the meaning of "stable URI" in this context. Would it be
"stable URI section"? or "stable rsync URI(s)"?

(Roque) s/Becuase/Because



On Feb 7, 2014, at 8:47 PM, "Murphy, Sandra" <Sandra.Murphy@parsons.com> wrote:

> The authors of "draft-ietf-sidr-multiple-publication-points" proposed
> a new direction for that draft that included:
>
>
> - A "6490-bis" document that obsoletes RFC 6490 with the addition of
> multiple operators in section 3 of the current document.
>
>
> The wg having consented to that approach, the authors of RFC6490
> produced a new draft draft-huston-sidr-rfc6490-bis that would serve as
> the 6490-bis.
>
> The authors of draft-huston-sidr-rfc6490-bis have requested that the
> wg adopt this draft as a working group work item.
>
> See http://tools.ietf.org/html/draft-huston-sidr-rfc6490-bis-00,
> "Resource Certificate PKI (RPKI) Trust Anchor Locator".
>
> Please do respond to the list as to whether you support the wg
> adopting this as a work item.  Note that you do not need to comment on
> the content of this draft at this time.  You are asked to indicate if
> you think that this is work that the wg should be doing and whether
> this draft is an acceptable starting point.  Adding whether you
> can/will review or not is useful.
>
> This adoption poll will end on Friday, 21 February, 2014.
>
> --Sandy, speaking as wg co-chair


From rogaglia@cisco.com  Mon Feb 10 08:23:46 2014
Return-Path: <rogaglia@cisco.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7B491A0870 for <sidr@ietfa.amsl.com>; Mon, 10 Feb 2014 08:23:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.848
X-Spam-Level: 
X-Spam-Status: No, score=-13.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, J_CHICKENPOX_21=0.6, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RPpBiuyu1N6g for <sidr@ietfa.amsl.com>; Mon, 10 Feb 2014 08:23:42 -0800 (PST)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 43A3E1A017E for <sidr@ietf.org>; Mon, 10 Feb 2014 08:23:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=16084; q=dns/txt; s=iport; t=1392049422; x=1393259022; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=alI/Axae8cmtLGl5Nv8aFNbyXNVISJtbJmk2lvHLqvQ=; b=izPy2/QWi8HMQ+o7DCCtI/2IJ9F/yyCzE3stA+T4Li3E6lz6f6V/Yxii uTfrWqJyKHrObAwdpOvvrtfi9qTlj7v3yy6O0V5vybI2ajgMbRi2w+JJl LW0wESU9EZBcw3g5HkJDrEVI9oeFH7t8Av+7kVVEuFF5Bkm1tr+zkA29d w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgUFALP8+FKtJXG8/2dsb2JhbABZgww4V78+gRIWdIImAQEEAQEBawsQAgEIDjEHIQYLFBECBA4Fh3EDEQ3BEQ2IRheMZoIXB4MkgRQElEKBfYFsgTKLLIVDgy2CKg
X-IronPort-AV: E=Sophos;i="4.95,818,1384300800";  d="scan'208,217";a="303055141"
Received: from rcdn-core2-1.cisco.com ([173.37.113.188]) by rcdn-iport-6.cisco.com with ESMTP; 10 Feb 2014 16:23:41 +0000
Received: from xhc-aln-x02.cisco.com (xhc-aln-x02.cisco.com [173.36.12.76]) by rcdn-core2-1.cisco.com (8.14.5/8.14.5) with ESMTP id s1AGNfIK031929 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 10 Feb 2014 16:23:41 GMT
Received: from xmb-rcd-x02.cisco.com ([169.254.4.56]) by xhc-aln-x02.cisco.com ([173.36.12.76]) with mapi id 14.03.0123.003; Mon, 10 Feb 2014 10:23:41 -0600
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Geoff Huston <gih902@gmail.com>
Thread-Topic: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
Thread-Index: AQHPJnx1QX2QNgXxZUqd/EWTHK/mnw==
Date: Mon, 10 Feb 2014 16:23:40 +0000
Message-ID: <8451BEAE-465F-49AF-9AE0-DD6C8D567714@cisco.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <DCAF237A-C70A-4311-9232-69499F97CE0B@gmail.com>
In-Reply-To: <DCAF237A-C70A-4311-9232-69499F97CE0B@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [144.254.20.170]
Content-Type: multipart/alternative; boundary="_000_8451BEAE465F49AF9AE0DD6C8D567714ciscocom_"
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for	draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 16:23:47 -0000

--_000_8451BEAE465F49AF9AE0DD6C8D567714ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi Geoff,

On Feb 9, 2014, at 11:05 PM, Geoff Huston <gih902@gmail.com> wrote:

> Hi,
>
> I took the text in draft-ietf-sidr-multiple-publication-points as it
> related to TAs and placed it into the RFC6490bis draft without change.
>
> The syntax of the TAL is not something I care a lot about either - I
> suppose that one could get worried about rogue TAs that try to place
> 1 million URIs into the TAL, and get into the whole JSON / plain ascii
> thing - I thought that the draft-ietf-sidr-multiple-publication-points
> document already had a certain level of WG buy-in behind it - I guess
> that was not a very good assumption on my part. I'll happily add what
> the WG wants here.

The document went through the adoption process and was open to
discussions for almost 2 years. We never went through WGLC, which is
when most people pay closer attention. The only formal comment that we
received on the format was about the blank line Randy mentioned and that
was incorporated.

> The issue about multiple CA certs that are different was something the
> earlier draft was silent about. They simply said that they MUST be the
> same and left it at that. I'm not sure how critical an issue this is,
> and what forms of additional mechanism are necessary to allow RPs to
> retrieve all the referenced CA certs and define an algorithm for them
> to follow to select the "best". My simplistic thinking about the
> original intent in draft-ietf-sidr-multiple-publication-points was
> that an RP would pick one URI, and if that was unresponsive after some
> local threshold it would try another, and so on. The discussion so far
> has been based on an assumption that an RP would retrieve the CA cert
> from 2 or more URI's and then worry about the case where the URIs
> differ. I am not sure what to add here to the draft - the WG will need
> to provide further guidance on this. I worry about a proposal for RPs
> to check all URIs - it seems to me to be adding to the total load and
> I'm then not sure where the benefit of multiple URIs in TAs comes from
> in such a scenario.

I believe you should use Section 3.2 of
draft-ietf-sidr-multiple-publication-points as a starting point. As you
can see the recommended behaviour is to select a rule to fetch the TA
certificate and stop when you fetch one that matches the TAL public key.

3.2 <http://tools.ietf.org/html/draft-ietf-sidr-multiple-publication-points-00#section-3.2>.  Rules for Relying Parties (RP)


   A RP can use different rules to select the URI from where fetch the
   Trust Anchor certificate.  Some examples are:

   o  Using the order provided in the TAL file

   o  Selecting the URI randomly from the available list

   o  Creating a prioritized list of URIs based on RP specific
      parameters such as connection establishment delay

   If the connection to the preferred URI fails or the fetched
   certificate public key does not match the TAL public key, the RP
   SHOULD fetch the TA certificate from the next URI of preference.

Roque

> Finally, the issue about URI diversity was again taken from the
> original text and I had assumed that the WG had already considered
> this.
>
> regards,
>
>   Geoff
>
>
> On 9 Feb 2014, at 12:14 am, Tim Bruijnzeels <tim@ripe.net> wrote:
>
>> On Feb 8, 2014, at 5:21 AM, Randy Bush <randy@psg.com> wrote:
>>
>>> i think this is a worthwhile effort and this document is a good
>>> place to start.
>>
>> +1
>>
>> Some initial comments in-line.
>>
>>> --
>>>
>>> presuming there is consensus to adopt, i have some nits we can
>>> discuss when it is a wg item.
>>>
>>> o i thought folk wanted a blank line between the URI(s) and the key
>>
>> I am not sure that I care too much about this as long as it's well
>> defined.
>>
>> But if the format is open to change, then I would feel more for a
>> key=value style, or dare I say even json.. this is parsed by the
>> machines after all. And using something like json makes it much more
>> flexible regarding ordering of elements, or extending should that
>> ever be necessary.
>>
>>> o last para of 2.2 says
>>>
>>>     Where the TAL contains two or more rsync URIs, then the same
>>>     self-signed CA certificate MUST be found at each referenced
>>>     location.
>>>
>>>  maybe should say what happens when one or more do not have the same
>>>  cert?  does the whole TAL get ignored?
>>
>> I agree, but on top of that having multiple publication points by
>> definition implies that there will be differences, albeit short
>> lived.
>>
>> I would like to see wording along these lines.
>> = TA MUST increment serial number whenever they re-issue the CA cert
>> = TA SHOULD* publish the CA cert in all locations 'asap', within 1 hour?
>> = TA SHOULD* remove the cert from unmaintained locations
>> *: They may not be able to if this is hosted at a third party
>>
>> To handle all this more elegantly I think there should be a mechanism
>> for TAs to publish replacement TALs. To add, or remove URIs, or even
>> to do planned key rolls (for example: TA wants to change HSM vendor).
>> What if the TA could optionally publish one (1) signed object
>> containing an updated TAL? And possibly some dates:
>> do-not-use-this-before, and do-not-use-other-after?
>>
>> This would allow RPs to use existing TALs to discover updates and
>> process automatically (it is signed by the key that I trust). It
>> could stop re-trying retired URIs, and start using the new ones. And
>> even planned key rolls could be as simple as this on this level
>> (provided the TA re-issues and publishes all the products before the
>> change date, under the new key and in its own repositories).
>>
>>> o same last para of 2.2
>>>
>>>     it is RECOMMENDED that the domain name parts of each of these
>>>     URIs resolve to distinct IP addresses that are used by a diverse
>>>     set of repository publication points, and these IP addresses be
>>>     included in distinct Route Origination Authorizations (ROAs)
>>>     objects signed by different CAs.
>>>
>>>  as this is ops guidance, and really the core of the proposed change,
>>>  perhaps the rationale for this should be given
>>>
>>> o 3.1
>>>
>>>     Retrieve the object referenced by (one of) the URI(s) contained
>>>     in the TAL.
>>>
>>>  you may want to give some guidance as to which one.  pseudo-random?
>>>  first?  think load balancing, proximity, ..., a la fns
>>
>> I like to see some guidance, but ultimately I think the RP should be
>> allowed to choose a strategy.
>>
>> I would probably prefer to check all URIs regularly, and go with the
>> certificate with the highest serial number (provided the key matches
>> of course).
>>
>> Tim

--_000_8451BEAE465F49AF9AE0DD6C8D567714ciscocom_--
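
The TAL layout discussed in this thread (URI section, blank line, base64 key) and the Section 3.2 fallback rule quoted in the message above, written out as an added example; it is not code from either draft or from any relying-party implementation. The URI cap, the host names, the skeleton certificates and the `fetch` callable standing in for rsync are assumptions, and only the key-match step is shown, not validation of the self-signed certificate.

```python
import base64

MAX_URIS = 16  # assumed local cap; the drafts set no limit on URIs per TAL

def parse_tal(text):
    """Split a TAL into (uris, spki_der): URI section, blank line, base64 key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if "" not in lines:
        raise ValueError("no blank line between URI section and key")
    split = lines.index("")
    uris, key_b64 = lines[:split], "".join(lines[split + 1:])
    if not 1 <= len(uris) <= MAX_URIS:
        raise ValueError("URI count out of range")
    if any(not u.startswith("rsync://") for u in uris):
        raise ValueError("non-rsync URI in TAL")
    if not key_b64:
        raise ValueError("empty key section")
    return uris, base64.b64decode(key_b64, validate=True)

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_spki(cert_der):
    """Return the raw subjectPublicKeyInfo TLV of an X.509 certificate."""
    _, start, _ = read_tlv(cert_der, 0)           # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, start)   # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:end]))
        pos = end
    if fields and fields[0][0] == 0xA0:           # optional [0] version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, SPKI
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("not an X.509 certificate")
    return fields[5][1]

def fetch_ta_cert(uris, tal_spki, fetch):
    """Try URIs in preference order; stop at the first cert whose key is the TAL key."""
    log = []
    for uri in uris:
        try:
            cert = fetch(uri)
            spki = cert_spki(cert)
        except OSError:
            log.append((uri, "unreachable"))
            continue
        except (ValueError, IndexError):
            log.append((uri, "malformed"))
            continue
        if spki != tal_spki:
            # reachable but wrong key: record it separately from an outage
            log.append((uri, "key-mismatch"))
            continue
        log.append((uri, "ok"))
        return uri, cert, log
    return None, None, log

# --- constructed sample data (not real certificates or repositories) ---
def der_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content

def sample_cert(spki, serial):
    empty = der_tlv(0x30, b"")  # stands in for signature/issuer/validity/subject
    tbs = (der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
           + empty * 4 + spki)
    return der_tlv(0x30, der_tlv(0x30, tbs) + empty + der_tlv(0x03, b"\x00"))

GOOD_SPKI = der_tlv(0x30, b"constructed key A")
STALE_SPKI = der_tlv(0x30, b"constructed key B")
URI_A, URI_B, URI_C = ("rsync://rpki-%s.example/ta/root.cer" % x for x in "abc")
SAMPLE_TAL = "\n".join([URI_A, URI_B, URI_C, "", base64.b64encode(GOOD_SPKI).decode()])
# URI_A is down, URI_B serves a certificate for another key, URI_C is current
REPOS = {URI_B: sample_cert(STALE_SPKI, 1), URI_C: sample_cert(GOOD_SPKI, 2)}

def sample_fetch(uri):
    """Stand-in for the rsync fetch; raises OSError when the host is down."""
    if uri not in REPOS:
        raise OSError("connection failed: " + uri)
    return REPOS[uri]

def demo():
    uris, tal_spki = parse_tal(SAMPLE_TAL)
    return fetch_ta_cert(uris, tal_spki, sample_fetch)
```

The returned log separates an unreachable publication point from one that serves a certificate for a different key, which is the case the thread asks for guidance on.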

From gih902@gmail.com  Mon Feb 10 08:43:18 2014
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Geoff Huston <gih902@gmail.com>
In-Reply-To: <8451BEAE-465F-49AF-9AE0-DD6C8D567714@cisco.com>
Date: Tue, 11 Feb 2014 03:43:12 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <BFB1B1C4-DBB1-4F26-96B2-B69352419749@gmail.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <DCAF237A-C70A-4311-9232-69499F97CE0B@gmail.com> <8451BEAE-465F-49AF-9AE0-DD6C8D567714@cisco.com>
To: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
X-Mailer: Apple Mail (2.1827)
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

On 11 Feb 2014, at 3:23 am, Roque Gagliano (rogaglia) <rogaglia@cisco.com> wrote:

> Hi Geoff,
>
> On Feb 9, 2014, at 11:05 PM, Geoff Huston <gih902@gmail.com> wrote:
>
>> Hi,
>>
>> I took the text in draft-ietf-sidr-multiple-publication-points as it related to TAs and placed it into the RFC6490bis draft without change.
>>
>> The syntax of the TAL is not something I care a lot about either - I suppose that one could get worried about rogue TAs that try to place 1 million URIs into the TAL, and get into the whole JSON / plain ascii thing - I thought that the draft-ietf-sidr-multiple-publication-points document already had a certain level of WG buy-in behind it - I guess that was not a very good assumption on my part. I'll happily add what the WG wants here.
>
> The document went through the adoption process and was open to discussions for almost 2 years. We never went through WGLC, which is when most people pay closer attention. The only formal comment that we received on the format was about the blank line Randy mentioned and that was incorporated.

no criticism was intended here Roque about the previous process. I was trying to explain my assumptions when incorporating this text into 6490bis. I agree that in general it takes a Last Call to elicit readers and comments, although there are always exceptions and this call for adoption is one of them.


>
>> The issue about multiple CA certs that are different was something the earlier draft was silent about. They simply said that they MUST be the same and left it at that. I'm not sure how critical an issue this is, and what forms of additional mechanism are necessary to allow RPs to retrieve all the referenced CA certs and define an algorithm for them to follow to select the "best". My simplistic thinking about the original intent in draft-ietf-sidr-multiple-publication-points was that an RP would pick one URI, and if that was unresponsive after some local threshold it would try another, and so on. The discussion so far has been based on an assumption that an RP would retrieve the CA cert from 2 or more URIs and then worry about the case where the URIs differ. I am not sure what to add here to the draft - the WG will need to provide further guidance on this. I worry about a proposal for RPs to check all URIs - it seems to me to be adding to the total load and I'm then not sure where the benefit of multiple URIs in TAs comes from in such a scenario.
>
> I believe you should use Section 3.2 of draft-ietf-sidr-multiple-publication-points as a starting point. As you can see the recommended behaviour is to select a rule to fetch the TA certificate and stop when you fetch one that matches the TAL public key.
>
> 3.2.  Rules for Relying Parties (RP)
>
>    A RP can use different rules to select the URI from where fetch the
>    Trust Anchor certificate.  Some examples are:
>
>    o  Using the order provided in the TAL file
>
>    o  Selecting the URI randomly from the available list
>
>    o  Creating a prioritized list of URIs based on RP specific
>       parameters such as connection establishment delay
>
>    If the connection to the preferred URI fails or the fetched
>    certificate public key does not match the TAL public key, the RP
>    SHOULD fetch the TA certificate from the next URI of preference.
>


I can (and will) certainly add that text to section 3 of the bis document.

However, the question raised by Randy and commented on by Tim still remains - what should a RP do if it chooses to retrieve the material from 2 or more URIs and finds that the CA certificates that are retrieved in this manner differ? And from Tim, some further contemplation about what the TA publisher could do to provide hints to the RP in such a situation.

regards,

   Geoff
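
The Section 3.2 fallback quoted in the message above, together with the compare-every-URI case it asks about, as an added Python example that is not part of the thread or of any RP implementation. The TAL layout (URI lines, a blank line, a Base64 key), the URI cap, the `FetchedCert` stand-in and the `.example` hosts are assumptions; the key bytes are constructed, not a real subjectPublicKeyInfo.

```python
import base64
import hashlib
from dataclasses import dataclass

MAX_TAL_URIS = 8  # assumed local policy cap against an oversized URI list


@dataclass(frozen=True)
class FetchedCert:
    """Hypothetical stand-in for a parsed TA certificate."""
    spki: bytes  # subjectPublicKeyInfo carried by the certificate
    der: bytes   # complete encoding, used only to compare content


def parse_tal(text, max_uris=MAX_TAL_URIS):
    """Split a TAL into (uris, spki). Assumed layout: URI lines, blank line, Base64 key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    uris = []
    for idx, line in enumerate(lines):
        if not line:  # the blank line ends the URI section
            key_lines = lines[idx + 1:]
            break
        if not line.startswith("rsync://"):
            raise ValueError(f"unexpected URI scheme: {line!r}")
        if len(uris) >= max_uris:
            raise ValueError("TAL lists more URIs than local policy allows")
        uris.append(line)
    else:
        raise ValueError("TAL has no blank line between the URIs and the key")
    spki = base64.b64decode("".join(key_lines), validate=True)
    if not spki:
        raise ValueError("TAL carries no public key")
    return uris, spki


def fetch_ta_certificate(uris, tal_spki, fetch):
    """Try URIs in preference order; stop at the first cert whose key matches the TAL."""
    attempts = []
    for uri in uris:
        try:
            cert = fetch(uri)
        except OSError:
            attempts.append((uri, "connection failed"))
            continue
        if cert.spki != tal_spki:
            attempts.append((uri, "key mismatch"))
            continue
        attempts.append((uri, "accepted"))
        return cert, attempts
    return None, attempts


def group_matching_certs(uris, tal_spki, fetch):
    """For an RP that queries every URI: group key-matching certs by content digest.

    More than one group means the mirrors serve different certificates for the
    same key. What the RP does next is the open question in the thread, so this
    only reports the groups.
    """
    groups = {}
    for uri in uris:
        try:
            cert = fetch(uri)
        except OSError:
            continue
        if cert.spki == tal_spki:
            digest = hashlib.sha256(cert.der).hexdigest()
            groups.setdefault(digest, []).append(uri)
    return groups


def make_fetch(mirrors):
    """Build an offline fetcher from a dict of uri -> FetchedCert or exception."""
    def fetch(uri):
        result = mirrors[uri]
        if isinstance(result, Exception):
            raise result
        return result
    return fetch


# Constructed sample data: placeholder key bytes and example hosts.
TAL_KEY = b"constructed SPKI bytes A"
SAMPLE_TAL = "\n".join([
    "rsync://rpki-a.example/ta/root.cer",
    "rsync://rpki-b.example/ta/root.cer",
    "rsync://rpki-c.example/ta/root.cer",
    "",
    base64.b64encode(TAL_KEY).decode(),
])
SAMPLE_MIRRORS = {
    "rsync://rpki-a.example/ta/root.cer": OSError("connection refused"),
    "rsync://rpki-b.example/ta/root.cer": FetchedCert(b"some other key", b"cert-b"),
    "rsync://rpki-c.example/ta/root.cer": FetchedCert(TAL_KEY, b"cert-c"),
}

if __name__ == "__main__":
    tal_uris, tal_spki = parse_tal(SAMPLE_TAL)
    fetcher = make_fetch(SAMPLE_MIRRORS)
    chosen, attempts = fetch_ta_certificate(tal_uris, tal_spki, fetcher)
    for uri, outcome in attempts:
        print(f"{outcome:18} {uri}")
    print("distinct matching certificates:",
          len(group_matching_certs(tal_uris, tal_spki, fetcher)))
```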


From rogaglia@cisco.com  Mon Feb 10 09:28:37 2014
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Geoff Huston <gih902@gmail.com>
Thread-Topic: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
Thread-Index: AQHPJoV6MZzhXGxiM0q6YR1aFtRWpQ==
Date: Mon, 10 Feb 2014 17:28:13 +0000
Message-ID: <24E5F079-4440-4507-AC2B-844E07D30F6B@cisco.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <DCAF237A-C70A-4311-9232-69499F97CE0B@gmail.com> <8451BEAE-465F-49AF-9AE0-DD6C8D567714@cisco.com> <BFB1B1C4-DBB1-4F26-96B2-B69352419749@gmail.com>
In-Reply-To: <BFB1B1C4-DBB1-4F26-96B2-B69352419749@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [144.254.20.170]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <648E92EDD1BAC147A4BEEF3889CEBE9B@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

Geoff,

On Feb 10, 2014, at 5:43 PM, Geoff Huston <gih902@gmail.com> wrote:

>
> On 11 Feb 2014, at 3:23 am, Roque Gagliano (rogaglia) <rogaglia@cisco.com> wrote:
>
>> Hi Geoff,
>>
>> On Feb 9, 2014, at 11:05 PM, Geoff Huston <gih902@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I took the text in draft-ietf-sidr-multiple-publication-points as it related to TAs and placed it into the RFC6490bis draft without change.
>>>
>>> The syntax of the TAL is not something I care a lot about either - I suppose that one could get worried about rogue TAs that try to place 1 million URIs into the TAL, and get into the whole JSON / plain ascii thing - I thought that the draft-ietf-sidr-multiple-publication-points document already had a certain level of WG buy-in behind it - I guess that was not a very good assumption on my part. I'll happily add what the WG wants here.
>>
>> The document went through the adoption process and was open to discussions for almost 2 years. We never went through WGLC, which is when most people pay closer attention. The only formal comment that we received on the format was about the blank line Randy mentioned and that was incorporated.
>
> no criticism was intended here Roque about the previous process. I was trying to explain my assumptions when incorporating this text into 6490bis. I agree that in general it takes a Last Call to elicit readers and comments, although there are always exceptions and this call for adoption is one of them.
>

(Roque) No problem and thank you for taking over the work.

>
>>
>>> The issue about multiple CA certs that are different was something the earlier draft was silent about. They simply said that they MUST be the same and left it at that. I'm not sure how critical an issue this is, and what forms of additional mechanism are necessary to allow RPs to retrieve all the referenced CA certs and define an algorithm for them to follow to select the "best". My simplistic thinking about the original intent in draft-ietf-sidr-multiple-publication-points was that an RP would pick one URI, and if that was unresponsive after some local threshold it would try another, and so on. The discussion so far has been based on an assumption that an RP would retrieve the CA cert from 2 or more URIs and then worry about the case where the URIs differ. I am not sure what to add here to the draft - the WG will need to provide further guidance on this. I worry about a proposal for RPs to check all URIs - it seems to me to be adding to the total load and I'm then not sure where the benefit of multiple URIs in TAs comes from in such a scenario.
>>
>> I believe you should use Section 3.2 of draft-ietf-sidr-multiple-publication-points as a starting point. As you can see the recommended behaviour is to select a rule to fetch the TA certificate and stop when you fetch one that matches the TAL public key.
>>
>> 3.2.  Rules for Relying Parties (RP)
>>
>>   A RP can use different rules to select the URI from where fetch the
>>   Trust Anchor certificate.  Some examples are:
>>
>>   o  Using the order provided in the TAL file
>>
>>   o  Selecting the URI randomly from the available list
>>
>>   o  Creating a prioritized list of URIs based on RP specific
>>      parameters such as connection establishment delay
>>
>>   If the connection to the preferred URI fails or the fetched
>>   certificate public key does not match the TAL public key, the RP
>>   SHOULD fetch the TA certificate from the next URI of preference.
>>
>
>
> I can (and will) certainly add that text to section 3 of the bis document.
>
> However, the question raised by Randy and commented on by Tim still remains - what should a RP do if it chooses to retrieve the material from 2 or more URIs and finds that the CA certificates that are retrieved in this manner differ? And from Tim, some further contemplation about what the TA publisher could do to provide hints to the RP in such a situation.

(Roque)  Two different problems:
	1) Fetching two different TA certificates that match the public key but do not have the same content: This problem can happen today as even if you have one URI, you can have two different "real" rsync servers behind, we are just making it evident. I personally believe we should state only what is the expected behaviour rather than enumerating all the alternatives.

	2) Tim's proposal to expand the TAL verbosity: I am sympathetic to the idea of using key=value style. However, as we only have two "keys", I see little incremental value on the changes from one version to the next one. On the other side, I am skeptical to add more verbosity to the TAL with information that we cannot cryptographically verify (the TAL is a plain text not signed document.)  I remember Carlos proposed the idea of having a special TAL signed object only available at the TA's publication point that would add information referring to the TAL lifecycle (maybe including a new TAL file to be replacing the existing one.) This seems to be a more appropriate way to solve the problem of replacing the TA key and keep the compatibility with the old install base (and as long as it has not been compromised :-) ).

Regards,
Roque

> regards,
>
>   Geoff
>

From kent@bbn.com  Mon Feb 10 10:27:25 2014
Message-ID: <52F91A08.6030409@bbn.com>
Date: Mon, 10 Feb 2014 13:27:20 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <20140205235515.22408.47624.idtracker@ietfa.amsl.com> <24B20D14B2CD29478C8D5D6E9CBB29F6940A848A@HSV-MB001.huntsville.ads.sparta.com> <m2zjm5f0pj.wl%randy@psg.com>
In-Reply-To: <m2zjm5f0pj.wl%randy@psg.com>
Content-Type: multipart/mixed; boundary="------------010200010904000104010503"
Subject: Re: [sidr] FW:  I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

This is a multi-part message in MIME format.
--------------010200010904000104010503
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Randy,

I have attached a PDF with edits and comments on the use cases I-D.

The current use case definitions (Section 4) don't always provide a clear statement of the problem to be solved, and the requirements that a solution must exhibit. The Notes (Section 5) assume characteristics of the solution space that may not be necessary; they certainly are not justified by the cases as currently described in Section 4.

Steve



--------------010200010904000104010503
Content-Type: application/pdf;
 name="draft-ietf-sidr-lta-use-cases-00.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="draft-ietf-sidr-lta-use-cases-00.pdf"
--------------010200010904000104010503--

From kent@bbn.com  Mon Feb 10 10:55:16 2014
Message-ID: <52F9208E.20500@bbn.com>
Date: Mon, 10 Feb 2014 13:55:10 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <20140205235515.22408.47624.idtracker@ietfa.amsl.com> <24B20D14B2CD29478C8D5D6E9CBB29F6940A848A@HSV-MB001.huntsville.ads.sparta.com> <F8D5F608-853E-47BE-9C0F-F54C4208E04F@ripe.net>
In-Reply-To: <F8D5F608-853E-47BE-9C0F-F54C4208E04F@ripe.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-lta-use-cases-00.txt

Tim,

> Looks like a good starting point to me. Though I had to parse the line about unicorns twice..

just twice ;-) ? The text needs work to be clear, precise, and a lot less cutesy.

>> Local Trust Anchor Management: http://tools.ietf.org/html/draft-ietf-sidr-ltamgmt-08
> If I understood correctly it was the authors' intent to replace the existing ltamgmt document with the new work?

Yes, with two new docs. David Mandelburg is submitting a doc to deal with the easiest cases, and I think he will request a slot to present that doc, plus a doc on address space transfer.

>> Suspenders: http://tools.ietf.org/html/draft-kent-sidr-suspenders-00
> Fundamentally I think there is a problem in letting a child refer to a third party that can override its parent. I think it just doesn't fit in the hierarchical rpki, and hence all the complexity to deal with history, and trying to separate noise from signal. I appreciate that it's well intended and a lot of thought has gone into this, but in my opinion this is a very complicated way to deal with this.

I am a firm believer in the hierarchic PKI. But, that said, I do think we need a credible solution to the concerns raised by folks who worry about errors or compelled actions by RIRs or ISPs. Suspenders proposes a fallback strategy to address these concerns. But, if we can develop a simpler solution, after we agree on use cases, that's great.

> What I would suggest instead is to go to the third party directly. I think we already have all the building blocks..

If one goal is to not undermine the hierarchy, then we want constraints on what a third party can assert. Suspenders limits the third party to preserving the status quo; it can turn back the clock, but it can't make arbitrary statements that will be accepted by RPs (if they follow the spec).

> This third party can publish a TAL containing resources that it claims to know better. They can then operate a normal CA and publish all the ROAs they see fit, or even act as parent CA using up-down. RPs could be configured to use both TAs and treat them as complementary (i.e. accept the ROAs from both), or exclusive (i.e. ignore the ROAs for the resources listed by third party under any other TA tree), or probably best even: alert the operator and let them choose and set defaults.

That is precisely the sort of design that has the potential to undermine the hierarchy. And it seems to head in the direction of the awful Web PKI we have today.

> To deal with Carol's case, well-known third parties could be set up. If all is well they should have no content, but the key difference is that it would no longer be possible to do a *covert* attack on Carol. I understand that it's re-active rather than pro-active, but I think this is enough to make the attack moot: it's not very effective and it has drawbacks: it degrades trust and thereby security of internet infrastructure.

The attack on Carol is not covert; every RP will see it. The only question is what RPs should do in response. Allowing Carol to publish info that makes it clear that she doesn't agree with the changes to her RPKI data is probably the least dangerous way to provide RPs with the info from which they can make a decision.

> Bob can just create a complementary TAL for the private space.
>
> Alice can create a TAL that takes precedence, and have her management's vision of the truth.
>
> All this needs some tooling, but I don't think it needs more standards.
>

The message I just posted noted that several of the use cases need clearer statements of the problems being addressed, and a less colloquial tone. So I won't comment on how we should address the other use cases until we have agreement on them.

Steve

From tim@ripe.net  Mon Feb 10 11:14:40 2014
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_9A2A277C-E8D7-4E21-8AF8-667D2F8BA9CF"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <24E5F079-4440-4507-AC2B-844E07D30F6B@cisco.com>
Date: Mon, 10 Feb 2014 20:14:30 +0100
Message-Id: <80D1F551-8C47-44F3-8135-931DD5ADA3E5@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <DCAF237A-C70A-4311-9232-69499F97CE0B@gmail.com> <8451BEAE-465F-49AF-9AE0-DD6C8D567714@cisco.com> <BFB1B1C4-DBB1-4F26-96B2-B69352419749@gmail.com> <24E5F079-4440-4507-AC2B-844E07D30F6B@cisco.com>
To: Roque Gagliano (rogaglia) <rogaglia@cisco.com>
X-Mailer: Apple Mail (2.1510)
Cc: Geoff Huston <gih902@gmail.com>, sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

--Apple-Mail=_9A2A277C-E8D7-4E21-8AF8-667D2F8BA9CF
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Roque, all,

First of all, the short version:
= Yes, I support adoption
= No, I don't see big issues / show stoppers, have some comments
= Yes, I do see potential for other improvements (but I understand we may want to leave it for now)


On Feb 10, 2014, at 6:28 PM, Roque Gagliano (rogaglia) <rogaglia@cisco.com> wrote:

> Geoff,
>
> On Feb 10, 2014, at 5:43 PM, Geoff Huston <gih902@gmail.com> wrote:
>
>>
>> On 11 Feb 2014, at 3:23 am, Roque Gagliano (rogaglia) <rogaglia@cisco.com> wrote:
>>
>>> Hi Geoff,
>>>
>>> On Feb 9, 2014, at 11:05 PM, Geoff Huston <gih902@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I took the text in draft-ietf-sidr-multiple-publication-points as it related to TAs and placed it into the RFC6490bis draft without change.
>>>>
>>>> The syntax of the TAL is not something I care a lot about either - I suppose that one could get worried about rogue TAs that try to place 1 million URIs into the TAL, and get into the whole JSON / plain ascii thing - I thought that the draft-ietf-sidr-multiple-publication-points document already had a certain level of WG buy-in behind it - I guess that was not a very good assumption on my part. I'll happily add what the WG wants here.
>>>
>>> The document went through the adoption process and was open to discussions for almost 2 years. We never went through WGLC, which is when most people pay closer attention. The only formal comment that we received on the format was about the blank line Randy mentioned and that was incorporated.
>>
>> no criticism was intended here Roque about the previous process. I was trying to explain my assumptions when incorporating this text into 6490bis. I agree that in general it takes a Last Call to elicit readers and comments, although there are always exceptions and this call for adoption is one of them.
>>
>
> (Roque) No problem and thank you for taking over the work.

As I tried to say in my previous mail. This is not a show stopper for me, and I am aware that changing this would be new work.

So, if this proves too timely and difficult now, or there is simply no wg consensus on this, then I really don't mind deferring this.


>>>> The issue about multiple CA certs that are different was something =
the earlier draft was silent about. They simply said that they MUST be =
the same and left it at that. I'm not sure how critical an issue this =
is, and whet forms of additional mechanism are necessary to allow RPs to =
retrieve all the referenced CA certs and define an algorithm for them to =
follow to select the "best". My simplistic thinking about the original =
intent in draft-ietf-sidr-multiple-publication-points was that an RP =
would pick oine URI, and if that was unresponsive after some local =
threshold it wuould try another, and so on. The discussion so far has =
been based on an assumption that an RP would retrieve the CA cert from 2 =
or more URI's and then worry about the case where the URIs differ. I am =
not sure what to add here to the draft - the WG will need to provide =
further guidance on this. I worry about a proposal for RPs to check all =
URIs - it seems to me to be adding to the total load and I'm then not =
sure where=20
>>>> the benefit of multiple URIs in TAs comes from in such a scenario.
>>>
>>> I believe you should use Section 3.2 of
>>> draft-ietf-sidr-multiple-publication-points as a starting point. As
>>> you can see the recommended behaviour is to select a rule to fetch
>>> the TA certificate and stop when you fetch one that matches the TAL
>>> public key.
>>>
>>> 3.2.  Rules for Relying Parties (RP)
>>>
>>>  A RP can use different rules to select the URI from where fetch the
>>>  Trust Anchor certificate.  Some examples are:
>>>
>>>  o  Using the order provided in the TAL file
>>>
>>>  o  Selecting the URI randomly from the available list
>>>
>>>  o  Creating a prioritized list of URIs based on RP specific
>>>     parameters such as connection establishment delay
>>>
>>>  If the connection to the preferred URI fails or the fetched
>>>  certificate public key does not match the TAL public key, the RP
>>>  SHOULD fetch the TA certificate from the next URI of preference.
>>>
>>
>>
>> I can (and will) certainly add that text to section 3 of the bis
>> document.
>>
>> However, the question raised by Randy and commented on by Tim still
>> remains - what should a RP do if it chooses to retrieve the material
>> from 2 or more URIs and finds that the CA certificates that are
>> retrieved in this manner differ? And from Tim, some further
>> contemplation about what the TA publisher could do to provide hints to
>> the RP in such a situation.
>
> (Roque)  Two different problems:
>   1) Fetching two different TA certificates that match the public key
>   but do not have the same content: This problem can happen today as
>   even if you have one URI, you can have two different "real" rsync
>   servers behind, we are just making it evident. I personally believe
>   we should stay only what is the expected behaviour rather than
>   enumerating all the alternatives.

For this I think we can assume that the keys match. If the certificate
is for another key, it will simply not validate according to the known
TAL and be dismissed.

But even with the same key other important bits may have changed. Most
importantly the resources, but possibly also the publication point. I
think the general semantics should be that:
 = The TAL is just a hints file really, the URIs are there to help the
   RP find a certificate matching the key they chose to trust
 = If the RP finds multiple certificates matching the TAL, then (to me)
   it would make sense to go with the most recent one..

That's where I was driving with the whole Trust Anchor must increase the
serial number whenever it re-issues a self signed TA certificate. Then
the RP can just go with the one with the highest serial. If we find this
a little scary (though I don't see a clear attack here), then I would
also be fine with saying that the TA should set the signing-time, and
the RP can go with the most recent (non future dated) certificate it
knows.

I think it's up to the RP to decide how many URIs it will try and how
often. You could try to limit that here, but I don't think you can make
them..

>   2) Tim's proposal to expand the TAL verbosity: I am sympathetic to
>   the idea of using key=value style. However, as we only have two
>   "keys", I see little incremental value on the changes from one
>   version to the next one. On the other side, I am skeptical to add
>   more verbosity to the TAL with information that we cannot
>   cryptographically verify (the TAL is a plain text not signed
>   document.)

As said above.. not a show stopper, my feeling of the room is that
people are not keen, but..

We are actually using a key value pair based tal format in our validator
today. We wanted additional info in there, like a human friendly name,
and a list of pre-fetch URIs to aid in validating non-hierarchical TA
repos. None of this is actually used for validation, it's just hints
that make it a bit smoother. If the standard said something like:
  - must contain one value for the 'subjectPublicKeyInfo'
  - must contain one or more values for the 'URI'
  - may contain additional elements
  - and RP: just ignore what you don't care about

Then it would be a little easier to be back-ward compatible. And we
could publish our extended TAL and other validators would still
understand.

And finally on this, I do think json is a better format. Especially when
dealing with arrays. Randy you may want to check RFC4627 and the list of
links to libraries for 50 odd languages at json.org. It's actually
pretty well defined, and widely used.


> I remember Carlos proposed the idea of having a special TAL signed
> object only available at the TA's publication point that would add
> information referring to the TAL lifecycle (maybe including a new TAL
> file to be replacing the existing one.) This seems to be a more
> appropriate way to solve the problem of replacing the TA key and keep
> the compatibility with the old install base (and as long as it has not
> been compromised :-) ).

Ah cool. I forgot that, or I missed it, or it lingered in my
subconsciousness. In any case it's exactly what I was referring to in
my previous mail.

I was triggered by this text in section 2.2:

   If an entity wishes to withdraw a self-signed CA certificate as a
   putative Trust Anchor, for any reason, including key rollover, the
   entity MUST remove the object from the location referenced in the
   TAL.

I think a signed TAL would really help here..

If the entity wishes to remove a self-signed CA certificate they SHOULD
first publish a new signed TAL where this URI is no longer present and
then proceed to remove the object. If the entity wishes to add a
self-signed CA certificate publication point they SHOULD first publish
the object at the new location and then publish a new signed TAL where
this URI has been included.

And maybe even the planned key roll..

If the entity wishes to perform a key roll of the self-signed CA
certificate they MUST first re-issue all the signed objects signed by
the old key under the new key under a new location. Then they MUST
publish a new TAL with a subjectPublicKeyInfo matching the new key, one
or more URIs, and a date by which the old key will be retired*.

I am not saying this is finished.. or even that it must be included now,
but I really think this would be useful, and it does not have to get
much more complicated than this.

*: Note.. on second thought I figured that the not-before-date I
mentioned earlier doesn't make sense here: just publish when ready, not
before.


Cheers
Tim





> Regards,
> Roque
>
>> regards,
>>
>>  Geoff
>>
>


--Apple-Mail=_9A2A277C-E8D7-4E21-8AF8-667D2F8BA9CF--

From andy@arin.net  Mon Feb 10 11:15:55 2014
From: Andy Newton <andy@arin.net>
To: Randy Bush <randy@psg.com>, Tim Bruijnzeels <tim@ripe.net>
Date: Mon, 10 Feb 2014 19:15:52 +0000
Message-ID: <CF1E8E92.2C5EA%andy@arin.net>
In-Reply-To: <m27g93671u.wl%randy@psg.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

On 2/9/14, 9:22 PM, "Randy Bush" <randy@psg.com> wrote:

>>But if the format is open to change, then I would feel more for a
>>key=value style, or dare I say even json.. this is parsed by the
>>machines after all.
>
>the assumption that json is a universally, or even widely, implemented
>format is not well founded.  let's not get carried away into lala land.
>we're just trying to allow multiple uris in a tal.

I agree with Randy that we don't need to get carried away (though JSON is
widely implemented). The current format works for me.

And I support the adoption of this work item.

-andy


From david@mandelberg.org  Mon Feb 10 14:09:55 2014
Date: Mon, 10 Feb 2014 17:25:32 -0500
From: David Mandelberg <david@mandelberg.org>
To: <sidr@ietf.org>
Message-ID: <16cfa5a26e9f464caf8f13463b3b61d7@mail.mandelberg.org>
Subject: [sidr] Fwd: New Version Notification for draft-dseomn-sidr-slurm-00.txt

Here's the SLURM document that I previously mentioned. Drink up :)

On 2014-02-06 13:53, David Mandelberg wrote:
> I'm working on a new draft called SLURM (Simplified Local internet
> nUmber Resource Management) that I hope to have out before the cutoff
> next week. I'm pretty sure it handles Bob's use case, and I think it
> could also handle Alice's use case if I understand that case
> correctly.

-------- Original Message --------
Subject: New Version Notification for draft-dseomn-sidr-slurm-00.txt
Date: 2014-02-10 17:00
From: internet-drafts@ietf.org
To: "David Mandelberg" <david@mandelberg.org>, David Mandelberg <david@mandelberg.org>


A new version of I-D, draft-dseomn-sidr-slurm-00.txt
has been successfully submitted by David Mandelberg and posted to the
IETF repository.

Name:		draft-dseomn-sidr-slurm
Revision:	00
Title:		Simplified Local internet nUmber Resource Management with the RPKI
Document date:	2014-02-10
Group:		Individual Submission
Pages:		7
URL:            http://www.ietf.org/internet-drafts/draft-dseomn-sidr-slurm-00.txt
Status:         https://datatracker.ietf.org/doc/draft-dseomn-sidr-slurm/
Htmlized:       http://tools.ietf.org/html/draft-dseomn-sidr-slurm-00


Abstract:
    The Resource Public Key Infrastructure (RPKI) is a global
    authorization infrastructure that allows the holder of Internet
    Number Resources (INRs) to make verifiable statements about those
    resources.  Internet Service Providers (ISPs) can use the RPKI to
    validate BGP route origination assertions.  Some ISPs locally use
    BGP with private address space or private AS numbers (see RFC6890).
    These local BGP routes cannot be verified by the global RPKI, and
    SHOULD be considered invalid based on the global RPKI (see RFC6491).
    The mechanisms described below provide ISPs with a way to make local
    assertions about private (reserved) INRs while using the RPKI's
    assertions about all other INRs.




Please note that it may take a couple of minutes from the time of
submission until the htmlized version and diff are available at
tools.ietf.org.

The IETF Secretariat

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/


From gih902@gmail.com  Mon Feb 10 15:01:59 2014
From: Geoff Huston <gih902@gmail.com>
In-Reply-To: <8451BEAE-465F-49AF-9AE0-DD6C8D567714@cisco.com>
Date: Tue, 11 Feb 2014 10:01:54 +1100
Message-Id: <BE1A23E7-E654-4267-8CBF-7B1610C0D93F@gmail.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <DCAF237A-C70A-4311-9232-69499F97CE0B@gmail.com> <8451BEAE-465F-49AF-9AE0-DD6C8D567714@cisco.com>
To: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

On 11 Feb 2014, at 3:23 am, Roque Gagliano (rogaglia) <rogaglia@cisco.com> wrote:

>
> I believe you should use Section 3.2 of
> draft-ietf-sidr-multiple-publication-points as a starting point. As
> you can see the recommended behaviour is to select a rule to fetch the
> TA certificate and stop when you fetch one that matches the TAL public
> key.
>
> 3.2.  Rules for Relying Parties (RP)
>
>    A RP can use different rules to select the URI from where fetch the
>    Trust Anchor certificate.  Some examples are:
>
>    o  Using the order provided in the TAL file
>
>    o  Selecting the URI randomly from the available list
>
>    o  Creating a prioritized list of URIs based on RP specific
>       parameters such as connection establishment delay
>
>    If the connection to the preferred URI fails or the fetched
>    certificate public key does not match the TAL public key, the RP
>    SHOULD fetch the TA certificate from the next URI of preference.


I'll add the following to the text in section 3, and re-submit this as a
-01 draft. (I hope that the wg adoption process does not get confused by
this change - is this ok WG chairs?)


   In the case where a TAL contains multiple URIs, RP may use a locally
   defined preference rule to select the URI from where fetch the Trust
   Anchor certificate.  Some examples are:
   o  Using the order provided in the TAL
   o  Selecting the URI randomly from the available list
   o  Creating a prioritized list of URIs based on RP specific
      parameters, such as connection establishment delay

   If the connection to the preferred URI fails, or the fetched CA
   certificate public key does not match the TAL public key, the RP
   SHOULD fetch the CA certificate from the next URI, according to the
   local preference ranking.


Geoff


From randy@psg.com  Mon Feb 10 23:16:32 2014
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCE701A08D7 for <sidr@ietfa.amsl.com>; Mon, 10 Feb 2014 23:16:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A4KM3lRDd7sb for <sidr@ietfa.amsl.com>; Mon, 10 Feb 2014 23:16:31 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id 73E4A1A0741 for <sidr@ietf.org>; Mon, 10 Feb 2014 23:16:31 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from <randy@psg.com>) id 1WD7a1-00079d-Pt; Tue, 11 Feb 2014 07:16:30 +0000
Date: Tue, 11 Feb 2014 16:16:28 +0900
Message-ID: <m2sirq15mb.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Geoff Huston <gih902@gmail.com>
In-Reply-To: <BE1A23E7-E654-4267-8CBF-7B1610C0D93F@gmail.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <DCAF237A-C70A-4311-9232-69499F97CE0B@gmail.com> <8451BEAE-465F-49AF-9AE0-DD6C8D567714@cisco.com> <BE1A23E7-E654-4267-8CBF-7B1610C0D93F@gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for	draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 07:16:33 -0000

>    If the connection to the preferred URI fails, or the fetched CA
>    certificate public key does not match the TAL public key, the RP
>    SHOULD fetch the CA certificate from the next URI, according to the
>    local preference ranking.

in the case of a key mismatch, there would be significant benefit of
reporting it.  but to whom and how?  

randy


From iesg-secretary@ietf.org  Tue Feb 11 05:16:41 2014
Return-Path: <iesg-secretary@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2B791A01F1; Tue, 11 Feb 2014 05:16:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IJ_ArqW6iw-D; Tue, 11 Feb 2014 05:16:35 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id DED3F1A00BC; Tue, 11 Feb 2014 05:16:35 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 5.0.0
Auto-Submitted: auto-generated
Precedence: bulk
Sender: <iesg-secretary@ietf.org>
Message-ID: <20140211131635.4764.88322.idtracker@ietfa.amsl.com>
Date: Tue, 11 Feb 2014 05:16:35 -0800
Cc: sidr@ietf.org
Subject: [sidr] Last Call: <draft-ietf-sidr-policy-qualifiers-01.txt> (Policy Qualifiers in RPKI Certificates) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Reply-To: ietf@ietf.org
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 13:16:42 -0000

The IESG has received a request from the Secure Inter-Domain Routing WG
(sidr) to consider the following document:
- 'Policy Qualifiers in RPKI Certificates'
  <draft-ietf-sidr-policy-qualifiers-01.txt> as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-02-25. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


   This document updates RFC 6487 by clarifying the inclusion of policy
   qualifiers in the certificate policies extension of RPKI resource
   certificates.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-sidr-policy-qualifiers/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-sidr-policy-qualifiers/ballot/


No IPR declarations have been submitted directly on this I-D.



From prvs=7119c26555=sandra.murphy@parsons.com  Tue Feb 11 08:35:57 2014
Return-Path: <prvs=7119c26555=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6E491A0614 for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 08:35:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2x0_aZnjWUfF for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 08:35:56 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 19EEB1A05E6 for <sidr@ietf.org>; Tue, 11 Feb 2014 08:35:56 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1BGW81j024091 for <sidr@ietf.org>; Tue, 11 Feb 2014 10:35:54 -0600
Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1hymqb0yj4-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <sidr@ietf.org>; Tue, 11 Feb 2014 10:35:50 -0600
Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s1BGYpiF032559 for <sidr@ietf.org>; Tue, 11 Feb 2014 10:34:51 -0600
Received: from HSV-CAS003.huntsville.ads.sparta.com ([10.62.8.138]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s1BGYckW018028 for <sidr@ietf.org>; Tue, 11 Feb 2014 10:34:38 -0600
Received: from HSV-MB001.huntsville.ads.sparta.com ([fe80::292e:cdb7:1aa6:ce74]) by HSV-CAS003.huntsville.ads.sparta.com ([fe80::a415:ede2:34ef:d13f%11]) with mapi id 14.02.0342.003; Tue, 11 Feb 2014 10:34:37 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: two imminent meeting deadlines
Thread-Index: Ac8nQ1vTpaD+u9iHRKyLEsIELoQFLQ==
Date: Tue, 11 Feb 2014 16:34:38 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6940A9792@HSV-MB001.huntsville.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-02-11_05:2014-02-11,2014-02-11,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=110.568 compositescore=0.0527339388916443 urlsuspect_oldscore=0.527339388916442 suspectscore=0 recipient_domain_to_sender_totalscore=1469 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=7945 rbsscore=0.0527339388916443 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.3 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402110070
Subject: [sidr] two imminent meeting deadlines
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 16:35:57 -0000

There are two meeting deadlines coming up soon:

2014-02-14 (Friday): Internet Draft submission cut-off (for all drafts, including -00) by UTC 23:59, upload using IETF ID Submission Tool.
2014-02-17 (Monday): Draft Working Group agendas due by UTC 23:59, upload using IETF Meeting Materials Management Tool.

If you have something to submit as a draft, keep Friday's deadline in mind.

The agenda currently is definitely NOT full.  The chairs have received a few private requests for agenda time and there have been a few requests on the list.  If you have a topic you want to add to the agenda, please do make a request.

Monday's deadline is a draft agenda.  The revised agenda is due Monday 24 Feb so later requests are OK.  But an early suggestion of what the agenda will be would be good for wg preparation (who knows, maybe pre-discussion on the list!)

--Sandy, speaking as wg co-chair


From kent@bbn.com  Tue Feb 11 10:12:15 2014
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F61D1A067E for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 10:12:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.149
X-Spam-Level: 
X-Spam-Status: No, score=-4.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_35=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aJIjRl90nfPv for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 10:12:13 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 1EC6B1A066C for <sidr@ietf.org>; Tue, 11 Feb 2014 10:12:13 -0800 (PST)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:52864) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WDHoa-000HoP-3m for sidr@ietf.org; Tue, 11 Feb 2014 13:12:12 -0500
Message-ID: <52FA67FB.9040601@bbn.com>
Date: Tue, 11 Feb 2014 13:12:11 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net>
In-Reply-To: <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 18:12:15 -0000

Tim,
>
>> --
>>
>> presuming there is consensus to adopt, i have some some nits we can
>> discuss when it is a wg item.
>>
>>   o i thought folk wanted a blank line between the URI(s) and the key
>>
> I am not sure that I care too much about this as long as it's well defined.
>
> But if the format is open to change, then I would feel more for a key=value style, or dare I say even json.. this is parsed by the machines after all. And using something like json makes it much more flexible regarding ordering of elements, or extending should that ever be necessary.
I'm not a fan of switching to JSON at this point.
>
>>   o last para of 2.2 says
>>
>>        Where the TAL contains two or more rsync URIs, then the same
>>        self-signed CA certificate MUST be found at each referenced
>>        location.
>>
>>     maybe should say what happens when one or more do not have the same
>>     cert?  does the whole TAL get ignored?
> I agree, but on top of that having multiple publication points by definition implies that there will be differences, albeit short lived.
>
> I would like to see wording along these lines.
> = TA MUST increment serial number whenever they re-issue the CA cert
> = TA SHOULD* publish the CA cert in all locations 'asap', within 1 hour?
> = TA SHOULD* remove the cert from unmaintained locations
>    *: They may not be able to if this is hosted at a third party
I agree with Randy that the references to "TA" above should just be "CA"

I'm puzzled by the references to a "third party" above. Why would an
entity acting as a TA not want to control all of the locations where its
TAL identifies as places from which to acquire the cert?
> To handle all this more elegantly I think there should be a mechanism for TAs to publish replacement TALs. To add, or remove URIs, or even to do planned key rolls (for example: TA wants change HSM vendor). What if the TA could optionally publish one (1) signed object containing an updated TAL? And possibly some dates: do-not-use-this-before, and do-not-use-other-after?
These are desirable, additional features, but I agree with Randy that
they merit a new work item. The change to allow a TAL to contain pointers
to multiple locations for cert retrieval seems to be an easy change that
we can agree upon.
> This would allow RPs to use existing TALs to discover updates and process automatically (it is signed by the key that I trust). It could stop re-trying retired URIs, and start using the new ones. And even planned key rolls could be as simple as this on this level (provided the TA re-issues and publishes all the products before the change date, under the new key and in its own repositories).
As I noted above, this seems like a good, new work item.

Steve


From tim@ripe.net  Tue Feb 11 12:37:33 2014
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6F161A072A for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 12:37:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level: 
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_35=0.6, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id opuFNiAoX3hD for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 12:37:30 -0800 (PST)
Received: from koko.ripe.net (koko.ripe.net [193.0.19.72]) by ietfa.amsl.com (Postfix) with ESMTP id 42ADD1A0709 for <sidr@ietf.org>; Tue, 11 Feb 2014 12:37:30 -0800 (PST)
Received: from titi.ripe.net ([193.0.23.11]) by koko.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1WDK4z-0000xh-MU; Tue, 11 Feb 2014 21:37:28 +0100
Received: from s258-sslvpn-1.ripe.net ([193.0.20.231] helo=vpn-163.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1WDK4z-0006Ov-Gm; Tue, 11 Feb 2014 21:37:17 +0100
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <52FA67FB.9040601@bbn.com>
Date: Tue, 11 Feb 2014 21:37:17 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <354F03D4-48DB-4946-BFDF-D20C6737EA1C@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <52FA67FB.9040601@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1510)
X-RIPE-Spam-Level: ---
X-RIPE-Spam-Report: Spam Total Points:   -3.5 points pts rule name              description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071997e874b695e54a9b33f65473b00813b7
Cc: sidr@ietf.org
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 20:37:34 -0000

Hi Steve

On Feb 11, 2014, at 7:12 PM, Stephen Kent <kent@bbn.com> wrote:

> Tim,
>>
>>> --
>>>
>>> presuming there is consensus to adopt, i have some some nits we can
>>> discuss when it is a wg item.
>>>
>>>  o i thought folk wanted a blank line between the URI(s) and the key
>>>
>> I am not sure that I care too much about this as long as it's well defined.
>>
>> But if the format is open to change, then I would feel more for a key=value style, or dare I say even json.. this is parsed by the machines after all. And using something like json makes it much more flexible regarding ordering of elements, or extending should that ever be necessary.
> I'm not a fan of switching to JSON at this point.

I noticed I stand alone in the matter. No worries. Note the 'if' and let's move on..

>>
>>>  o last para of 2.2 says
>>>
>>>       Where the TAL contains two or more rsync URIs, then the same
>>>       self-signed CA certificate MUST be found at each referenced
>>>       location.
>>>
>>>    maybe should say what happens when one or more do not have the same
>>>    cert?  does the whole TAL get ignored?
>> I agree, but on top of that having multiple publication points by definition implies that there will be differences, albeit short lived.
>>
>> I would like to see wording along these lines.
>> = TA MUST increment serial number whenever they re-issue the CA cert
>> = TA SHOULD* publish the CA cert in all locations 'asap', within 1 hour?
>> = TA SHOULD* remove the cert from unmaintained locations
>>   *: They may not be able to if this is hosted at a third party
> I agree with Randy that the references to "TA" above should just be "CA"

Sure. I used TA rather broadly here, including the CA operated by the Trust Anchor entity.

> I'm puzzled by the references to a "third party" above. Why would an entity acting as
> a TA not want to control all of the locations where its TAL identifies as places from
> which to acquire the cert?

Actually I think this could be a feature. Call me paranoid, but publishing the cert in places where even your own disgruntled operators can't reach it, and remove it or replace it with an old one, seems to me like an idea to entertain. Such access generally does not require any HSM, card quorum etc. But doing this of course introduces the risk of these third party points going rogue. Hence the "no control" remark. But see below..

>> To handle all this more elegantly I think there should be a mechanism for TAs to publish replacement TALs. To add, or remove URIs, or even to do planned key rolls (for example: TA wants change HSM vendor). What if the TA could optionally publish one (1) signed object containing an updated TAL? And possibly some dates: do-not-use-this-before, and do-not-use-other-after?
> These are desirable, additional features, but I agree with Randy that they merit a new work item.
> The change to allow a TAL to contain pointers to multiple locations for cert retrieval seems to
> be an easy change that we can agree upon.
>> This would allow RPs to use existing TALs to discover updates and process automatically (it is signed by the key that I trust). It could stop re-trying retired URIs, and start using the new ones. And even planned key rolls could be as simple as this on this level (provided the TA re-issues and publishes all the products before the change date, under the new key and in its own repositories).
> As I noted above, this seems like a good, new work item.

Fair enough. I did not want to bring this up as a show stopper for going forward with the bis, but it seemed relevant to talk about this now.

The rogue third party risk could be mitigated by signed TALs. A signed (presumably controlled by an HSM and N out of M cards) statement could remove such a publication point from the list. On top of this RPs could regularly re-check certificates in multiple locations to find the most recent. They could also cache the most recent one they have found and refuse older ones. This re-checking should not be needed every few minutes, but once every 24 hours or something seems quite reasonable to me.

But since I don't think it's feasible to get the signed TAL idea worked out for the bis, it's probably best for now to say that the entity acting as a TA should only publish the CA certificate in locations it has full control over. This would also make zealous re-checking by RPs less relevant at this stage.

Tim

>
> Steve
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
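
The URI fallback rule in Geoff's proposed text and the "cache the most recent one and refuse older ones" check Tim suggests, as an added example that is not part of the thread, the draft, or any RP implementation. Assumptions: the `fetch` hook, the `rank` and `min_serial` parameters, the `example` hosts and the constructed certificate bytes are all hypothetical, the serial number is used as the recency measure, and the TAL parser accepts the key with or without a blank line after the URIs.

```python
import base64

def der_tlv(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def der_read(buf, off):
    """Return (tag, content_start, end) for the TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    start, n = off + 2, first
    if first >= 0x80:                                  # long-form length
        start = off + 2 + (first & 0x7F)
        n = int.from_bytes(buf[off + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + n

def cert_serial_and_spki(der):
    """Extract (serialNumber, raw SubjectPublicKeyInfo TLV) from an X.509 cert."""
    _, off, _ = der_read(der, 0)                       # Certificate SEQUENCE
    _, off, tbs_end = der_read(der, off)               # tbsCertificate SEQUENCE
    fields = []
    while off < tbs_end:
        tag, start, end = der_read(der, off)
        fields.append((tag, off, start, end))
        off = end
    if fields and fields[0][0] == 0xA0:                # skip explicit [0] version
        fields = fields[1:]
    # Remaining order: serial, signature, issuer, validity, subject, SPKI
    if len(fields) < 6 or fields[0][0] != 0x02 or fields[5][0] != 0x30:
        raise ValueError("not an X.509 tbsCertificate")
    serial = int.from_bytes(der[fields[0][2]:fields[0][3]], "big")
    return serial, der[fields[5][1]:fields[5][3]]

def parse_tal(text):
    """Split a TAL into its rsync URIs and the DER SubjectPublicKeyInfo."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    uris = [ln for ln in lines if ln.startswith("rsync://")]
    key_b64 = "".join(ln for ln in lines if not ln.startswith("rsync://"))
    if not uris or not key_b64:
        raise ValueError("TAL needs at least one URI and a public key")
    return uris, base64.b64decode(key_b64, validate=True)

def fetch_ta_cert(tal_text, fetch, rank=None, min_serial=0):
    """Try the TAL's URIs in local preference order; return (uri, serial, events).
    fetch(uri) returns DER bytes or raises OSError (hypothetical transport hook).
    events lists every rejected URI so a key mismatch can be logged or reported."""
    uris, tal_spki = parse_tal(tal_text)
    ordered = sorted(uris, key=rank) if rank else uris  # default: TAL order
    events = []
    for uri in ordered:
        try:
            serial, spki = cert_serial_and_spki(fetch(uri))
        except OSError as exc:
            events.append((uri, "fetch-failed", str(exc)))
            continue
        except (ValueError, IndexError) as exc:
            events.append((uri, "unparseable", str(exc)))
            continue
        if spki != tal_spki:                           # wrong key: try next URI
            events.append((uri, "key-mismatch", ""))
            continue
        if serial < min_serial:                        # older than cached copy
            events.append((uri, "stale-serial", f"{serial} < {min_serial}"))
            continue
        # A real RP must still verify the self-signature before trusting it.
        return uri, serial, events
    return None, None, events

# --- Constructed sample data: placeholder keys, hosts and cert-shaped DER ---
def sample_spki(fill):
    return der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" + fill * 32))

def sample_cert(serial, spki):
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),
              der_tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big")),
              seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), der_tlv(0x03, b"\x00"))

TA_SPKI = sample_spki(b"\x11")
URIS = ["rsync://a.example/ta.cer", "rsync://b.example/ta.cer", "rsync://c.example/ta.cer"]
SAMPLE_TAL = "\n".join(URIS) + "\n\n" + base64.b64encode(TA_SPKI).decode() + "\n"

def sample_fetch(uri):
    if uri == URIS[0]:
        raise OSError("connection refused")            # unreachable location
    if uri == URIS[1]:
        return sample_cert(9, sample_spki(b"\x22"))    # different public key
    return sample_cert(7, TA_SPKI)                     # matching key, serial 7

if __name__ == "__main__":
    print(fetch_ta_cert(SAMPLE_TAL, sample_fetch))
```

Passing the serial of the last accepted certificate as `min_serial` on the next run makes a location that serves an older copy show up as a `stale-serial` event instead of being accepted.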


From housley@vigilsec.com  Tue Feb 11 13:11:06 2014
Return-Path: <housley@vigilsec.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F6821A06DD; Tue, 11 Feb 2014 13:11:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level: 
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YgA-ngH_73rQ; Tue, 11 Feb 2014 13:11:04 -0800 (PST)
Received: from odin.smetech.net (mail.smetech.net [209.135.209.4]) by ietfa.amsl.com (Postfix) with ESMTP id 6FEF81A06F2; Tue, 11 Feb 2014 13:11:02 -0800 (PST)
Received: from localhost (unknown [209.135.209.5]) by odin.smetech.net (Postfix) with ESMTP id 36B0C9A42C4; Tue, 11 Feb 2014 16:10:53 -0500 (EST)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([209.135.209.4]) by localhost (ronin.smeinc.net [209.135.209.5]) (amavisd-new, port 10024) with ESMTP id 2wXXwafOrHSn; Tue, 11 Feb 2014 16:10:30 -0500 (EST)
Received: from [172.20.40.95] (unknown [12.189.153.253]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 48D2A9A42B0; Tue, 11 Feb 2014 16:10:32 -0500 (EST)
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: text/plain; charset=us-ascii
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20140211131635.4764.88322.idtracker@ietfa.amsl.com>
Date: Tue, 11 Feb 2014 16:10:24 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <6C3F924B-EDFF-42BC-9075-D4930636E643@vigilsec.com>
References: <20140211131635.4764.88322.idtracker@ietfa.amsl.com>
To: ietf@ietf.org
X-Mailer: Apple Mail (2.1085)
Cc: IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-policy-qualifiers-01.txt> (Policy Qualifiers in RPKI Certificates) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 21:11:06 -0000

Implementers do not do anything with a CPS pointer in a policy qualifier.  So, this addition will not impact interoperability.  That said, I understand that some people want this notice in the certificate, and I see no reason to prevent this document from moving forward.

Russ


On Feb 11, 2014, at 8:16 AM, The IESG wrote:
>
> The IESG has received a request from the Secure Inter-Domain Routing WG
> (sidr) to consider the following document:
> - 'Policy Qualifiers in RPKI Certificates'
>  <draft-ietf-sidr-policy-qualifiers-01.txt> as Proposed Standard
>
> The IESG plans to make a decision in the next few weeks, and solicits
> final comments on this action. Please send substantive comments to the
> ietf@ietf.org mailing lists by 2014-02-25. Exceptionally, comments may be
> sent to iesg@ietf.org instead. In either case, please retain the
> beginning of the Subject line to allow automated sorting.
>
> Abstract
>
>   This document updates RFC 6487 by clarifying the inclusion of policy
>   qualifiers in the certificate policies extension of RPKI resource
>   certificates.
>
> The file can be obtained via
> http://datatracker.ietf.org/doc/draft-ietf-sidr-policy-qualifiers/
>
> IESG discussion can be tracked via
> http://datatracker.ietf.org/doc/draft-ietf-sidr-policy-qualifiers/ballot/
>
> No IPR declarations have been submitted directly on this I-D.
>


From randy@psg.com  Tue Feb 11 15:06:31 2014
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33E5A1A0794 for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 15:06:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id joc7unoZyM_B for <sidr@ietfa.amsl.com>; Tue, 11 Feb 2014 15:06:29 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id 9E9651A078F for <sidr@ietf.org>; Tue, 11 Feb 2014 15:06:29 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from <randy@psg.com>) id 1WDMPL-0000mQ-JO; Tue, 11 Feb 2014 23:06:28 +0000
Date: Wed, 12 Feb 2014 08:06:26 +0900
Message-ID: <m2iosltfkd.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <52FA67FB.9040601@bbn.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <52FA67FB.9040601@bbn.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] working group adoption poll for	draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 23:06:31 -0000

> I'm puzzled by the references to a "third party" above. Why would an
> entity acting as a TA not want to control all of the locations where
> its TAL identifies as places from which to acquire the cert?

outsourcing.  think of it as rendition.

randy


From randy@psg.com  Tue Feb 11 15:09:41 2014
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC3261A07B8; Tue, 11 Feb 2014 15:09:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LobSoQa7-MrN; Tue, 11 Feb 2014 15:09:40 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id 067861A0728; Tue, 11 Feb 2014 15:09:40 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from <randy@psg.com>) id 1WDMSQ-0000mj-I2; Tue, 11 Feb 2014 23:09:39 +0000
Date: Wed, 12 Feb 2014 08:09:37 +0900
Message-ID: <m2ha85tff2.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Russ Housley <housley@vigilsec.com>
In-Reply-To: <6C3F924B-EDFF-42BC-9075-D4930636E643@vigilsec.com>
References: <20140211131635.4764.88322.idtracker@ietfa.amsl.com> <6C3F924B-EDFF-42BC-9075-D4930636E643@vigilsec.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Cc: ietf@ietf.org, IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-policy-qualifiers-01.txt>	(Policy Qualifiers in RPKI Certificates) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Feb 2014 23:09:41 -0000

> Implementers do not do anything with a CPS pointer in a policy
> qualifier.  So, this addition will not impact interoperability.

in other words it has no operational use

> That said, I understand that some people want this notice in the
> certificate, and I see no reason to prevent this document from moving
> forward.

wow, that encourages healthy discussion

randy


From internet-drafts@ietf.org  Wed Feb 12 06:44:39 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 786051A09A6; Wed, 12 Feb 2014 06:44:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6lr0IWw0a9qD; Wed, 12 Feb 2014 06:44:37 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id B74551A0996; Wed, 12 Feb 2014 06:44:37 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.0.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140212144437.5041.73993.idtracker@ietfa.amsl.com>
Date: Wed, 12 Feb 2014 06:44:37 -0800
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-publication-05.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 14:44:39 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

        Title           : A Publication Protocol for the Resource Public Key Infrastructure (RPKI)
        Authors         : Samuel Weiler
                          Anuja Sonalker
                          Rob Austein
	Filename        : draft-ietf-sidr-publication-05.txt
	Pages           : 12
	Date            : 2014-02-12

Abstract:
   This document defines a protocol for publishing Resource Public Key
   Infrastructure (RPKI) objects.  Even though the RPKI will have many
   participants issuing certificates and creating other objects, it is
   operationally useful to consolidate the publication of those objects.
   This document provides the protocol for doing so.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-publication/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-sidr-publication-05

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-publication-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From sra@hactrn.net  Wed Feb 12 06:52:01 2014
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAFFD1A09B1 for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 06:52:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 988r-D8e7XAO for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 06:52:00 -0800 (PST)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by ietfa.amsl.com (Postfix) with ESMTP id BE22D1A09AE for <sidr@ietf.org>; Wed, 12 Feb 2014 06:51:59 -0800 (PST)
Received: from thrintun.hactrn.net (thrintun.hactrn.net [IPv6:2002:425c:4242:0:219:d1ff:fe12:5d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id A44E37304D for <sidr@ietf.org>; Wed, 12 Feb 2014 14:51:56 +0000 (UTC)
Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id 626A2170A4 for <sidr@ietf.org>; Wed, 12 Feb 2014 09:51:56 -0500 (EST)
Date: Wed, 12 Feb 2014 09:51:56 -0500
From: Rob Austein <sra@hactrn.net>
To: sidr@ietf.org
In-Reply-To: <20140212144437.5041.73993.idtracker@ietfa.amsl.com>
References: <20140212144437.5041.73993.idtracker@ietfa.amsl.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/23.4 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20140212145156.626A2170A4@thrintun.hactrn.net>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-publication-05.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 14:52:02 -0000

Updated per discussion last November in Vancouver.  Some minor
formatting issues I don't have time to fix today, ignore for now.

NB: My co-authors have not seen this version, blame me, not them.


From kent@bbn.com  Wed Feb 12 07:17:52 2014
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727B21A0398 for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 07:17:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.749
X-Spam-Level: 
X-Spam-Status: No, score=-4.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZqL6qCCWJXSE for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 07:17:50 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 2CFEB1A0320 for <sidr@ietf.org>; Wed, 12 Feb 2014 07:17:50 -0800 (PST)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:52944) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WDbZM-0007U6-Mc; Wed, 12 Feb 2014 10:17:48 -0500
Message-ID: <52FB9098.9000509@bbn.com>
Date: Wed, 12 Feb 2014 10:17:44 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Tim Bruijnzeels <tim@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <52FA67FB.9040601@bbn.com> <354F03D4-48DB-4946-BFDF-D20C6737EA1C@ripe.net>
In-Reply-To: <354F03D4-48DB-4946-BFDF-D20C6737EA1C@ripe.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: sidr@ietf.org
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 15:17:52 -0000

Tim,

>>> ...
>>>
>> I'm puzzled by the references to a "third party" above. Why would an entity acting as
>> a TA not want to control all of the locations where its TAL identifies as places from
>> which to acquire the cert?
> Actually I think this could be a feature. Call me paranoid, but publishing the cert in places where even your own disgruntled operators can't reach it, and remove it or replace it with an old one, seems to me like an idea to entertain. Such access generally does not require any HSM, card quorum etc. But doing this of course introduces the risk of these third party points going rogue. Hence the "no control" remark. But see below..
I don't see the tradeoff as being a positive one, but at least I now 
understand the motivation for your statement.
>> ...
>> As I noted above, this seems like a good, new work item.
> Fair enough. I did not want to bring this up as a show stopper for going forward with the bis, but it seemed relevant to talk about this now.
sure.
> The rogue third party risk could be mitigated by signed TALs. A signed (presumably controlled by an HSM and N out of M cards) statement could remove such a publication point from the list. On top of this RPs could regularly re-check certificates in multiple locations to find the most recent. They could also cache the most recent one they have found and refuse older ones. This re-checking should not be needed every few minutes, but once every 24 hours or something seems quite reasonable to me.
a once per day retrieval seems quite reasonable to me too.
> But since I don't think it's feasible to get the signed TAL idea worked out for the bis, it's probably best for now to say that the entity acting as a TA should only publish the CA certificate in locations it has full control over. This would also make zealous re-checking by RPs less relevant at this stage.
agreed.

I'm happy to work with you on a new doc that explores added security 
functions for TALs.

Steve
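
The relying-party behaviour discussed in the message above (check the locations a TAL lists, keep the most recent certificate found, refuse older ones, re-check about once every 24 hours), as an added example that is not part of the thread or of any RP implementation. It assumes "most recent" is judged by notBefore and that the certificate's key must match the key in the TAL; the record type, function names and sample URIs are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

RECHECK_INTERVAL = timedelta(hours=24)  # "once every 24 hours" from the thread


@dataclass(frozen=True)
class FetchedCert:
    """What an RP learned from one TAL location (hypothetical record type)."""
    uri: str
    spki: bytes            # subjectPublicKeyInfo taken from the fetched certificate
    not_before: datetime   # assumption: recency is compared on notBefore


@dataclass
class TaCache:
    best: Optional[FetchedCert] = None
    last_check: Optional[datetime] = None


def due_for_recheck(cache: TaCache, now: datetime) -> bool:
    """True when the TAL locations have never been polled or the interval elapsed."""
    return cache.last_check is None or now - cache.last_check >= RECHECK_INTERVAL


def select_ta_cert(tal_spki: bytes, fetched: List[FetchedCert], cache: TaCache,
                   now: datetime) -> Tuple[Optional[FetchedCert], List[Tuple[str, str]]]:
    """Pick the TA certificate to trust and report locations that look wrong.

    Signature and validity-period checks are out of scope here; a real RP
    performs them before a certificate ever becomes a candidate.
    """
    findings: List[Tuple[str, str]] = []
    candidates = []
    for cert in fetched:
        if cert.spki != tal_spki:
            # Location served a certificate for a key the TAL does not name.
            findings.append((cert.uri, "key-mismatch"))
        else:
            candidates.append(cert)

    newest = max(candidates, key=lambda c: c.not_before, default=None)
    for cert in candidates:
        if cache.best is not None and cert.not_before < cache.best.not_before:
            # Older than what this RP has already accepted: refuse it.
            findings.append((cert.uri, "older-than-cache"))
        elif cert.not_before < newest.not_before:
            # Acceptable key, but another location has something newer.
            findings.append((cert.uri, "stale-location"))

    if newest is not None and (cache.best is None
                               or newest.not_before >= cache.best.not_before):
        cache.best = newest
    cache.last_check = now
    return cache.best, findings


# Constructed sample data: one up-to-date location, one serving an old
# certificate, one serving a certificate for a different key.
TAL_KEY = b"constructed-tal-public-key"
CURRENT = FetchedCert("rsync://a.example/ta.cer", TAL_KEY,
                      datetime(2014, 2, 10, tzinfo=timezone.utc))
OLD = FetchedCert("rsync://b.example/ta.cer", TAL_KEY,
                  datetime(2014, 1, 1, tzinfo=timezone.utc))
WRONG_KEY = FetchedCert("rsync://c.example/ta.cer", b"some-other-key",
                        datetime(2014, 2, 11, tzinfo=timezone.utc))

if __name__ == "__main__":
    cache = TaCache()
    t0 = datetime(2014, 2, 12, 15, 0, tzinfo=timezone.utc)
    print(select_ta_cert(TAL_KEY, [CURRENT, OLD, WRONG_KEY], cache, t0))
    # A day later only the old copy is reachable: the cached one is kept.
    print(select_ta_cert(TAL_KEY, [OLD], cache, t0 + RECHECK_INTERVAL))
```
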


From kent@bbn.com  Wed Feb 12 07:33:05 2014
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53C9A1A0342 for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 07:33:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.728
X-Spam-Level: 
X-Spam-Status: No, score=-3.728 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tBJ3oEwSGfZr for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 07:33:03 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 503951A08B8 for <sidr@ietf.org>; Wed, 12 Feb 2014 07:33:03 -0800 (PST)
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:52986) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WDbo6-0007hF-7F for sidr@ietf.org; Wed, 12 Feb 2014 10:33:02 -0500
Message-ID: <52FB942D.4070404@bbn.com>
Date: Wed, 12 Feb 2014 10:33:01 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
CC: sidr wg list <sidr@ietf.org>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com>	<m2ha8a8cb1.wl%randy@psg.com>	<1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net>	<52FA67FB.9040601@bbn.com> <m2iosltfkd.wl%randy@psg.com>
In-Reply-To: <m2iosltfkd.wl%randy@psg.com>
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [sidr] working group adoption poll for	draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 15:33:05 -0000

Randy,
>> I'm puzzled by the references to a "third party" above. Why would an
>> entity acting as a TA not want to control all of the locations where
>> its TAL identifies as places from which to acquire the cert?
> outsourcing.  think of it as rendition.
>
> randy
>
Ah, so a TA kidnaps a cert, blindfolds it, pours water over its
signature, and forces the cert to disclose the private key used to
sign it.

Got it.

No problem.

Steve


From hallam@gmail.com  Wed Feb 12 11:52:55 2014
Return-Path: <hallam@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E05C11A06CF; Wed, 12 Feb 2014 11:52:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PpiNvO4GkCbC; Wed, 12 Feb 2014 11:52:51 -0800 (PST)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 0665E1A06BE; Wed, 12 Feb 2014 11:52:50 -0800 (PST)
Received: by mail-lb0-f172.google.com with SMTP id c11so7606731lbj.3 for <multiple recipients>; Wed, 12 Feb 2014 11:52:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=cXLxHTTxq1GKrHHEuUohpooWoAC+ExqEmN2+hgxa++Y=; b=zsMv3tc2u6HXFIwHRVDlwfis2JpNPwgMixmEXYs+N5AyYyhkC3sG6Xq5/Uv6kmk6Mv WXa6yuog/M1LjV4wYzv6uZM/ZB38++QT8XyLJANZTEfe27xQxSN0+uG6+YDxftSosczd cNVa9gNx87v4TAOSurir8i4AFh/rZ+di47X/pbAG8rGK2+g4OQdiMYLaDfO0iX9AkJ29 soTOfgWRHtUkJ1w675dmgt3CWJ9Ij3sxOupoWdxNpiEqzHSykn1P1GY/Ng411ezvYCFm Pwe+nuB6hq+qhexfiXFjhrF3MQ3JjgFXkXYZwxjQEcqC98Tdxu/CDJ9K1gc1dzKkHM3+ fbmw==
MIME-Version: 1.0
X-Received: by 10.152.43.103 with SMTP id v7mr3183622lal.46.1392234769463; Wed, 12 Feb 2014 11:52:49 -0800 (PST)
Received: by 10.112.37.168 with HTTP; Wed, 12 Feb 2014 11:52:49 -0800 (PST)
In-Reply-To: <m2ha85tff2.wl%randy@psg.com>
References: <20140211131635.4764.88322.idtracker@ietfa.amsl.com> <6C3F924B-EDFF-42BC-9075-D4930636E643@vigilsec.com> <m2ha85tff2.wl%randy@psg.com>
Date: Wed, 12 Feb 2014 14:52:49 -0500
Message-ID: <CAMm+LwgMHVPK3aAp5SCQFFXqKJyhsOFpFk_hwpmShv4YTCzj3Q@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Randy Bush <randy@psg.com>
Content-Type: multipart/alternative; boundary=001a11c34dcae0bcc704f23aea69
Cc: IETF Discussion Mailing List <ietf@ietf.org>, IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-policy-qualifiers-01.txt> (Policy Qualifiers in RPKI Certificates) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 19:52:56 -0000

--001a11c34dcae0bcc704f23aea69
Content-Type: text/plain; charset=ISO-8859-1

On Tue, Feb 11, 2014 at 6:09 PM, Randy Bush <randy@psg.com> wrote:

> > Implementers do not do anything with a CPS pointer in a policy
> > qualifier.  So, this addition will not impact interoperability.
>
> in other words it has no operational use


It has a legal significance.

The terms and conditions are specified within the four corners of the
certificate. This has huge importance in any legal dispute arising out of
the use or misuse of the certificate and allows the issuer to control their
exposure to litigation risk.

The fact that relying parties choose to ignore the policy information does
not mean that it does not affect their ability to hold the issuer liable.



-- 
Website: http://hallambaker.com/


--001a11c34dcae0bcc704f23aea69--


From sra@hactrn.net  Wed Feb 12 13:06:24 2014
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 175341A06B7; Wed, 12 Feb 2014 13:06:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GUv0lOoCqubq; Wed, 12 Feb 2014 13:06:22 -0800 (PST)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [66.92.66.68]) by ietfa.amsl.com (Postfix) with ESMTP id 0BFBE1A0620; Wed, 12 Feb 2014 13:06:22 -0800 (PST)
Received: from thrintun.hactrn.net (thrintun.hactrn.net [IPv6:2002:425c:4242:0:219:d1ff:fe12:5d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id 14B7B7304C; Wed, 12 Feb 2014 21:06:20 +0000 (UTC)
Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id BE1EC170A4; Wed, 12 Feb 2014 16:06:19 -0500 (EST)
Date: Wed, 12 Feb 2014 16:06:19 -0500
From: Rob Austein <sra@hactrn.net>
To: IETF Discussion Mailing List <ietf@ietf.org>, IETF SIDR <sidr@ietf.org>
In-Reply-To: <CAMm+LwgMHVPK3aAp5SCQFFXqKJyhsOFpFk_hwpmShv4YTCzj3Q@mail.gmail.com>
References: <20140211131635.4764.88322.idtracker@ietfa.amsl.com> <6C3F924B-EDFF-42BC-9075-D4930636E643@vigilsec.com> <m2ha85tff2.wl%randy@psg.com> <CAMm+LwgMHVPK3aAp5SCQFFXqKJyhsOFpFk_hwpmShv4YTCzj3Q@mail.gmail.com>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/23.4 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20140212210619.BE1EC170A4@thrintun.hactrn.net>
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-policy-qualifiers-01.txt> (Policy Qualifiers in RPKI Certificates) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 21:06:24 -0000

Since we seem to be re-hashing some of the issues discussed during
WGLC of this draft:

I don't agree that this draft is harmless: I think it's an attractive
nuisance.  Given that we already have an RIR which makes people sign a
non-disclosure agreement (!) to get a copy of their trust anchor
locator, it's not all that far-fetched to imagine that same RIR adding
another contractual requirement in which the user of their trust
anchor locator is also made to promise that they will perform
additional checks outside the core specification using the URI
specified in the policy qualifier.  The draft doesn't rule this out,
it just says that the draft itself adds no such processing
requirements.  I do not find this particularly reassuring.

That said, the RIR in question has already demonstrated that they
don't need policy qualifiers to impose whacky restrictions outside the
scope of the protocol architecture, so denying them use of this policy
qualifier hack wouldn't gain the user community all that much.


From ggm@algebras.org  Wed Feb 12 15:09:55 2014
Return-Path: <ggm@algebras.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18D691A0025 for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 15:09:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level: 
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tz2SSNppxIM5 for <sidr@ietfa.amsl.com>; Wed, 12 Feb 2014 15:09:52 -0800 (PST)
Received: from mail-pa0-f53.google.com (mail-pa0-f53.google.com [209.85.220.53]) by ietfa.amsl.com (Postfix) with ESMTP id 6809F1A0024 for <sidr@ietf.org>; Wed, 12 Feb 2014 15:09:52 -0800 (PST)
Received: by mail-pa0-f53.google.com with SMTP id lj1so9825683pab.26 for <sidr@ietf.org>; Wed, 12 Feb 2014 15:09:51 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=KyrTW4mb/34vTW648aZoKH5g0qrcbgFB+TJgSvXgjgI=; b=VDy/m4BCd7yB1aGPIYoZ5YeTJ4cDx8jDzC01GGhUIwrDz+9KBmtuO1IQiSg1ojIlVd llA1abB1hoCDV8SfLK2PFukCN5NYJ79Q3v+WJbZ0gZRMjFDIaUXbo6G76oghzkUYzjCq uYS3vM00loUL0T6OTuh1zJEl+rn53jU46aPJYjEP5eAuXPTz1GjX9NMLUBkPXxkaghMS 1tTUiPCAk4yg0K1o8EByYvrzbR2RDr+7+p7XAUxRaQ/gFoO8pR3fEX5u3vd4L5WSzfQ7 6GBAg0Fa9/+qoL+w5O8zjyD2PclwfHH1IGpC3SnELwN9s6DI0RzPAyD0txZkmhz1iMB5 IglA==
X-Gm-Message-State: ALoCoQlpwJU64CLvdpKpPKvNblJ+YoV8HDUwEEHkZ9YQid06yGL6uMmiDEHDD4DZE2bgtcyWM+5+
MIME-Version: 1.0
X-Received: by 10.66.27.201 with SMTP id v9mr26175569pag.136.1392246591564; Wed, 12 Feb 2014 15:09:51 -0800 (PST)
Received: by 10.70.88.203 with HTTP; Wed, 12 Feb 2014 15:09:51 -0800 (PST)
X-Originating-IP: [2001:dc0:a000:4:154b:c651:8e62:8ab5]
In-Reply-To: <20140212210619.BE1EC170A4@thrintun.hactrn.net>
References: <20140211131635.4764.88322.idtracker@ietfa.amsl.com> <6C3F924B-EDFF-42BC-9075-D4930636E643@vigilsec.com> <m2ha85tff2.wl%randy@psg.com> <CAMm+LwgMHVPK3aAp5SCQFFXqKJyhsOFpFk_hwpmShv4YTCzj3Q@mail.gmail.com> <20140212210619.BE1EC170A4@thrintun.hactrn.net>
Date: Thu, 13 Feb 2014 09:09:51 +1000
Message-ID: <CAKr6gn3stGDKLowcpOz_ZmMENpC8onYpDT-FRyhUvXjkMjfTfQ@mail.gmail.com>
From: George Michaelson <ggm@algebras.org>
To: IETF Discussion Mailing List <ietf@ietf.org>
Content-Type: multipart/alternative; boundary=bcaec529987d87f69604f23dabcb
Cc: IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-policy-qualifiers-01.txt> (Policy Qualifiers in RPKI Certificates) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 23:09:55 -0000

--bcaec529987d87f69604f23dabcb
Content-Type: text/plain; charset=ISO-8859-1

Whilst I agree it has no operational consequence for current relying party
code, or consumers of the products of certificates embedded in online
systems, I don't agree with Randy's or Rob's conclusions regarding the
desirability or risks of this feature.

I think this is a useful addition to the qualities of information in a
certificate, and I support its status.

Since the drivers are non-operational, I don't feel it useful to try and
suggest there are any. I also think that should not preclude the adoption
of this requirement in certificates.

This is a documentation and risk-minimisation process which makes layer-9
happy.

-George


On Thu, Feb 13, 2014 at 7:06 AM, Rob Austein <sra@hactrn.net> wrote:

> Since we seem to be re-hashing some of the issues discussed during
> WGLC of this draft:
>
> I don't agree that this draft is harmless: I think it's an attractive
> nuisance.  Given that we already have an RIR which makes people sign a
> non-disclosure agreement (!) to get a copy of their trust anchor
> locator, it's not all that far-fetched to imagine that same RIR adding
> another contractual requirement in which the user of their trust
> anchor locator is also made to promise that they will perform
> additional checks outside the core specification using the URI
> specified in the policy qualifier.  The draft doesn't rule this out,
> it just says that the draft itself adds no such processing
> requirements.  I do not find this particularly reassuring.
>
> That said, the RIR in question has already demonstrated that they
> don't need policy qualifiers to impose whacky restrictions outside the
> scope of the protocol architecture, so denying them use of this policy
> qualifier hack wouldn't gain the user community all that much.
>
>


--bcaec529987d87f69604f23dabcb--


From randy@psg.com  Wed Feb 12 17:08:12 2014
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8003C1A009A; Wed, 12 Feb 2014 17:08:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B2nhmbu2Uly1; Wed, 12 Feb 2014 17:08:11 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id 238531A0091; Wed, 12 Feb 2014 17:08:11 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from <randy@psg.com>) id 1WDkme-0005BV-60; Thu, 13 Feb 2014 01:08:08 +0000
Date: Thu, 13 Feb 2014 10:08:06 +0900
Message-ID: <m2ob2brf9l.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
In-Reply-To: <CAMm+LwgMHVPK3aAp5SCQFFXqKJyhsOFpFk_hwpmShv4YTCzj3Q@mail.gmail.com>
References: <20140211131635.4764.88322.idtracker@ietfa.amsl.com> <6C3F924B-EDFF-42BC-9075-D4930636E643@vigilsec.com> <m2ha85tff2.wl%randy@psg.com> <CAMm+LwgMHVPK3aAp5SCQFFXqKJyhsOFpFk_hwpmShv4YTCzj3Q@mail.gmail.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Cc: IETF Discussion Mailing List <ietf@ietf.org>, IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Last Call: <draft-ietf-sidr-policy-qualifiers-01.txt> (Policy Qualifiers in RPKI Certificates) to Proposed Standard
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Feb 2014 01:08:12 -0000

>>> Implementers do not do anything with a CPS pointer in a policy
>>> qualifier.  So, this addition will not impact interoperability.
>> in other words it has no operational use
> It has a legal significance.

rhetorical question: in what jurisdiction(s)?

from 2804

   - The IETF, an international standards body, believes itself to be
     the wrong forum for designing protocol or equipment features that
     address needs arising from the laws of individual countries,
     because these laws vary widely across the areas that IETF standards
     are deployed in.  Bodies whose scope of authority correspond to a
     single regime of jurisdiction are more appropriate for this task.

this song has been repeated.

randy


From nobody Thu Feb 13 22:06:32 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E038E1A010A; Thu, 13 Feb 2014 22:06:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7AWdp37_jzVe; Thu, 13 Feb 2014 22:06:25 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A0471A00FF; Thu, 13 Feb 2014 22:06:25 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.0.0.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140214060625.4472.94145.idtracker@ietfa.amsl.com>
Date: Thu, 13 Feb 2014 22:06:25 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/Qy3VYZxzNLIKIQFtoErqMwZKeYs
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-origin-validation-signaling-04.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 06:06:30 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

        Title           : BGP Prefix Origin Validation State Extended Community
        Authors         : Pradosh Mohapatra
                          Keyur Patel
                          John Scudder
                          David Ward
                          Randy Bush
	Filename        : draft-ietf-sidr-origin-validation-signaling-04.txt
	Pages           : 5
	Date            : 2014-02-13

Abstract:
   As part of the origination AS validation process, it can be desirable
   to automatically consider the validation state of routes in the BGP
   decision process.  The purpose of this document is to provide a
   specification for doing so.  The document also defines a new BGP
   opaque extended community to carry the validation state inside an
   autonomous system to influence the decision process of the IBGP
   speakers.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-origin-validation-signaling/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-sidr-origin-validation-signaling-04

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-origin-validation-signaling-04


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Feb 14 13:25:04 2014
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3F311A0312; Fri, 14 Feb 2014 13:24:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-TCPdWjz7K2; Fri, 14 Feb 2014 13:24:55 -0800 (PST)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F0101A0331; Fri, 14 Feb 2014 13:24:45 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: i-d-announce@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 5.0.0.p1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20140214212445.20006.86281.idtracker@ietfa.amsl.com>
Date: Fri, 14 Feb 2014 13:24:45 -0800
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/kokydGvEV12tQAMyeYDdIW3w5w0
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-multiple-publication-points-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Feb 2014 21:24:58 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Secure Inter-Domain Routing Working Group of the IETF.

        Title           : Multiple Repository Publication Points support in the Resource Public Key Infrastructure (RPKI)
        Authors         : Roque Gagliano
                          Terry Manderson
                          Carlos Martinez Cagnazzo
	Filename        : draft-ietf-sidr-multiple-publication-points-01.txt
	Pages           : 13
	Date            : 2014-02-14

Abstract:
   The Resource Public Key Infrastructure (RPKI) depends on Relying
   Parties (RP) ability to access its Trust Anchors' certificate
   specified in the different "Trust Anchor Locator (TAL)" files and the
   Repository Objects located at the Certificate Authorities (CA)
   repositories hosted in its respective publication point.  This
   document updates [RFC6490] by allowing multiple URI associated to a
   single public key in a TAL file and introduces the concept of
   multiple repository publication point operators for every CA in the
   RPKI.  This document provides also recommendation for the RP behavior
   when analyzing signed objects that include multiple publications
   points.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-multiple-publication-points/

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-sidr-multiple-publication-points-01

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-multiple-publication-points-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Feb 17 00:44:02 2014
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E88261A0188 for <sidr@ietfa.amsl.com>; Mon, 17 Feb 2014 00:43:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.548] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z9do9-4rOcgE for <sidr@ietfa.amsl.com>; Mon, 17 Feb 2014 00:43:58 -0800 (PST)
Received: from kaka.ripe.net (kaka.ripe.net [IPv6:2001:67c:2e8:11::c100:1347]) by ietfa.amsl.com (Postfix) with ESMTP id 51CC91A00BE for <sidr@ietf.org>; Mon, 17 Feb 2014 00:43:58 -0800 (PST)
Received: from nene.ripe.net ([193.0.23.10]) by kaka.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1WFJng-0001j7-To; Mon, 17 Feb 2014 09:43:53 +0100
Received: from s258-sslvpn-1.ripe.net ([193.0.20.231] helo=vpn-66.ripe.net) by nene.ripe.net with esmtps (TLSv1:AES128-SHA:128) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1WFJng-0002zJ-RF; Mon, 17 Feb 2014 09:43:40 +0100
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_86DE0A5E-7168-4806-9919-CF38A17E147D"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <52FB9098.9000509@bbn.com>
Date: Mon, 17 Feb 2014 09:43:46 +0100
Message-Id: <6ED5D5CB-141F-46A5-949D-B29D64148AFB@ripe.net>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com> <m2ha8a8cb1.wl%randy@psg.com> <1B60AC34-6528-4505-B1C7-D92CA7E128D7@ripe.net> <52FA67FB.9040601@bbn.com> <354F03D4-48DB-4946-BFDF-D20C6737EA1C@ripe.net> <52FB9098.9000509@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.1510)
X-RIPE-Spam-Level: ---
X-RIPE-Spam-Report: Spam Total Points:   -3.5 points pts rule name              description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP -0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000] 0.0 HTML_MESSAGE           BODY: HTML included in message
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07195fd816709995551a9301c5135478b128
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/NPeYa6KvvHr9coD0sRM8-tlvuBM
Cc: sidr@ietf.org
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2014 08:44:00 -0000

--Apple-Mail=_86DE0A5E-7168-4806-9919-CF38A17E147D
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Steve,

On Feb 12, 2014, at 4:17 PM, Stephen Kent <kent@bbn.com> wrote:

> I'm happy to work with you on a new doc that explores added security functions for TALs.

Let's have a chat in London. Carlos may also be interested.

Tim


--Apple-Mail=_86DE0A5E-7168-4806-9919-CF38A17E147D--


From nobody Mon Feb 17 13:16:31 2014
Return-Path: <prvs=712561c82c=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73A411A0406 for <sidr@ietfa.amsl.com>; Mon, 17 Feb 2014 13:16:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level: 
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUfbRCZe5rT0 for <sidr@ietfa.amsl.com>; Mon, 17 Feb 2014 13:16:27 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id E60BB1A03CB for <sidr@ietf.org>; Mon, 17 Feb 2014 13:16:26 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1HL9wrZ018931 for <sidr@ietf.org>; Mon, 17 Feb 2014 15:16:24 -0600
Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1j3mressr8-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <sidr@ietf.org>; Mon, 17 Feb 2014 15:16:23 -0600
Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s1HLGMNs003102 for <sidr@ietf.org>; Mon, 17 Feb 2014 15:16:22 -0600
Received: from tanis.huntsville.ads.sparta.com ([10.62.8.118]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s1HLGHvJ017397 for <sidr@ietf.org>; Mon, 17 Feb 2014 15:16:22 -0600
Received: from HSV-MB001.huntsville.ads.sparta.com ([fe80::292e:cdb7:1aa6:ce74]) by tanis.huntsville.ads.sparta.com ([::1]) with mapi id 14.02.0342.003; Mon, 17 Feb 2014 15:16:17 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: draft IETF89 agenda uploaded
Thread-Index: AQHPLCV/IPJ/3XwDlUSrJxO//K3wYQ==
Date: Mon, 17 Feb 2014 21:16:19 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6940AB651@HSV-MB001.huntsville.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14,  0.0.0000 definitions=2014-02-17_02:2014-02-14,2014-02-17,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=230.336 compositescore=0.0475211685653588 urlsuspect_oldscore=0.475211685653588 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=1 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0475211685653588 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.3 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402170142
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/0blcMi_Rqkd7Gyyutq8tst63gOU
Subject: [sidr] draft IETF89 agenda uploaded
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2014 21:16:29 -0000

I have uploaded a draft agenda from the requests received so far.  It is
copied below.  This is a DRAFT.  Changes are possible.  The final agenda
is not due until 24 Feb.

There is still room on the agenda for topic discussion, if anyone has a
topic to suggest.

If the agenda is wrong (wrong topic, wrong name, missed request,
whatever), please do send a message to the list.

There are some brand new materials on the agenda.  You should take a look
at the drafts.  You might even ask questions now.

--Sandy, speaking as wg co-chair


Secure Inter-Domain Routing WG (sidr)
IETF 89 - London, UK

CHAIR(s): Sandra Murphy Sandra.Murphy at Sparta.com
          Chris Morrow morrowc at ops-netman.net

=====================================================

AGENDA:

TUESDAY, 4 March 2013
0900-1130  Morning Session I  Balmoral

1)  Administrivia & Draft status                                      0900-0915

    Presenter: Chairs

   - Mailing list: http://www.ietf.org/mail-archive/web/sidr/index.html
   - WG Resources: http://tools.ietf.org/wg/sidr/
   - Minute taker?
   - Jabber Scribe?
   - Blue Sheets
   - Agenda Bashing

2)  Revisiting Current RFCs                                           0915-1015

a)  RFC6490bis                                                        0915-0930
    Resource Certificate PKI (RPKI) Trust Anchor Locator
    draft-huston-sidr-rfc6490-bis-01.txt
    http://tools.ietf.org/html/draft-huston-sidr-rfc6490-bis

    Presenter: Geoff Huston

b)  RPKI Validation Reconsidered                                      0930-1000

    draft-huston-rpki-validation-01.txt
    http://tools.ietf.org/html/draft-huston-rpki-validation

    Presenter: Geoff Huston

c)  Fixing a point problem in OID with RFC6485.                       1000-1015
    Clarifying RPKI use of CMS SignerInfo
    draft-michaelson-signerinfo-00.txt
    http://tools.ietf.org/html/draft-michaelson-signerinfo

    Presenter: George Michaelson

3)  New Topics                                                        1015-1045

a)  SLURM                                                             1015-1030
    Simplified Local internet nUmber Resource Management with the RPKI
    draft-dseomn-sidr-slurm-00.txt
    http://tools.ietf.org/html/draft-dseomn-sidr-slurm

    Presenter: David Mandelberg

b)  TAO                                                               1030-1045
    Resource Public Key Infrastructure (RPKI) Resource Transfer Protocol and
                  Transfer Authorization Object (TAO)
    draft-barnes-sidr-tao-00.txt
    http://tools.ietf.org/html/draft-barnes-sidr-tao

    Presenter: TBD

4)  Deployment                                                        1045-1100

a)  Experience/Lessons Learned in Ecuador                             1045-1100
    Implementing RPKI-based origin validation one country at a time.  The
                         Ecuadorian case study.
    draft-fmejia-opsec-origin-a-country-00.txt
    http://tools.ietf.org/html/draft-fmejia-opsec-origin-a-country

    Presenter: TBD

5)  General Discussion                                                1100-1130


From nobody Tue Feb 18 09:00:13 2014
Return-Path: <carlosm3011@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34AE31A0402; Tue, 18 Feb 2014 09:00:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level: 
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FYEOok66Q5JY; Tue, 18 Feb 2014 09:00:07 -0800 (PST)
Received: from mail-lb0-x236.google.com (mail-lb0-x236.google.com [IPv6:2a00:1450:4010:c04::236]) by ietfa.amsl.com (Postfix) with ESMTP id 385451A00B2; Tue, 18 Feb 2014 09:00:05 -0800 (PST)
Received: by mail-lb0-f182.google.com with SMTP id w7so12742773lbi.27 for <multiple recipients>; Tue, 18 Feb 2014 09:00:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=z4mCyz6CBSeF3ekt6ZWkxQOk2gZ+hM6A6OlHjafIKn4=; b=qcvErU4NsEfcK8l2aJ7cpKkTExyG8WWpw6lzFblaxK+rG55VjSwCp3ffKN/5z8RNHf gzD45pwXtDWHpnQRtIbBPlsT7pU1LeqHWGwNZlQkzDUhF1GScn+6VufvSQVQh1RcViw4 3Pt9CTELDgA2MM3GOlwYLo0UsdIWuw/JCBoXlW7WHgWaBBlyb9nYgmS4GtpQM+UTsBeI FVxdxjTXDWoDSaJ+ZTlu3V97xLjxZyb4MyVclYvpf1ruNr/8BK1I/KdKWGAY7P7tFe6q FHiYAH/WiKC2ZZ2oQlMb6RdL4ALsOBFCkqQ2Z2m7l+wEFcJWrP+V/9oNxuQArQaZUcXt rYkQ==
MIME-Version: 1.0
X-Received: by 10.152.5.101 with SMTP id r5mr2137501lar.56.1392742802421; Tue, 18 Feb 2014 09:00:02 -0800 (PST)
Received: by 10.112.172.166 with HTTP; Tue, 18 Feb 2014 09:00:02 -0800 (PST)
In-Reply-To: <20140214212445.20006.86281.idtracker@ietfa.amsl.com>
References: <20140214212445.20006.86281.idtracker@ietfa.amsl.com>
Date: Tue, 18 Feb 2014 13:00:02 -0400
Message-ID: <CA+z-_EVoe0VR2M=ETBZ6t3zO9Xf_KqE6jcvA94NTxLC=4M-TLg@mail.gmail.com>
From: Carlos Martinez-Cagnazzo <carlosm3011@gmail.com>
To: internet-drafts@ietf.org
Content-Type: multipart/alternative; boundary=089e013d12d6007aa204f2b134ee
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/7RKXZLArtGNrqlqOYQ1WHGUDepA
Cc: "sidr@ietf.org" <sidr@ietf.org>, i-d-announce@ietf.org
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-multiple-publication-points-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: carlos@lacnic.net
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 17:00:10 -0000

--089e013d12d6007aa204f2b134ee
Content-Type: text/plain; charset=ISO-8859-1

Folks, this is just a keepalive version as we are discussing ways for moving
forward this idea.


On Fri, Feb 14, 2014 at 5:24 PM, <internet-drafts@ietf.org> wrote:

>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>  This draft is a work item of the Secure Inter-Domain Routing Working
> Group of the IETF.
>
>         Title           : Multiple Repository Publication Points support
> in the Resource Public Key Infrastructure (RPKI)
>         Authors         : Roque Gagliano
>                           Terry Manderson
>                           Carlos Martinez Cagnazzo
>         Filename        :
> draft-ietf-sidr-multiple-publication-points-01.txt
>         Pages           : 13
>         Date            : 2014-02-14
>
> Abstract:
>    The Resource Public Key Infrastructure (RPKI) depends on Relying
>    Parties (RP) ability to access its Trust Anchors' certificate
>    specified in the different "Trust Anchor Locator (TAL)" files and the
>    Repository Objects located at the Certificate Authorities (CA)
>    repositories hosted in its respective publication point.  This
>    document updates [RFC6490] by allowing multiple URI associated to a
>    single public key in a TAL file and introduces the concept of
>    multiple repository publication point operators for every CA in the
>    RPKI.  This document provides also recommendation for the RP behavior
>    when analyzing signed objects that include multiple publications
>    points.
>
>
> The IETF datatracker status page for this draft is:
>
> https://datatracker.ietf.org/doc/draft-ietf-sidr-multiple-publication-points/
>
> There's also a htmlized version available at:
> http://tools.ietf.org/html/draft-ietf-sidr-multiple-publication-points-01
>
> A diff from the previous version is available at:
>
> http://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-multiple-publication-points-01
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>



-- 
--
=========================
Carlos M. Martinez-Cagnazzo
http://cagnazzo.me
=========================


--089e013d12d6007aa204f2b134ee--


From nobody Tue Feb 18 12:58:23 2014
Return-Path: <ebarnes@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B2A01A0081 for <sidr@ietfa.amsl.com>; Tue, 18 Feb 2014 12:58:22 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3M9_mrf7i1j for <sidr@ietfa.amsl.com>; Tue, 18 Feb 2014 12:58:19 -0800 (PST)
Received: from smtp.bbn.com (unknown [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id B7FB91A0221 for <sidr@ietf.org>; Tue, 18 Feb 2014 12:58:19 -0800 (PST)
Received: from trenzalore.bbn.com ([128.89.88.54]:44980) by smtp.bbn.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <ebarnes@bbn.com>) id 1WFrk8-0001Vb-F8 for sidr@ietf.org; Tue, 18 Feb 2014 15:58:16 -0500
Message-ID: <5303C968.9080209@bbn.com>
Date: Tue, 18 Feb 2014 15:58:16 -0500
From: Edric Barnes <ebarnes@bbn.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <20140213195259.26440.59282.idtracker@ietfa.amsl.com>
In-Reply-To: <20140213195259.26440.59282.idtracker@ietfa.amsl.com>
X-Enigmail-Version: 1.5.2
X-Forwarded-Message-Id: <20140213195259.26440.59282.idtracker@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------010702090508090109050702"
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/jAgYqZZnm5tEzY0v3925hyQ36OU
Subject: [sidr] Fwd: New Version Notification for draft-barnes-sidr-tao-00.txt
X-List-Received-Date: Tue, 18 Feb 2014 20:58:22 -0000

This is a multi-part message in MIME format.
--------------010702090508090109050702
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

I created a draft to make Steve Kent's thoughts on automated INR
transfer within the RPKI a reality. It builds on rpki-updown and handles
verifiable transfers of INR between existing CAs. Transfers between
self-signed CAs are not handled, but assuming a unique root, this
protocol should make transfers much easier.

Edric Barnes


-------- Original Message --------
Subject: 	New Version Notification for draft-barnes-sidr-tao-00.txt
Date: 	Thu, 13 Feb 2014 11:52:59 -0800
From: 	internet-drafts@ietf.org
To: 	Edric Barnes <ebarnes@bbn.com>, "Edric Barnes" <ebarnes@bbn.com>



A new version of I-D, draft-barnes-sidr-tao-00.txt
has been successfully submitted by David Mandelberg and posted to the
IETF repository.

Name:		draft-barnes-sidr-tao
Revision:	00
Title:		Resource Public Key Infrastructure (RPKI) Resource Transfer Protocol and Transfer Authorization Object (TAO)
Document date:	2014-02-13
Group:		Individual Submission
Pages:		18
URL:            http://www.ietf.org/internet-drafts/draft-barnes-sidr-tao-00.txt
Status:         https://datatracker.ietf.org/doc/draft-barnes-sidr-tao/
Htmlized:       http://tools.ietf.org/html/draft-barnes-sidr-tao-00


Abstract:
   This document defines an extension to the rpki-updown protocol to
   provide support for transferring Internet Number Resources from one
   INR holder to another.  Such transfers take place external to the
   RPKI, using procedures defined within and between RIRs.  This
   protocol facilitates automation of the maintenance of RPKI data in
   the context of INR transfers.  The protocol supports asynchronous
   transfers of live or unused INRs within an RIR or between RIRs.  The
   scope of this protocol is limited to the transfer of Internet Number
   Resources within the Resource Public Key Infrastructure.  In support
   of this protocol, this document also defines a new signed object type
   for the RPKI repository system, the Transfer Authorization Object
   (TAO).

                                                                                  


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat




--------------010702090508090109050702--


From nobody Fri Feb 21 15:30:33 2014
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C99F91A0272 for <sidr@ietfa.amsl.com>; Fri, 21 Feb 2014 15:30:31 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OvlLwo8lorXu for <sidr@ietfa.amsl.com>; Fri, 21 Feb 2014 15:30:30 -0800 (PST)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by ietfa.amsl.com (Postfix) with ESMTP id A0B751A025C for <sidr@ietf.org>; Fri, 21 Feb 2014 15:30:29 -0800 (PST)
Received: from thrintun.hactrn.net (thrintun.hactrn.net [IPv6:2002:425c:4242:0:219:d1ff:fe12:5d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id 8D2807304D for <sidr@ietf.org>; Fri, 21 Feb 2014 23:30:23 +0000 (UTC)
Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id 4ABC9170A4 for <sidr@ietf.org>; Fri, 21 Feb 2014 18:30:23 -0500 (EST)
Date: Fri, 21 Feb 2014 18:30:23 -0500
From: Rob Austein <sra@hactrn.net>
To: sidr@ietf.org
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/23.4 Mule/6.0 (HANACHIRUSATO)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20140221233023.4ABC9170A4@thrintun.hactrn.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/u-RKTcP9hACwhuAlBCiDEHxah7w
Subject: [sidr] Conflict between rtr-keying, bgpsec-pki-profile, and RFC 6487
X-List-Received-Date: Fri, 21 Feb 2014 23:30:32 -0000

Obscure little conflict that only an implementor would notice: there's
a three-way conflict between the current rtr-keying draft, the current
bgpsec-pki-profile draft, and the base RPKI certificate profile RFC.

The problem is with router-ids and the subject field in the PKCS #10
request.

- draft-ietf-sidr-bgpsec-pki-profiles-06 3.1.1.1 (talking about
  certificates, not certificate requests) says router certificate
  names SHOULD be /commonName=ROUTER-aaaaaaaa/serialNumber=rrrrrrrr,
  where aaaaaaaa is the ASN and rrrrrrrr is the router-id, as 32-bits
  hex in both cases.  OK, fine.

  As far as I can tell, this is the only way in which the router-id is
  encoded anywhere in the certificate.

- draft-ietf-sidr-bgpsec-pki-profiles-06 3.2 says that the certificate
  request profile matches RFC 6487 with a few specific differences,
  none of which have anything to do with subject names.

- draft-ietf-sidr-rtr-keying-04 3.1 says that when a router is
  generating keys, it includes the router-id in the PKCS #10.

  Given that the only place we have to encode the router-id is in the
  subject name (as opposed to, say, a newly-defined X.509v3
  extension), this text would seem to imply that the PKCS #10 includes
  a non-empty Subject field.

- RFC 6487 6.1.1 says that the Subject field of the PKCS #10 MUST be
  absent or empty except when requesting reissuance of an existing key
  and even then only if the CA's CPS allows reusing subject names.

I see no way to reconcile all of this without changing something.

What's an implementor to do?

For the moment, I've gone with rtr-keying and am allowing the subject
name to appear in the PKCS #10.  Not sure this is right, one could
make a case either way.  I can certainly implement it either way, but
it would be nice to settle this so I know which way to go.
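
The conflict described in the message above, as an added example that is not part of the original post and not code from any implementation or draft mentioned on the list: stdlib-only Python that DER-encodes the router subject name, decodes the subject Name taken from a PKCS #10 request, and reports whether it satisfies RFC 6487 6.1.1 and whether it carries a router-id. The function names, the uppercase hex rendering, and the sample values (AS 64496, router-id 192.0.2.1) are assumptions made for illustration.

```python
import re

# X.520 attribute type OIDs, already in DER content form.
OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])    # 2.5.4.3
OID_SERIAL_NUMBER = bytes([0x55, 0x04, 0x05])  # 2.5.4.5


def tlv(tag, content):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("unsupported or truncated length")
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos:pos + n], pos + n


def encode_name(attrs):
    """DER-encode an X.501 Name, one PrintableString attribute per RDN."""
    rdns = b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, value.encode("ascii"))))
        for oid, value in attrs)
    return tlv(0x30, rdns)  # an empty list yields the empty Name 30 00


def decode_name(der):
    """Decode a DER Name into a list of (oid_bytes, text) pairs."""
    tag, seq, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("subject is not a single DER SEQUENCE")
    attrs, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN is not a SET")
        p = 0
        while p < len(rdn):
            tag, atv, p = read_tlv(rdn, p)
            oid_tag, oid, q = read_tlv(atv, 0)
            _str_tag, val, q = read_tlv(atv, q)
            if tag != 0x30 or oid_tag != 0x06 or q != len(atv):
                raise ValueError("malformed AttributeTypeAndValue")
            attrs.append((oid, val.decode("utf-8", "replace")))
    return attrs


def router_subject(asn, router_id):
    """Name form quoted in the message: CN=ROUTER-<asn hex>, serialNumber=<id hex>."""
    for v in (asn, router_id):
        if not 0 <= v <= 0xFFFFFFFF:
            raise ValueError("value must fit in 32 bits")
    # Uppercase hex is an assumption; the message only says "32-bits hex".
    return [(OID_COMMON_NAME, "ROUTER-%08X" % asn),
            (OID_SERIAL_NUMBER, "%08X" % router_id)]


def parse_router_subject(attrs):
    """Return (asn, router_id) if attrs is exactly the router form, else None."""
    if [oid for oid, _ in attrs] != [OID_COMMON_NAME, OID_SERIAL_NUMBER]:
        return None
    cn = re.fullmatch(r"ROUTER-([0-9A-Fa-f]{8})", attrs[0][1])
    sn = re.fullmatch(r"[0-9A-Fa-f]{8}", attrs[1][1])
    if not cn or not sn:
        return None
    return int(cn.group(1), 16), int(sn.group(0), 16)


def check_request_subject(name_der, reissuance=False, cps_allows_reuse=False):
    """Evaluate a PKCS #10 subject (None = absent) under both readings."""
    attrs = [] if name_der is None else decode_name(name_der)
    empty = not attrs
    return {
        "empty": empty,
        # RFC 6487 6.1.1 as summarised in the message above.
        "rfc6487_ok": bool(empty or (reissuance and cps_allows_reuse)),
        # Router-id recoverable from the request, as rtr-keying 3.1 implies.
        "router": parse_router_subject(attrs),
    }


if __name__ == "__main__":
    # Constructed sample: AS 64496, router-id 192.0.2.1.
    sample = encode_name(router_subject(64496, 0xC0000201))
    print(sample.hex())
    print(check_request_subject(sample))
    print(check_request_subject(encode_name([])))
```

A first-time request can satisfy only one of the two columns: the subject that carries the router-id fails the RFC 6487 rule, and the empty subject that passes it carries no router-id.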


From nobody Fri Feb 21 16:32:51 2014
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F4D11A031A; Fri, 21 Feb 2014 16:32:47 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rDNukWMmLgwW; Fri, 21 Feb 2014 16:32:41 -0800 (PST)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2607:f170:8000:1500::d3]) by ietfa.amsl.com (Postfix) with ESMTP id 5BA3B1A01ED; Fri, 21 Feb 2014 16:32:41 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id 60BD17FC3A9; Fri, 21 Feb 2014 16:32:37 -0800 (PST)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
From: rfc-editor@rfc-editor.org
Message-Id: <20140222003237.60BD17FC3A9@rfc-editor.org>
Date: Fri, 21 Feb 2014 16:32:37 -0800 (PST)
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/vFwJSGK9fA3vpcsT632snbuHS_M
Cc: drafts-update-ref@iana.org, sidr@ietf.org, rfc-editor@rfc-editor.org
Subject: [sidr] RFC 7128 on Resource Public Key Infrastructure (RPKI) Router Implementation Report
X-List-Received-Date: Sat, 22 Feb 2014 00:32:47 -0000

A new Request for Comments is now available in online RFC libraries.

        
        RFC 7128

        Title:      Resource Public Key Infrastructure (RPKI) 
                    Router Implementation Report 
        Author:     R. Bush, R. Austein,
                    K. Patel, H. Gredler,
                    M. Waehlisch
        Status:     Informational
        Stream:     IETF
        Date:       February 2014
        Mailbox:    randy@psg.com, 
                    sra@hactrn.net, 
                    keyupate@cisco.com,
                    hannes@juniper.net, 
                    waehlisch@ieee.org
        Pages:      11
        Characters: 19348
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-sidr-rpki-rtr-impl-05.txt

        URL:        http://www.rfc-editor.org/rfc/rfc7128.txt

This document is an implementation report for the Resource Public Key
Infrastructure (RPKI) Router protocol as defined in RFC 6810.  The
authors did not verify the accuracy of the information provided by
respondents.  The respondents are experts with the implementations
they reported on, and their responses are considered authoritative
for the implementations for which their responses represent.  The
respondents were asked to only use the "YES" answer if the feature
had at least been tested in the lab.

This document is a product of the Secure Inter-Domain Routing Working Group of the IETF.


INFORMATIONAL: This memo provides information for the Internet community.
It does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  http://www.ietf.org/mailman/listinfo/ietf-announce
  http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see http://www.rfc-editor.org/search
For downloading RFCs, see http://www.rfc-editor.org/rfc.html

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-editor@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC



From nobody Fri Feb 21 16:33:25 2014
Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5083B1A02FC; Fri, 21 Feb 2014 16:33:15 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gh6rjG3Ukx42; Fri, 21 Feb 2014 16:33:09 -0800 (PST)
Received: from rfc-editor.org (rfc-editor.org [IPv6:2607:f170:8000:1500::d3]) by ietfa.amsl.com (Postfix) with ESMTP id B2DA51A02B5; Fri, 21 Feb 2014 16:32:59 -0800 (PST)
Received: by rfc-editor.org (Postfix, from userid 30) id BAF017FC3B5; Fri, 21 Feb 2014 16:32:55 -0800 (PST)
To: ietf-announce@ietf.org, rfc-dist@rfc-editor.org
From: rfc-editor@rfc-editor.org
Message-Id: <20140222003255.BAF017FC3B5@rfc-editor.org>
Date: Fri, 21 Feb 2014 16:32:55 -0800 (PST)
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/Mue2nVzKxySxcHHc-iR0yQuprMk
Cc: drafts-update-ref@iana.org, sidr@ietf.org, rfc-editor@rfc-editor.org
Subject: [sidr] RFC 7132 on Threat Model for BGP Path Security
X-List-Received-Date: Sat, 22 Feb 2014 00:33:15 -0000

A new Request for Comments is now available in online RFC libraries.

        
        RFC 7132

        Title:      Threat Model for BGP Path 
                    Security 
        Author:     S. Kent, A. Chi
        Status:     Informational
        Stream:     IETF
        Date:       February 2014
        Mailbox:    kent@bbn.com, 
                    achi@cs.unc.edu
        Pages:      20
        Characters: 52539
        Updates/Obsoletes/SeeAlso:   None

        I-D Tag:    draft-ietf-sidr-bgpsec-threats-09.txt

        URL:        http://www.rfc-editor.org/rfc/rfc7132.txt

This document describes a threat model for the context in which
External Border Gateway Protocol (EBGP) path security mechanisms will
be developed.  The threat model includes an analysis of the Resource
Public Key Infrastructure (RPKI) and focuses on the ability of an
Autonomous System (AS) to verify the authenticity of the AS path info
received in a BGP update.  We use the term "PATHSEC" to refer to any
BGP path security technology that makes use of the RPKI.  PATHSEC
will secure BGP, consistent with the inter-AS security focus of the
RPKI.

The document characterizes classes of potential adversaries that are
considered to be threats and examines classes of attacks that might
be launched against PATHSEC.  It does not revisit attacks against
unprotected BGP, as that topic has already been addressed in the
BGP-4 standard.  It concludes with a brief discussion of residual
vulnerabilities.

This document is a product of the Secure Inter-Domain Routing Working Group of the IETF.



The RFC Editor Team
Association Management Solutions, LLC



From nobody Mon Feb 24 08:42:04 2014
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 757031A0211 for <sidr@ietfa.amsl.com>; Mon, 24 Feb 2014 08:42:03 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wwVnqInbTzp7 for <sidr@ietfa.amsl.com>; Mon, 24 Feb 2014 08:42:01 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 8AF541A020C for <sidr@ietf.org>; Mon, 24 Feb 2014 08:42:01 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:38583 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WHybQ-000OH5-LG for sidr@ietf.org; Mon, 24 Feb 2014 11:42:00 -0500
Message-ID: <530B7657.10806@bbn.com>
Date: Mon, 24 Feb 2014 11:41:59 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: sidr@ietf.org
References: <20140221233023.4ABC9170A4@thrintun.hactrn.net>
In-Reply-To: <20140221233023.4ABC9170A4@thrintun.hactrn.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/wyvqiv3EMDg8lhLYwmo62EthhDU
Subject: Re: [sidr] Conflict between rtr-keying, bgpsec-pki-profile, and RFC 6487
X-List-Received-Date: Mon, 24 Feb 2014 16:42:03 -0000

Rob,

Good catch.
> Obscure little conflict that only an implementor would notice: there's
> a three-way conflict between the current rtr-keying draft, the current
> bgpsec-pki-profile draft, and the base RPKI certificate profile RFC.
>
> The problem is with router-ids and the subject field in the PKCS #10
> request.
>
> - draft-ietf-sidr-bgpsec-pki-profiles-06 3.1.1.1 (talking about
>    certificates, not certificate requests) says router certificate
>    names SHOULD be /commonName=ROUTER-aaaaaaaa/serialNumber=rrrrrrrr,
>    where aaaaaaaa is the ASN and rrrrrrrr is the router-id, as 32-bits
>    hex in both cases.  OK, fine.
>
>    As far as I can tell, this is the only way in which the router-id is
>    encoded anywhere in the certificate.
yep.
> - draft-ietf-sidr-bgpsec-pki-profiles-06 3.2 says that the certificate
>    request profile matches RFC 6487 with a few specific differences,
>    none of which have anything to do with subject names.
yep.
> - draft-ietf-sidr-rtr-keying-04 3.1 says that when a router is
>    generating keys, it includes the router-id in the PKCS #10.
this seems to be the place where there is an error, given your
observation re 6487, 6.1.1.
>    Given that the only place we have to encode the router-id is in the
>    subject name (as opposed to, say, a newly-defined X.509v3
>    extension), this text would seem to imply that the PKCS #10 includes
>    a non-empty Subject field.
> - RFC 6487 6.1.1 says that the Subject field of the PKCS #10 MUST be
>    absent or empty except when requesting reissuance of an existing key
>    and even then only if the CA's CPS allows reusing subject names.
>
> I see no way to reconcile all of this without changing something.
a router cert is issued by an ISP to one of its routers. it's not clear to
me that a PKCS #10 request is strictly required for this, as it is a local
process within an AS. But, if one does use PKCS #10 then a CA operating
within an AS context can probably determine the ID of the router making the
request. I suggest this mismatch ought to be addressed in the rtr keying I-D.

Steve


From nobody Wed Feb 26 09:16:34 2014
Return-Path: <prvs=71347f23c5=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4E01A0077 for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 09:16:30 -0800 (PST)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 66S1ZWC-wpwK for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 09:16:27 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id C6F051A0455 for <sidr@ietf.org>; Wed, 26 Feb 2014 09:16:27 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1QHEjh1011785 for <sidr@ietf.org>; Wed, 26 Feb 2014 11:16:26 -0600
Received: from cva-mx004.sparta.com (cva-mx004.sparta.com [157.185.34.2]) by txdal11mx03.parsons.com with ESMTP id 1j9k1y8k0p-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <sidr@ietf.org>; Wed, 26 Feb 2014 11:16:26 -0600
Received: from CVA-MXINT01.ads.sparta.com ([10.62.108.15]) by CVA-MX004.sparta.com (8.14.4/8.14.4) with ESMTP id s1QHGPWo005760 for <sidr@ietf.org>; Wed, 26 Feb 2014 12:16:25 -0500
Received: from HSV-CAS003.huntsville.ads.sparta.com ([10.62.8.138]) by CVA-MXINT01.ads.sparta.com (8.14.4/8.14.4) with ESMTP id s1QHGP4L028642 for <sidr@ietf.org>; Wed, 26 Feb 2014 12:16:25 -0500
Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS003.huntsville.ads.sparta.com ([fe80::a415:ede2:34ef:d13f%11]) with mapi id 14.02.0342.003; Wed, 26 Feb 2014 11:16:24 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: working group adoption poll for draft-huston-sidr-rfc6490-bis
Thread-Index: Ac8kPNS0cSi2HlN8TgGO+LYSQgrBMgO2TX/U
Date: Wed, 26 Feb 2014 17:16:24 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6949DBD45@HSV-MB002.huntsville.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6940A90C5@HSV-MB001.huntsville.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/-cEB6lbCUW7v9HUYwkQ79mkOX-Q
Subject: Re: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis
X-List-Received-Date: Wed, 26 Feb 2014 17:16:30 -0000

There was sufficient support and no objections raised (as well as some energetic activity) to judge the working group as having consensus to adopt this work as a working group work item.

The authors should submit a new draft with a working group file name as soon as possible.

--Sandy, speaking as one of the co-chairs

________________________________________
From: sidr [sidr-bounces@ietf.org] on behalf of Murphy, Sandra [Sandra.Murphy@parsons.com]
Sent: Friday, February 07, 2014 2:47 PM
To: sidr@ietf.org
Subject: [sidr] working group adoption poll for draft-huston-sidr-rfc6490-bis

The authors of "draft-ietf-sidr-multiple-publication-points" proposed a new direction for that draft that included:


- A "6490-bis" document that obsoletes RFC 6490 with the addition of multiple operators in section 3 of the current document.


The wg having consented to that approach, the authors of RFC6490 produced a new draft draft-huston-sidr-rfc6490-bis that would serve as the 6490-bis.

The authors of draft-huston-sidr-rfc6490-bis have requested that the wg adopt this draft as a working group work item.

See http://tools.ietf.org/html/draft-huston-sidr-rfc6490-bis-00, "Resource Certificate PKI (RPKI) Trust Anchor Locator".

Please do respond to the list as to whether you support the wg adopting this as a work item.  Note that you do not need to comment on the content of this draft at this time.  You are asked to indicate if you think that this is work that the wg should be doing and whether this draft is an acceptable starting point.  Adding whether you can/will review or not is useful.

This adoption poll will end on Friday, 21 February, 2014.

--Sandy, speaking as wg co-chair

_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr


From nobody Wed Feb 26 13:16:05 2014
Return-Path: <dmandelb@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77EB91A0292 for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 13:15:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.048
X-Spam-Level: 
X-Spam-Status: No, score=-2.048 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7VjVePv4k5J6 for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 13:15:54 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id F09DF1A02B4 for <sidr@ietf.org>; Wed, 26 Feb 2014 13:15:53 -0800 (PST)
Received: from smp.bbn.com ([192.1.122.26]:17957) by smtp.bbn.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.77 (FreeBSD)) (envelope-from <dmandelb@bbn.com>) id 1WIlpY-0007yB-CZ for sidr@ietf.org; Wed, 26 Feb 2014 16:15:52 -0500
Received: from dhcp192-1-115-216.bbn.com ([192.1.115.216]:52217) by smp.bbn.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.76 (FreeBSD)) (envelope-from <dmandelb@bbn.com>) id 1WIlpY-00020F-8W for sidr@ietf.org; Wed, 26 Feb 2014 16:15:52 -0500
Message-ID: <530E5986.7080009@bbn.com>
Date: Wed, 26 Feb 2014 16:15:50 -0500
From: David Mandelberg <dmandelb@bbn.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: sidr@ietf.org
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Authenticated-User: dmandelb
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/5x8APxx4fhuNUzb_Od8FQrwvxBA
Subject: [sidr] rpstir-0.10 released
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 21:15:57 -0000

Hi all,

We just released version 0.10 of our relying party software, rpstir. The
biggest changes are beta support for both 64-bit mode and Mac OS X. Full
ChangeLog and download link below:

         * Add beta support for running rpstir in 64-bit mode.
         * Add beta support for running rpstir on Mac OS X.
         * Significantly improve performance of incremental updates by adding an
           rsync flag to preserve file modification times.
         * Fix multiple potential SQL-injection bugs.
         * Support newer versions of rsync and automake.
         * Remove support for RPSL due to lack of demand.
         * Update conformance cases (see doc/conformance-cases).
         * The ./configure script no longer prints a misleading error message
           when it's run outside of a git directory.
         * Add tests with AS numbers that don't fit into 16 bits.
         * Reject trust anchor CA certificates that have resources marked
           inherit, as specified in RFC 6490, Section 2.2.
         * Verify that rpstir compiles with clang, and fix all of clang's
           warnings.
         * In the statistics collection mode, add support for incremental updates
           and for running multiple simultaneous statistics collections.
         * Change handling of CRLs that list syntactically invalid serial
           numbers. These CRLs are now accepted, but the certificates with
           syntactically invalid serial numbers are still not accepted.


Download: https://sourceforge.net/projects/rpstir/
Contact: rpstir-support@bbn.com


From nobody Wed Feb 26 15:39:18 2014
Return-Path: <prvs=71347f23c5=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0D8E1A066B for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 15:39:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qeuHPNub-0UG for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 15:39:08 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id AAEE71A01EE for <sidr@ietf.org>; Wed, 26 Feb 2014 15:39:08 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1QNYwIN018806 for <sidr@ietf.org>; Wed, 26 Feb 2014 17:39:07 -0600
Received: from cva-mx004.sparta.com (cva-mx004.sparta.com [157.185.34.2]) by txdal11mx03.parsons.com with ESMTP id 1j9r108jyv-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <sidr@ietf.org>; Wed, 26 Feb 2014 17:39:07 -0600
Received: from CVA-MXINT01.ads.sparta.com ([10.62.108.15]) by CVA-MX004.sparta.com (8.14.4/8.14.4) with ESMTP id s1QNd6Vm007424 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:39:06 -0500
Received: from HSV-CAS003.huntsville.ads.sparta.com ([10.62.8.138]) by CVA-MXINT01.ads.sparta.com (8.14.4/8.14.4) with ESMTP id s1QNd6cm030220 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:39:06 -0500
Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS003.huntsville.ads.sparta.com ([fe80::a415:ede2:34ef:d13f%11]) with mapi id 14.02.0342.003; Wed, 26 Feb 2014 17:39:06 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: jabber scribe; minutes taker; slides from presenters
Thread-Index: Ac8zS9OBK2AN0fOiThSf0Ru4Y6WuLA==
Date: Wed, 26 Feb 2014 23:39:05 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD35A@HSV-MB002.huntsville.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14,  0.0.0000 definitions=2014-02-26_05:2014-02-26,2014-02-26,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=110.568 compositescore=0.0999750412669593 urlsuspect_oldscore=0.999750412669593 suspectscore=0 recipient_domain_to_sender_totalscore=1469 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=7945 rbsscore=0.0999750412669593 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402260136
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/vAcLNNLsmvYFDQezZN5gu_YTwMg
Subject: [sidr] jabber scribe; minutes taker; slides from presenters
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Feb 2014 23:39:13 -0000

It would be most helpful to have the roles of jabber scribe and minutes taker set before the meeting.  If you are willing, please do speak up.

We can't proceed with the discussions and presentations without the jabber scribe and minutes taker identified.  So if you want the meeting to proceed, speak up or urge someone to speak up.

We are meeting first thing Tuesday morning.  Anyone presenting slides should get their slides to the chairs by end of the session time on Monday.  It would be very much appreciated by those who are participating remotely.

(Anyone hoping to be first has already lost - David got his in already.)

--Sandy, speaking as co-chair


From nobody Wed Feb 26 16:00:25 2014
Return-Path: <prvs=7135294e95=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16F191A01B2 for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 16:00:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pzm94chGS72h for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 16:00:15 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 8F7F11A02F9 for <sidr@ietf.org>; Wed, 26 Feb 2014 16:00:15 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1QNxteQ009685 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:00:14 -0600
Received: from cva-mx004.sparta.com (cva-mx004.sparta.com [157.185.34.2]) by txdal11mx03.parsons.com with ESMTP id 1j9r108nbv-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <sidr@ietf.org>; Wed, 26 Feb 2014 18:00:13 -0600
Received: from CVA-MXINT01.ads.sparta.com ([10.62.108.15]) by CVA-MX004.sparta.com (8.14.4/8.14.4) with ESMTP id s1R00D9K007467 for <sidr@ietf.org>; Wed, 26 Feb 2014 19:00:13 -0500
Received: from HSV-CAS004.huntsville.ads.sparta.com ([10.62.8.148]) by CVA-MXINT01.ads.sparta.com (8.14.4/8.14.4) with ESMTP id s1R00DYK030260 for <sidr@ietf.org>; Wed, 26 Feb 2014 19:00:13 -0500
Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS004.huntsville.ads.sparta.com ([fe80::d00f:c039:2622:2252%11]) with mapi id 14.02.0347.000; Wed, 26 Feb 2014 18:00:12 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: agenda revised
Thread-Index: AQHPM07N63Lqm7/K2k2A3QOMJbiN3A==
Date: Thu, 27 Feb 2014 00:00:12 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD372@HSV-MB002.huntsville.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14,  0.0.0000 definitions=2014-02-26_05:2014-02-26,2014-02-26,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=230.336 compositescore=0.0999698076309413 urlsuspect_oldscore=0.999698076309413 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=0.000199001055409376 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0999698076309413 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402260138
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/Oh80nkjclDXthj7ktv5P8JRwLOs
Subject: [sidr] agenda revised
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 00:00:18 -0000

The agenda has been revised.  It is copied below for ease of the reader.

The agenda is now full.  Further additions are possible but not necessarily accepted.

The requests for agenda time have not gone to the list in all cases and not to all chairs in all cases.  So if you made a request, you should check the revised agenda.  It may be that your request was overlooked.

--Sandy


Secure Inter-Domain Routing WG (sidr)
IETF 89 - London, UK

CHAIR(s): Sandra Murphy Sandra.Murphy at Sparta.com
          Chris Morrow morrowc at ops-netman.net

=====================================================

AGENDA:

TUESDAY, 4 March 2014
0900-1130  Morning Session I  Balmoral


1)  Administrivia & Draft status                                      0900-0915

    Presenter: Chairs

   - Mailing list: http://www.ietf.org/mail-archive/web/sidr/index.html
   - WG Resources: http://tools.ietf.org/wg/sidr/
   - Minute taker?
   - Jabber Scribe?
   - Blue Sheets
   - Agenda Bashing

2)  Current Drafts and Revisiting Current RFCs                        0915-1030

a)  RFC6490bis                                                        0915-0930
    Resource Certificate PKI (RPKI) Trust Anchor Locator
    draft-huston-sidr-rfc6490-bis-01.txt
    http://tools.ietf.org/html/draft-huston-sidr-rfc6490-bis

    Presenter: Geoff Huston

b)  Fixing a point problem in OID with RFC6485.                       0930-1000
    Clarifying RPKI use of CMS SignerInfo
    draft-michaelson-signerinfo-01.txt
    http://tools.ietf.org/html/draft-michaelson-signerinfo

    Presenter: George Michaelson

c)  LTA Use Cases                                                     1000-1015
    RPKI Local Trust Anchor Use Cases
    draft-ietf-sidr-lta-use-cases-00.txt
    http://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases

    Presenter: Randy Bush

d)  RPKI Validation Reconsidered                                      1015-1030
    RPKI Validation Reconsidered
    draft-huston-rpki-validation-01.txt
    http://tools.ietf.org/html/draft-huston-rpki-validation

    Presenter: Geoff Huston

3)  New Topics                                                        1030-1100

a)  SLURM                                                             1030-1045
    Simplified Local internet nUmber Resource Management with the RPKI
    draft-dseomn-sidr-slurm-00.txt
    http://tools.ietf.org/html/draft-dseomn-sidr-slurm

    Presenter: David Mandelberg

b)  TAO                                                               1045-1100
    Resource Public Key Infrastructure (RPKI) Resource Transfer Protocol and
                  Transfer Authorization Object (TAO)
    draft-barnes-sidr-tao-00.txt
    http://tools.ietf.org/html/draft-barnes-sidr-tao

    Presenter: TBD

4)  Deployment                                                        1100-1130

a)  RSYNC in RPKI and Repository Structure                            1100-1115

    Presenter: George Michaelson

b)  Experience/Lessons Learned in Ecuador                             1115-1130
    Implementing RPKI-based origin validation one country at a time.  The
                         Ecuadorian case study.
    draft-fmejia-opsec-origin-a-country-00.txt
    http://tools.ietf.org/html/draft-fmejia-opsec-origin-a-country

    Presenter: TBD

5)  General Discussion                                                1130-1130


From nobody Wed Feb 26 16:05:46 2014
Return-Path: <prvs=7135294e95=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8E321A003A for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 16:05:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yOan2TfklSlU for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 16:05:39 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id EA2531A0709 for <sidr@ietf.org>; Wed, 26 Feb 2014 16:05:38 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1R05JvG014814 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:05:37 -0600
Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1j9r108nyd-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <sidr@ietf.org>; Wed, 26 Feb 2014 18:05:37 -0600
Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s1R05Z6C003706 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:05:35 -0600
Received: from HSV-CAS003.huntsville.ads.sparta.com (HSV-CAS003.huntsville.sparta.com [10.62.8.138]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s1R05Usm005334 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:05:30 -0600
Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS003.huntsville.ads.sparta.com ([fe80::a415:ede2:34ef:d13f%11]) with mapi id 14.02.0342.003; Wed, 26 Feb 2014 18:05:27 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: SURFnet analysis of policy
Thread-Index: Ac8zT53sAVAFpFLnRJeJSjxeF3gVLA==
Date: Thu, 27 Feb 2014 00:05:26 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD4DB@HSV-MB002.huntsville.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14,  0.0.0000 definitions=2014-02-26_05:2014-02-26,2014-02-26,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=230.336 compositescore=0.0475211685653588 urlsuspect_oldscore=0.475211685653588 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=1 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0475211685653588 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.3 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402260139
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/M67-Dd3CBawZr2aTD_cJQfGfhQM
Subject: [sidr] SURFnet analysis of policy
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 00:05:40 -0000

Speaking as regular ol' member

SURFnet did an analysis of routing policy and RPKI  https://blog.surfnet.nl/?p=3159 that might be of interest to the wg.

There was a short discussion on the ripe routing mail list http://www.ripe.net/ripe/mail/archives/routing-wg/2014-February/date.html.

--Sandy, speaking as regular ol' member


From nobody Wed Feb 26 16:18:48 2014
Return-Path: <prvs=7135294e95=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A29ED1A06A6 for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 16:18:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NT8uEpAJRQYz for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 16:18:38 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id ADEE61A02CD for <sidr@ietf.org>; Wed, 26 Feb 2014 16:18:38 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1R0GFOv025032 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:18:37 -0600
Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1j9r108qg1-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT) for <sidr@ietf.org>; Wed, 26 Feb 2014 18:18:37 -0600
Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s1R0IakP003743 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:18:36 -0600
Received: from kraven.huntsville.ads.sparta.com (kraven.huntsville.sparta.com [10.62.8.137]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s1R0IaQj005388 for <sidr@ietf.org>; Wed, 26 Feb 2014 18:18:36 -0600
Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by kraven.huntsville.ads.sparta.com ([::1]) with mapi id 14.02.0342.003; Wed, 26 Feb 2014 18:18:36 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: "sidr@ietf.org" <sidr@ietf.org>
Thread-Topic: jabber scribe; minutes taker; slides from presenters
Thread-Index: Ac8zS9OBK2AN0fOiThSf0Ru4Y6WuLAABZMBU
Date: Thu, 27 Feb 2014 00:18:34 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD60A@HSV-MB002.huntsville.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD35A@HSV-MB002.huntsville.ads.sparta.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD35A@HSV-MB002.huntsville.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.33]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14,  0.0.0000 definitions=2014-02-26_05:2014-02-26,2014-02-26,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=230.336 compositescore=0.0475211685653588 urlsuspect_oldscore=0.475211685653588 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=1 recipient_to_sender_totalscore=0 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.0475211685653588 spamscore=0 recipient_to_sender_domain_totalscore=0 urlsuspectscore=0.3 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402260140
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/gevPESjmJz0eLuX-yeg-cPA2xRc
Subject: Re: [sidr] jabber scribe; minutes taker; slides from presenters
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 00:18:41 -0000

And number your slides, too.  Please.

--Sandy, speaking as wg co-chair
________________________________________
From: Murphy, Sandra
Sent: Wednesday, February 26, 2014 6:39 PM
To: sidr@ietf.org
Subject: jabber scribe; minutes taker; slides from presenters

It would be most helpful to have the roles of jabber scribe and minutes taker set before the meeting.  If you are willing, please do speak up.

We can't proceed with the discussions and presentations without the jabber scribe and minutes taker identified.  So if you want the meeting to proceed, speak up or urge someone to speak up.

We are meeting first thing Tuesday morning.  Anyone presenting slides should get their slides to the chairs by end of the session time on Monday.  It would be very much appreciated by those who are participating remotely.

(Anyone hoping to be first has already lost - David got his in already.)

--Sandy, speaking as co-chair


From nobody Wed Feb 26 20:22:48 2014
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 305F81A0380 for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 20:22:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YfhQHfKjULK1 for <sidr@ietfa.amsl.com>; Wed, 26 Feb 2014 20:22:45 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id DA7E71A0246 for <sidr@ietf.org>; Wed, 26 Feb 2014 20:22:44 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from <randy@psg.com>) id 1WIsUb-0000js-D5; Thu, 27 Feb 2014 04:22:42 +0000
Date: Thu, 27 Feb 2014 04:22:43 +0000
Message-ID: <m2y50xi3qk.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Sandra Murphy <Sandra.Murphy@parsons.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD372@HSV-MB002.huntsville.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD372@HSV-MB002.huntsville.ads.sparta.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/RmO9T-2sqNsN_089JPdnLG9l5xI
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] agenda revised
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 04:22:46 -0000

> c)  LTA Use Cases                                                     1000-1015
>     RPKI Local Trust Anchor Use Cases
>     draft-ietf-sidr-lta-use-cases-00.txt
>     http://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases
> 
>     Presenter: Randy Bush

i have no intent to present.  i presume folk are literate.  i am hoping
for constructive discussion and to learn something from others, aside
from an inability to deal with modern argot <g>, before a next draft.

randy


From nobody Thu Feb 27 09:12:58 2014
Return-Path: <prvs=7135294e95=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E5281A03AB for <sidr@ietfa.amsl.com>; Thu, 27 Feb 2014 09:12:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HjJSbtedzHar for <sidr@ietfa.amsl.com>; Thu, 27 Feb 2014 09:12:55 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id DF5E91A0231 for <sidr@ietf.org>; Thu, 27 Feb 2014 09:12:54 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1RHAXAl013736; Thu, 27 Feb 2014 11:12:53 -0600
Received: from cva-mx004.sparta.com (cva-mx004.sparta.com [157.185.34.2]) by txdal11mx03.parsons.com with ESMTP id 1ja8nj8d3s-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Thu, 27 Feb 2014 11:12:52 -0600
Received: from CVA-MXINT01.ads.sparta.com ([10.62.108.15]) by CVA-MX004.sparta.com (8.14.4/8.14.4) with ESMTP id s1RHCqTA009886; Thu, 27 Feb 2014 12:12:52 -0500
Received: from HSV-CAS004.huntsville.ads.sparta.com ([10.62.8.148]) by CVA-MXINT01.ads.sparta.com (8.14.4/8.14.4) with ESMTP id s1RHCqfa032494; Thu, 27 Feb 2014 12:12:52 -0500
Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS004.huntsville.ads.sparta.com ([fe80::d00f:c039:2622:2252%11]) with mapi id 14.02.0347.000; Thu, 27 Feb 2014 11:12:52 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: Randy Bush <randy@psg.com>
Thread-Topic: [sidr] agenda revised
Thread-Index: AQHPM07N63Lqm7/K2k2A3QOMJbiN3JrI5RWAgABye3E=
Date: Thu, 27 Feb 2014 17:12:51 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6949EBCF2@HSV-MB002.huntsville.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD372@HSV-MB002.huntsville.ads.sparta.com>, <m2y50xi3qk.wl%randy@psg.com>
In-Reply-To: <m2y50xi3qk.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.23]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14,  0.0.0000 definitions=2014-02-27_06:2014-02-27,2014-02-27,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=50.2706893527431 compositescore=0.0798738114045844 urlsuspect_oldscore=0.998959739433069 suspectscore=0 recipient_domain_to_sender_totalscore=1469 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=22 recipient_domain_to_sender_domain_totalscore=7945 rbsscore=0.0798738114045844 spamscore=0 recipient_to_sender_domain_totalscore=27 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402270078
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/nUDkhRd3KY737VSQI8gUCubdNu4
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] agenda revised
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 17:12:56 -0000

Will revise to "Speaker".  Unless you'd prefer "Discussion Facilitator" (*) , as modern argot.

--Sandy

(*)  Merriam-Webster says:

Definition of FACILITATOR

one that facilitates; especially :  one that helps to bring about an
outcome (as learning, productivity, or communication) by providing
indirect or unobtrusive assistance, guidance, or supervision <the
workshop's facilitator kept discussion flowing smoothly>

________________________________________
From: Randy Bush [randy@psg.com]
Sent: Wednesday, February 26, 2014 11:22 PM
To: Murphy, Sandra
Cc: sidr wg list
Subject: Re: [sidr] agenda revised

> c)  LTA Use Cases                                                     1000-1015
>     RPKI Local Trust Anchor Use Cases
>     draft-ietf-sidr-lta-use-cases-00.txt
>     http://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases
>
>     Presenter: Randy Bush

i have no intent to present.  i presume folk are literate.  i am hoping
for constructive discussion and to learn something from others, aside
from an inability to deal with modern argot <g>, before a next draft.

randy


From nobody Thu Feb 27 09:16:29 2014
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 006F71A0425 for <sidr@ietfa.amsl.com>; Thu, 27 Feb 2014 09:16:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.447
X-Spam-Level: 
X-Spam-Status: No, score=-2.447 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iEFQMQQKaOQk for <sidr@ietfa.amsl.com>; Thu, 27 Feb 2014 09:16:27 -0800 (PST)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) by ietfa.amsl.com (Postfix) with ESMTP id D5D341A041E for <sidr@ietf.org>; Thu, 27 Feb 2014 09:16:26 -0800 (PST)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com.psg.com) by ran.psg.com with esmtp (Exim 4.76) (envelope-from <randy@psg.com>) id 1WJ4ZL-0002X3-1y; Thu, 27 Feb 2014 17:16:23 +0000
Date: Thu, 27 Feb 2014 17:16:22 +0000
Message-ID: <m2sir4wk61.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Sandy Murphy <sandy@tislabs.com>
In-Reply-To: <24B20D14B2CD29478C8D5D6E9CBB29F6949EBCF2@HSV-MB002.huntsville.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD372@HSV-MB002.huntsville.ads.sparta.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/VhjyKx-BfIGjdqkyiM3haTvyclM
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] agenda revised
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 17:16:28 -0000

> Will revise to "Speaker".  Unless you'd prefer "Discussion
> Facilitator" (*) , as modern argot.

not an omnibudsgeek?


From nobody Thu Feb 27 09:25:26 2014
Return-Path: <prvs=7135294e95=sandra.murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 517D51A0104 for <sidr@ietfa.amsl.com>; Thu, 27 Feb 2014 09:25:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level: 
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CQRKcvkckFwK for <sidr@ietfa.amsl.com>; Thu, 27 Feb 2014 09:25:24 -0800 (PST)
Received: from txdal11mx03.parsons.com (txdal11mx03.parsons.com [206.219.199.111]) by ietfa.amsl.com (Postfix) with ESMTP id 364C81A00FB for <sidr@ietf.org>; Thu, 27 Feb 2014 09:25:24 -0800 (PST)
Received: from pps.filterd (txdal11mx03 [127.0.0.1]) by txdal11mx03.parsons.com (8.14.5/8.14.5) with SMTP id s1RHM2WG026369; Thu, 27 Feb 2014 11:25:21 -0600
Received: from m4.sparta.com (m4.sparta.com [157.185.61.2]) by txdal11mx03.parsons.com with ESMTP id 1ja8nj8gcu-1 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Thu, 27 Feb 2014 11:25:01 -0600
Received: from Beta5.sparta.com ([10.62.8.21]) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id s1RHOim6008838; Thu, 27 Feb 2014 11:24:44 -0600
Received: from HSV-CAS004.huntsville.ads.sparta.com ([10.62.8.148]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id s1RHOiEJ024793; Thu, 27 Feb 2014 11:24:44 -0600
Received: from HSV-MB002.huntsville.ads.sparta.com ([fe80::2521:a783:a30c:d057]) by HSV-CAS004.huntsville.ads.sparta.com ([fe80::d00f:c039:2622:2252%11]) with mapi id 14.02.0347.000; Thu, 27 Feb 2014 11:24:44 -0600
From: "Murphy, Sandra" <Sandra.Murphy@parsons.com>
To: Randy Bush <randy@psg.com>, Sandy Murphy <sandy@tislabs.com>
Thread-Topic: [sidr] agenda revised
Thread-Index: AQHPM07N63Lqm7/K2k2A3QOMJbiN3JrI5RWAgABye3GAAGWtAP//nUD5
Date: Thu, 27 Feb 2014 17:24:43 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F6949EBDB8@HSV-MB002.huntsville.ads.sparta.com>
References: <24B20D14B2CD29478C8D5D6E9CBB29F6949DD372@HSV-MB002.huntsville.ads.sparta.com>, <m2sir4wk61.wl%randy@psg.com>
In-Reply-To: <m2sir4wk61.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [157.185.61.23]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14,  0.0.0000 definitions=2014-02-27_07:2014-02-27,2014-02-27,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 kscore.is_bulkscore=0 kscore.compositescore=0 circleOfTrustscore=59.6438557307059 compositescore=0.00229813596881827 urlsuspect_oldscore=0.195307920112602 suspectscore=0 recipient_domain_to_sender_totalscore=4066 phishscore=0 bulkscore=0 kscore.is_spamscore=0 recipient_to_sender_totalscore=38 recipient_domain_to_sender_domain_totalscore=12528 rbsscore=0.00229813596881827 spamscore=0 recipient_to_sender_domain_totalscore=47 urlsuspectscore=0.1 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1305240000 definitions=main-1402270079
Archived-At: http://mailarchive.ietf.org/arch/msg/sidr/xg-PbpRqoFyP3uSegBe8gfh5qW4
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] agenda revised
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 17:25:25 -0000

>not an omnibudsgeek?

:-)  will revise.

--Sandy

P.S.  Thanks for avoiding the ietf "ombudsman" vs "ombudsperson" etc discussion

