
From nobody Fri Jul  1 04:37:32 2016
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: sidr@ietf.org
Date: Fri, 01 Jul 2016 04:37:31 -0700
Subject: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-05.txt
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/wwtW1kVSO9sd7r_DMr3YtwZZNb4>

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : RPKI Validation Reconsidered
        Authors         : Geoff Huston
                          George Michaelson
                          Carlos M. Martinez
                          Tim Bruijnzeels
                          Andrew Lee Newton
                          Alain Aina
        Filename        : draft-ietf-sidr-rpki-validation-reconsidered-05.txt
        Pages           : 12
        Date            : 2016-07-01

Abstract:
   This document proposes an update to the certificate validation
   procedure specified in RFC 6487 that reduces aspects of operational
   fragility in the management of certificates in the RPKI, while
   retaining essential security features.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-05


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Jul  1 04:51:45 2016
From: Tim Bruijnzeels <tim@ripe.net>
To: Geoff Huston <gih@apnic.net>
Cc: sidr <sidr@ietf.org>
Date: Fri, 1 Jul 2016 13:51:36 +0200
Subject: Re: [sidr] revising Section 7.2 of RFC 6487
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/aipph6Fw5nSBawhx6CyQZqDKHd4>

Hi,

I have just submitted a -05 version of the document.

This version includes:
= minor clarifications and improvements to the English (thanks Steve)
= the text to replace all of RFC6487 section 7.2 suggested by Steve
  including Geoff's comment
= amended to reject over-claiming EE certificates so we only need to
  update 6487

I would like to ask the WG (BGPSec folk in particular) to have a look at
the following text that I included on 'fate-sharing' ROAs and BGPSec
certificates:

Note that ROAs [RFC6482] and BGPSec router (EE) certificates
[I-D.ietf-sidr-bgpsec-pki-profiles] can contain multiple prefixes or
ASNs respectively, and an over-claim of any of these would result in the
ROA or BGPSec EE certificates being considered invalid. However,
operators MAY issue separate ROAs or BGPSec router certificates to avoid
this type of fate sharing.

For ROAs I think this is a feasible option. We can easily modify our
code to issue a separate ROA for each prefix. I don't think this causes
scaling issues. But can the same be said about router certificates? I
guess the use case there is that the same key is used for different
ASNs, right? Can one just issue separate certificates for each ASN?


And one other question to the working group. Is this something we need
to talk about in Berlin again? I ask because we seem to be converging,
and I don't want to claim speaking time if it's not needed.


Thanks,

Tim




> On 29 Jun 2016, at 04:07, Geoff Huston <gih@apnic.net> wrote:
>
> Thanks! I am now very comfortable with your text on this.
>
>   Geoff
>
>> On 29 Jun 2016, at 3:39 AM, Stephen Kent <kent@bbn.com> wrote:
>>
>> Geoff,
>>
>> Thanks for reviewing the text.
>>
>> I modified the text to change "current VRS-IP" to be "... the value
>> of the VRS-IP computed for certificate x-1" as per your suggestion. I
>> also made this change for the corresponding VRS-AS text.
>>
>> I don't think we need to add a note about validation being performed
>> "top down" since bullet B already says: "certificate '1' is a trust
>> anchor"
>>
>> Steve
>>> FWIW, I like this formulation Steve.
>>>
>>> Possibly when you refer to "the current value of the VRS-IP” you
>>> may want to explicitly refer to the VRS-IP of certificate x-1 rather
>>> than “current”.
>>>
>>> I also wonder if it is worth noting that the enumerated steps
>>> outlined here are intended to be performed “top down” - i.e. from a
>>> trust anchor to the certificate to be validated.
>>>
>>> regards,
>>>
>>>  Geoff
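
Added example, not part of the original thread and not text or code from the draft: a simplified Python model of the fate-sharing point raised in the message above, with VRS-IP walked top down from the trust anchor as in the quoted exchange. The prefixes and all function names are constructed for illustration; it assumes a CA certificate's VRS-IP is the intersection of its own resources with the VRS-IP computed for certificate x-1, and that a ROA's EE certificate lists exactly the ROA's prefixes.

```python
from ipaddress import ip_network, collapse_addresses


def normalise(networks):
    """Collapse nested/adjacent prefixes, one address family at a time."""
    networks = list(networks)
    out = []
    for version in (4, 6):
        out.extend(collapse_addresses(n for n in networks if n.version == version))
    return frozenset(out)


def nets(*cidrs):
    """Resource set from CIDR strings (stands in for an RFC 3779 extension)."""
    return normalise(ip_network(c) for c in cidrs)


def covered(prefix, resources):
    """True if prefix lies inside one block of the normalised resource set."""
    return any(prefix.version == r.version and prefix.subnet_of(r) for r in resources)


def intersect(a, b):
    """Intersection of two resource sets; CIDR blocks either nest or are disjoint."""
    out = []
    for x in a:
        for y in b:
            if x.version != y.version:
                continue
            if x.subnet_of(y):
                out.append(x)
            elif y.subnet_of(x):
                out.append(y)
    return normalise(out)


def vrs_ip(ca_chain):
    """Verified resource set, walked top down; ca_chain[0] is the trust anchor."""
    vrs = ca_chain[0]
    for cert_resources in ca_chain[1:]:
        # VRS-IP of certificate x is derived from the VRS-IP computed for x-1.
        vrs = intersect(cert_resources, vrs)
    return vrs


def roa_valid_reconsidered(roa_prefixes, ca_chain):
    """An over-claiming EE certificate is rejected: every prefix must be in VRS-IP."""
    vrs = vrs_ip(ca_chain)
    return all(covered(p, vrs) for p in roa_prefixes)


def roa_valid_rfc6487(roa_prefixes, ca_chain):
    """RFC 6487 rule: every certificate must be encompassed by its issuer."""
    path = list(ca_chain) + [roa_prefixes]
    return all(
        covered(p, issuer) for issuer, subject in zip(path, path[1:]) for p in subject
    )


# Constructed scenario: the parent CA was reissued without 198.51.100.0/24,
# but the child CA certificate has not been reissued yet and still lists it.
TA = nets("192.0.2.0/24", "198.51.100.0/24")
PARENT = nets("192.0.2.0/24")
CHILD = nets("192.0.2.0/24", "198.51.100.0/24")
CHAIN = [TA, PARENT, CHILD]

ROA_COMBINED = nets("192.0.2.0/24", "198.51.100.0/24")  # one ROA, two prefixes
ROA_A = nets("192.0.2.0/24")                            # separate ROAs
ROA_B = nets("198.51.100.0/24")


def demo():
    """Validation outcome for each way of issuing the ROAs under CHAIN."""
    return {
        "combined": roa_valid_reconsidered(ROA_COMBINED, CHAIN),
        "separate_192": roa_valid_reconsidered(ROA_A, CHAIN),
        "separate_198": roa_valid_reconsidered(ROA_B, CHAIN),
        "rfc6487_separate_192": roa_valid_rfc6487(ROA_A, CHAIN),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {'valid' if ok else 'invalid'}")
```

The combined ROA fails as a whole because one of its prefixes is over-claimed, while the separately issued ROA for 192.0.2.0/24 stays valid; under the RFC 6487 rule the over-claiming child CA invalidates that ROA too.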


From nobody Fri Jul  1 07:54:26 2016
From: Stephen Kent <kent@bbn.com>
To: sidr@ietf.org
Date: Fri, 1 Jul 2016 10:54:17 -0400
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/npYOXAQYfSUrHMwoKBxzDFiFaYQ>

Randy,

I presume you are referring to the text that describes ROA competition, 
although you didn't cite specific text in your message (too much typing?).

I'll revise that text to note the case of a resource transfer appears to 
be competition, absent any additional info labeling it as such. That's a 
good reason to adopt the TAO record that we proposed long ago, as part 
of a well-documented description of how to effect transfers. There are 5 
places where the word "competition" appears later in the document. I'll 
review these and see if I think any of them need to be revised in light of
your comment.

Steve


From nobody Fri Jul  1 15:39:31 2016
From: Randy Bush <randy@psg.com>
To: Stephen Kent <kent@bbn.com>
Cc: sidr wg list <sidr@ietf.org>
Date: Sat, 02 Jul 2016 07:39:25 +0900
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/4Uk2CWkU-nqz9WfLuKKwHG4GUXw>

> I'll revise that text to note the case of a resource transfer appears to 
> be competition

it is more than transfer.  it is the very frequent operation of changing
transit providers.  i own P, but do not use bgp.  my parent T0 announces
it for me (roa P-T0).  i change upstream providers to T1.  during the
move there are two roas, the second being P-T1.

this all was very intentionally designed for make before break.
multiple roas with different ASs for the same prefix are normal.  i
found it shocking and disappointing to have the introduction say
otherwise.

randy
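
Added example, not part of the original message: a Python sketch of the make-before-break sequence described above, classifying each announcement of P with the valid / invalid / not-found origin validation states of RFC 6811. The prefix, the AS numbers standing in for T0 and T1, and the function names are constructed for illustration.

```python
from ipaddress import ip_network

P = "203.0.113.0/24"   # constructed prefix standing in for "P"
T0 = 64500             # constructed AS number for the old upstream
T1 = 64501             # constructed AS number for the new upstream
OTHER = 64511          # an unrelated AS, never authorised for P


def roa(prefix, asn, max_len=None):
    """One ROA entry as (network, maxLength, origin AS)."""
    net = ip_network(prefix)
    return (net, net.prefixlen if max_len is None else max_len, asn)


def rov_state(route_prefix, origin_as, roas):
    """Origin validation outcome for one announcement against a ROA set."""
    route = ip_network(route_prefix)
    seen_covering = False
    for net, max_len, asn in roas:
        if net.version != route.version or not route.subnet_of(net):
            continue
        seen_covering = True
        if asn == origin_as and route.prefixlen <= max_len:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No covering ROA: not-found.
    return "invalid" if seen_covering else "not-found"


# Each phase: (label, published ROAs, origin ASes announcing P in that phase).
MAKE_BEFORE_BREAK = [
    ("before move", [roa(P, T0)], [T0]),
    ("during move", [roa(P, T0), roa(P, T1)], [T0, T1]),
    ("after move", [roa(P, T1)], [T1]),
]

# The alternative this design avoids: the ROA is swapped in one step
# while routing still goes through T0.
ROA_SWAPPED_FIRST = [
    ("before move", [roa(P, T0)], [T0]),
    ("roa swapped", [roa(P, T1)], [T0]),
    ("after move", [roa(P, T1)], [T1]),
]


def timeline(phases):
    """List of (phase, origin AS, state) for every announcement in every phase."""
    return [
        (label, origin, rov_state(P, origin, roas))
        for label, roas, origins in phases
        for origin in origins
    ]


def always_valid(phases):
    """True if no announcement is ever anything other than valid."""
    return all(state == "valid" for _, _, state in timeline(phases))


if __name__ == "__main__":
    for name, phases in (("make before break", MAKE_BEFORE_BREAK),
                         ("roa swapped first", ROA_SWAPPED_FIRST)):
        print(name)
        for label, origin, state in timeline(phases):
            print(f"  {label:12} AS{origin}  {state}")
```

Two ROAs for the same prefix with different origin ASes authorise exactly those two origins: an announcement of P from any other AS is still invalid during the overlap.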


From nobody Sat Jul  2 02:45:40 2016
From: Declan Ma <madi@zdns.cn>
To: Tim Bruijnzeels <tim@ripe.net>
Cc: sidr <sidr@ietf.org>
Date: Sat, 2 Jul 2016 17:41:06 +0800
Subject: Re: [sidr] rpki-tree-validation vs. madi-sidr-rp
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/xHmskdKHk6_57RqyWyZJhygKiGY>

Tim,

> On 30 Jun 2016, at 22:46, Tim Bruijnzeels <tim@ripe.net> wrote:
>
> Hi,
>
> The point that I was trying to make, but maybe not clearly, is that
> rpki-tree-validation is indeed intended as an Informational document
> specifically detailing our implementation only, but that the RP
> implementers discussed earlier during WG sessions that we might want to
> create a generalised RP requirement, or even BCP validation document at
> a later stage. So I was just somewhat surprised to see this come up.
>

Sorry that I did not let you know we were doing the RP I-D in advance.


Thank you and Oleg for kicking off the topic on RP implementation by
writing rpki-tree-validation :-)


> That being said, we are all busy, so I have no problem with you taking
> the lead in the effort to document the generalised RP requirements
> instead. Especially as an Informational document referencing the
> authoritative docs - as it seems to do.


Anyway, inputs from RP software implementers are quite important to the
job of laying out the generalized RP requirements.

Steve and I are therefore looking forwards to seeing contributions from
the RP implementers.

Please let us know any improvements that should be made.

Di

>
> Tim
>
>
>> On 30 Jun 2016, at 07:09, Declan Ma <madi@zdns.cn> wrote:
>>
>> Hi, all,
>>
>> Speaking as the co-author of ‘Requirements for Resource Public
>> Key Infrastructure (RPKI) Relying Parties’,
>>
>> In addition to the clarification made by Steve, I would like to
>> deliver a clear message here that this draft is intended to make the RP
>> requirements well framed, which are segmented with orthogonal
>> functionalities in different sections.
>>
>> As such, those ‘functional components’ could be crafted and
>> distributed across the operational timeline of an RP software.
>>
>> We would appreciate your comments on this document.
>>
>> Di
>> ZDNS
>>
>>
>>> On 29 Jun 2016, at 02:19, Stephen Kent <kent@bbn.com> wrote:
>>>
>>> Although I was not present at the BA SIDR meeting, I did participate
>>> remotely for one of the sessions. I recall the discussion of the I-D
>>> that tries to collect all of the RP requirements in one place, with
>>> cites to the sources of these requirements. In part, I recall folks at
>>> the mic arguing that this I-D was redundant relative to the existing WG
>>> document on tree validation. I don't think this is an accurate
>>> comparison of the two docs, although I agree that there is overlap
>>> between them.
>>>
>>> RPKI tree validation describes how the RIPE RP software works. It
>>> includes references to 6 SIDR RFCs to explain why the software performs
>>> certain checks. The RP requirements doc cites 11 SIDR RFCs, plus the
>>> BGPsec (router cert) profile. Thus it appears that the requirements doc
>>> tries to address a wider set of RFCs relevant to RP requirements. More
>>> importantly, the requirements doc is generic, while the tree validation
>>> doc is expressly a description of one RP implementation. Thus it is an
>>> example of how that implementation tries to meet the RP requirements,
>>> not a general characterization of RP requirements.
>>>
>>>
>>> Thus I think it appropriate to proceed with both docs.
>>>
>>> Steve
>>>


From nobody Sat Jul  2 12:02:08 2016
From: Sandra Murphy <sandy@tislabs.com>
To: sidr <sidr@ietf.org>
Cc: Sandra Murphy <sandy@tislabs.com>
Date: Sat, 2 Jul 2016 14:59:06 -0400
Subject: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/CP-JO9E2zIxzalK_ITircBRLMuY>

The authors believe that draft-ietf-sidr-rpki-oob-setup-04 ("An
Out-Of-Band Setup Protocol For RPKI Production Services”) is mature
and ready for a working group last call.

This message starts a two week wglc for
draft-ietf-sidr-rpki-oob-setup-04, which will end 16 Jun 2016.

Please review the draft and send comments and your opinion of whether it
is worthy of publication to the list.  Remember that support for
publication is needed, and comments can improve quality, so lack of
comments is not sufficient.

You can reach the document at
https://tools.ietf.org/html/draft-ietf-sidr-rpki-oob-setup-04 and
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-oob-setup/.

—Sandy, speaking as one of the wg co-chairs



From nobody Sun Jul  3 02:16:37 2016
From: Randy Bush <randy@psg.com>
To: Sandra Murphy <sandy@tislabs.com>
Cc: sidr <sidr@ietf.org>
Date: Sun, 03 Jul 2016 18:16:30 +0900
Subject: Re: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/TONWfgwRNrVWI0wjrHyE5KXejb8>

> The authors believe that draft-ietf-sidr-rpki-oob-setup-04 ("An
> Out-Of-Band Setup Protocol For RPKI Production Services”) is mature
> and ready for a working group last call.

i read it
i use it
ship it


From nobody Tue Jul  5 09:22:54 2016
From: Sandra Murphy <sandy@tislabs.com>
To: Randy Bush <randy@psg.com>
Cc: sidr wg list <sidr@ietf.org>, Sandra Murphy <sandy@tislabs.com>
Date: Tue, 5 Jul 2016 12:19:42 -0400
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/L6HpSt0h3sTucAv136BlBkzEjSw>

--Apple-Mail=_371FBEE0-610A-416A-864B-52CCCF79462F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Speaking as regular ol’ member:

On Jul 1, 2016, at 6:39 PM, Randy Bush <randy@psg.com> wrote:

>> I'll revise that text to note the case of a resource transfer appears to
>> be competition
>
> it is more than transfer.  it is the very frequent operation of changing
> transit providers.  i own P, but do not use bgp.  my parent T0 announces
> it for me (roa P-T0).  i change upstream providers to T1.  during the
> move there are two roas, the second being P-T1.
>
> this all was very intentionally designed for make before break.
> multiple roas with different ASs for the same prefix are normal.  i
> found it shocking and disappointing to have the introduction say
> otherwise.

As an aside, one of my favorite BGP sites is bgp.he.net, which includes
a list of prefixes that are announced by more than one AS
(http://bgp.he.net/report/multi-origin-routes).  Many times it is easy
to see why - the similarity in the AS names makes it quite likely they
“belong” to the same organization.  But there are many times when the
multiple origin ASs have no relationship.

I don’t see that there’s a requirement that a router have only one
certificate, either.  A router that was configured to speak as two
different ASs might have one key certified by both ASs and might have
two different keys, one for each AS.

--Sandy

>
> randy


--Apple-Mail=_371FBEE0-610A-416A-864B-52CCCF79462F--
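
The make-before-break move described in the quoted text above, as an added example that is not part of the thread: route origin validation in the style of RFC 6811, run over the ROA set at each step of a change of upstream. The prefix, AS numbers, step labels and function names are constructed for illustration.

```python
"""Origin validation across a change of upstream provider.

Everything here is constructed sample data: the prefix and AS numbers
come from the documentation ranges and stand in for P, T0 and T1.
"""
import ipaddress
from dataclasses import dataclass

T0 = 64496           # old upstream (constructed)
T1 = 64511           # new upstream (constructed)
P = "192.0.2.0/24"   # the customer's prefix (constructed)


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if its prefix covers the announced route.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # One matching ROA is enough, however many other ROAs cover it.
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"


ROA_P_T0 = Roa(P, 24, T0)
ROA_P_T1 = Roa(P, 24, T1)

# Each step: (label, ROAs published at that moment, AS originating P).
MAKE_BEFORE_BREAK = [
    ("steady state on T0", [ROA_P_T0], T0),
    ("second ROA published", [ROA_P_T0, ROA_P_T1], T0),
    ("announcement moves to T1", [ROA_P_T0, ROA_P_T1], T1),
    ("old ROA withdrawn", [ROA_P_T1], T1),
]

# Contrast: the ROA is swapped in one step while T0 still originates P.
SWAP_IN_ONE_STEP = [
    ("steady state on T0", [ROA_P_T0], T0),
    ("ROA replaced, BGP not yet moved", [ROA_P_T1], T0),
    ("announcement moves to T1", [ROA_P_T1], T1),
]


def timeline(steps):
    """Validation state of the live announcement at each step."""
    return [(label, validate(P, origin, roas)) for label, roas, origin in steps]


if __name__ == "__main__":
    for name, steps in (("make before break", MAKE_BEFORE_BREAK),
                        ("swap in one step", SWAP_IN_ONE_STEP)):
        print(name)
        for label, state in timeline(steps):
            print(f"  {label:32} {state}")
```

With both ROAs published the announcement stays valid whichever upstream originates it; swapping the ROA in a single step leaves a window in which the live announcement validates as invalid.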


From nobody Tue Jul  5 10:45:09 2016
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E6B012B060 for <sidr@ietfa.amsl.com>; Tue,  5 Jul 2016 10:45:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level: 
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id slleMihidFgd for <sidr@ietfa.amsl.com>; Tue,  5 Jul 2016 10:45:06 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC58912D12B for <sidr@ietf.org>; Tue,  5 Jul 2016 10:45:05 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com) by ran.psg.com with esmtp (Exim 4.82) (envelope-from <randy@psg.com>) id 1bKUP9-0003yx-8c; Tue, 05 Jul 2016 17:45:03 +0000
Date: Wed, 06 Jul 2016 02:45:01 +0900
Message-ID: <m2furo6kte.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <F3FB0B9E-A069-4381-9D37-305C4C96A1F8@tislabs.com>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com> <m2wpl6ffdp.wl%randy@psg.com> <8196148a-b98d-c680-c714-55498131e7ce@bbn.com> <m28txldluq.wl%randy@psg.com> <F3FB0B9E-A069-4381-9D37-305C4C96A1F8@tislabs.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/i-vmDz03W0xYMAjiA1vgsk2kPJs>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2016 17:45:07 -0000

> I don’t see that there’s a requirement that a router have only one
> certificate, either.  A router that was configured to speak as two
> different ASs might have one key certified by both ASs and might have
> two different keys, one for each AS.

that this is designed in is not an accident.  we had this discussion,
just as we had the multi-roa discussion; but they are ops complexity, so
easily ignored/forgotten.

randy


From nobody Wed Jul  6 10:39:06 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7499012D0F9 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2016 10:39:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.901
X-Spam-Level: 
X-Spam-Status: No, score=-5.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_HOME=1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id degzWZYjGGQc for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2016 10:39:03 -0700 (PDT)
Received: from dfw-mailout2.raytheon.com (dfw-mailout2.raytheon.com [199.46.199.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F339012D0DB for <sidr@ietf.org>; Wed,  6 Jul 2016 10:39:01 -0700 (PDT)
Received: from tx-mailout1.directory.ray.com (tx-mailout1.directory.ray.com [147.25.138.100]) by dfw-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u66Hd0Dr020516 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 6 Jul 2016 17:39:01 GMT
Received: from smtp.bbn.com ([128.33.1.81]) by tx-mailout1.directory.ray.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u66HcxDq008466 (using TLSv1 with cipher DHE-RSA-AES256-SHA(256 bits) verified NO)
Received: from ssh.bbn.com ([192.1.122.15]:40043 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bKqmp-000L3s-1q; Wed, 06 Jul 2016 13:38:59 -0400
To: Randy Bush <randy@psg.com>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com> <m2wpl6ffdp.wl%randy@psg.com> <8196148a-b98d-c680-c714-55498131e7ce@bbn.com> <m28txldluq.wl%randy@psg.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <6e2eaa6c-8c79-607c-423c-953cf30d1a49@bbn.com>
Date: Wed, 6 Jul 2016 13:39:03 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <m28txldluq.wl%randy@psg.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-07-06_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=2 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607060151
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/3g3YyS38zecUmrYa2CfjQLHX-DM>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 17:39:04 -0000

Randy,

Thanks for providing additional examples to clarify your concerns.

I'll revise the intro text accordingly.

Steve


From nobody Wed Jul  6 10:39:59 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF61712D16F for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2016 10:39:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.921
X-Spam-Level: 
X-Spam-Status: No, score=-5.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_HOME=1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JROJemkjqON for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2016 10:39:56 -0700 (PDT)
Received: from bos-mailout2.raytheon.com (bos-mailout2.raytheon.com [199.46.198.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84CE212D13B for <sidr@ietf.org>; Wed,  6 Jul 2016 10:39:56 -0700 (PDT)
Received: from ma-mailout1.directory.ray.com (ma-mailout1.directory.ray.com [147.25.130.100]) by bos-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u66HdshQ006334 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 6 Jul 2016 17:39:55 GMT
Received: from smtp.bbn.com ([128.33.0.80]) by ma-mailout1.directory.ray.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u66HdrKM017292 (using TLSv1 with cipher DHE-RSA-AES256-SHA(256 bits) verified NO)
Received: from ssh.bbn.com ([192.1.122.15]:48458 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bKqnh-0007lg-2l; Wed, 06 Jul 2016 13:39:53 -0400
To: Sandra Murphy <sandy@tislabs.com>, Randy Bush <randy@psg.com>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com> <m2wpl6ffdp.wl%randy@psg.com> <8196148a-b98d-c680-c714-55498131e7ce@bbn.com> <m28txldluq.wl%randy@psg.com> <F3FB0B9E-A069-4381-9D37-305C4C96A1F8@tislabs.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <aa8b1998-6646-5289-4d3e-c6438f257046@bbn.com>
Date: Wed, 6 Jul 2016 13:39:57 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <F3FB0B9E-A069-4381-9D37-305C4C96A1F8@tislabs.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-07-06_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=2 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607060152
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/XDm7zXa7kSyrfm67zEWKc01n-gA>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 17:39:58 -0000

Sandy,


> I don’t see that there’s a requirement that a router have only one
> certificate, either.  A router that was configured to speak as two
> different ASs might have one key certified by both ASs and might have
> two different keys, one for each AS.

There was no intent to suggest that a router have only one cert. Sorry
for the sloppy wording.

Steve


From nobody Wed Jul  6 10:42:46 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B514212D1B7 for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2016 10:42:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.9
X-Spam-Level: 
X-Spam-Status: No, score=-5.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FSL_HELO_HOME=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TfpRzPWIORBV for <sidr@ietfa.amsl.com>; Wed,  6 Jul 2016 10:42:11 -0700 (PDT)
Received: from dfw-mailout2.raytheon.com (dfw-mailout2.raytheon.com [199.46.199.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F10FD12D0F9 for <sidr@ietf.org>; Wed,  6 Jul 2016 10:42:10 -0700 (PDT)
Received: from tx-mailout1.directory.ray.com (tx-mailout1.directory.ray.com [147.25.138.100]) by dfw-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u66Hg8cj022604 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 6 Jul 2016 17:42:09 GMT
Received: from smtp.bbn.com ([128.33.1.81]) by tx-mailout1.directory.ray.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u66Hg7bY011802 (using TLSv1 with cipher DHE-RSA-AES256-SHA(256 bits) verified NO)
Received: from ssh.bbn.com ([192.1.122.15]:40074 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bKqpq-000L5Y-LQ; Wed, 06 Jul 2016 13:42:06 -0400
To: Randy Bush <randy@psg.com>, Sandra Murphy <sandy@tislabs.com>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com> <m2wpl6ffdp.wl%randy@psg.com> <8196148a-b98d-c680-c714-55498131e7ce@bbn.com> <m28txldluq.wl%randy@psg.com> <F3FB0B9E-A069-4381-9D37-305C4C96A1F8@tislabs.com> <m2furo6kte.wl%randy@psg.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <93749241-0ef4-8328-7393-cffe3a7846c4@bbn.com>
Date: Wed, 6 Jul 2016 13:42:11 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <m2furo6kte.wl%randy@psg.com>
Content-Type: multipart/alternative; boundary="------------CFB01E6D31A752E95A814316"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-07-06_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=2 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607060152
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/zTwh-5-3cp8h3pxC-s2HCeE1Wm0>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2016 17:42:13 -0000

This is a multi-part message in MIME format.
--------------CFB01E6D31A752E95A814316
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Here is the revised text for the relevant part of the intro.

I don't see a need to change the text in the specific attack 
descriptions, given this revised intro text.


   Additionally, when a ROA or router certificate is created that
   "competes" with an existing ROA or router certificate (respectively),
   the creation of the new ROA or router certificate may be adverse.
   (A newer ROA competes with an older ROA if the newer ROA points to a
   different ASN, contains the same or a more specific prefix, and is
   issued by a different CA.  A newer router certificate competes with
   an older router certificate if the newer one contains the same ASN,
   a different public key, and is issued by a different CA.)  Note that
   transferring resources, or changing of upstream providers may yield
   competing ROAs and/or router certificates, under some circumstances.
   Thus not all instances of competition are adverse actions.


Steve

--------------CFB01E6D31A752E95A814316
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <!--[if gte mso 9]><xml>
 <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
  DefSemiHidden="true" DefQFormat="false" DefPriority="99"
  LatentStyleCount="276">
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 5"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 5"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 6"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 6"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
  <w:LsdException Locked="false" Priority="19" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
  <w:LsdException Locked="false" Priority="21" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
  <w:LsdException Locked="false" Priority="31" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
  <w:LsdException Locked="false" Priority="32" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
  <w:LsdException Locked="false" Priority="33" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
  <w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
  <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
 </w:LatentStyles>
</xml><![endif]-->
    <br>
    Steve<br>
  </body>
</html>

--------------CFB01E6D31A752E95A814316--


From nobody Wed Jul  6 11:46:19 2016
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Stephen Kent <kent@bbn.com>, Randy Bush <randy@psg.com>, Sandra Murphy <sandy@tislabs.com>
Thread-Topic: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
Thread-Index: AQHR0xRGPXiPOJv19EuOijpsn+iICqACoTkAgAEJf4CAAIH1gIAF3zwAgAAX14CAAZGKgIAABtgQ
Date: Wed, 6 Jul 2016 18:46:12 +0000
Message-ID: <DM2PR09MB04461EF1F9B3A093E14ADE1C843A0@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com> <m2wpl6ffdp.wl%randy@psg.com> <8196148a-b98d-c680-c714-55498131e7ce@bbn.com> <m28txldluq.wl%randy@psg.com> <F3FB0B9E-A069-4381-9D37-305C4C96A1F8@tislabs.com> <m2furo6kte.wl%randy@psg.com> <93749241-0ef4-8328-7393-cffe3a7846c4@bbn.com>
In-Reply-To: <93749241-0ef4-8328-7393-cffe3a7846c4@bbn.com>
Accept-Language: en-US
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_DM2PR09MB04461EF1F9B3A093E14ADE1C843A0DM2PR09MB0446namp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/KgM-0hn5PHrlNLg5aA-QDIAUapk>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00



From nobody Wed Jul  6 12:27:36 2016
To: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>, Randy Bush <randy@psg.com>, Sandra Murphy <sandy@tislabs.com>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com> <m2wpl6ffdp.wl%randy@psg.com> <8196148a-b98d-c680-c714-55498131e7ce@bbn.com> <m28txldluq.wl%randy@psg.com> <F3FB0B9E-A069-4381-9D37-305C4C96A1F8@tislabs.com> <m2furo6kte.wl%randy@psg.com> <93749241-0ef4-8328-7393-cffe3a7846c4@bbn.com> <DM2PR09MB04461EF1F9B3A093E14ADE1C843A0@DM2PR09MB0446.namprd09.prod.outlook.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <994997cc-5cce-ce0a-196c-73a8a8a86380@bbn.com>
Date: Wed, 6 Jul 2016 15:27:21 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <DM2PR09MB04461EF1F9B3A093E14ADE1C843A0@DM2PR09MB0446.namprd09.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------DF36B6774F5D0AFFCEF367B4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/UWf5bBYp3sVKgAxhRlgB7Zg0B6E>
Cc: sidr wg list <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00

This is a multi-part message in MIME format.
--------------DF36B6774F5D0AFFCEF367B4
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Sriram,

> >A newer ROA competes with an older ROA if the newer ROA points to a
>    different ASN, contains the same or a more specific prefix, and is
>    issued by a different CA.
>
> For DDoS mitigation service, (as an example) a /16 prefix owner may
> create (well in advance) two new ROAs for more specific /17s (covered
> by the /16 prefix).
> The new ROAs would have a different ASN – the ASN of the DDoS
> mitigation service provider.
> The CA remains the same.
> (The prefix owner already has a /16 ROA with its own ASN for its
> normal route announcement.)
> The idea is that in the event of a DDoS attack, the mitigation service
> provider will be able to announce the more specifics immediately and
> attract the attack traffic away from the victim.
>
> Would you consider these two new ROAs as competing ROAs?  Or, is there
> a different name for them?

because the CA is the same for both ROAs, they are not competing, based 
on the revised definition that you cited above.

Steve

--------------DF36B6774F5D0AFFCEF367B4--
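
The revised definition quoted in the message above, applied to the DDoS-mitigation case it discusses, as an added example (not code from the draft or from any participant in the thread). The Roa record, the CA labels, the 10.10.0.0/16 prefixes, the AS numbers and the integer issuance order are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    """Simplified ROA: only the fields the quoted definition refers to."""
    prefix: str   # authorised prefix, e.g. "10.10.0.0/16"
    asn: int      # origin AS the ROA points to
    issuer: str   # label for the issuing CA (hypothetical naming)
    issued: int   # issuance order, larger means newer (constructed)


def same_or_more_specific(newer_prefix: str, older_prefix: str) -> bool:
    """True if newer_prefix equals older_prefix or is covered by it."""
    newer, older = ip_network(newer_prefix), ip_network(older_prefix)
    if newer.version != older.version:
        return False  # an IPv4 prefix never covers an IPv6 prefix
    return newer.subnet_of(older)  # subnet_of() is True for equal networks


def competes(newer: Roa, older: Roa) -> bool:
    """Apply the three conditions of the quoted definition, all required."""
    if newer.issued <= older.issued:
        return False  # the definition only speaks of a newer ROA
    return (
        newer.asn != older.asn
        and same_or_more_specific(newer.prefix, older.prefix)
        and newer.issuer != older.issuer
    )


def find_competing(roas):
    """Return every (newer, older) pair in roas that meets the definition."""
    ordered = sorted(roas, key=lambda r: r.issued)
    return [
        (newer, older)
        for i, older in enumerate(ordered)
        for newer in ordered[i + 1:]
        if competes(newer, older)
    ]


# Constructed sample: the prefix holder's /16 ROA, the two pre-provisioned
# /17 ROAs for a mitigation provider issued by the same CA, and one ROA for
# the upper /17 issued by an unrelated CA.
OWNER = Roa("10.10.0.0/16", 64496, "CA-holder", 1)
DDOS_LOW = Roa("10.10.0.0/17", 64500, "CA-holder", 2)
DDOS_HIGH = Roa("10.10.128.0/17", 64500, "CA-holder", 3)
FOREIGN = Roa("10.10.128.0/17", 64501, "CA-other", 4)
SAMPLE = [OWNER, DDOS_LOW, DDOS_HIGH, FOREIGN]

if __name__ == "__main__":
    for newer, older in find_competing(SAMPLE):
        print(f"{newer.prefix} AS{newer.asn} ({newer.issuer}) competes with "
              f"{older.prefix} AS{older.asn} ({older.issuer})")
```

The two same-CA /17 ROAs are not reported, which matches the answer given in the message; only the ROA issued by the other CA is flagged.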


From nobody Thu Jul  7 08:03:04 2016
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.25.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160707150300.23729.59924.idtracker@ietfa.amsl.com>
Date: Thu, 07 Jul 2016 08:03:00 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/3O6SqNzDdxbVjPnqMxJbErHUW00>
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-delta-protocol-03.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : RPKI Repository Delta Protocol
        Authors         : Tim Bruijnzeels
                          Oleg Muravskiy
                          Bryan Weber
                          Rob Austein
        Filename        : draft-ietf-sidr-delta-protocol-03.txt
        Pages           : 18
        Date            : 2016-07-07

Abstract:
   In the Resource Public Key Infrastructure (RPKI), certificate
   authorities publish certificates, including end entity certificates,
   Certificate Revocation Lists (CRL), and RPKI signed objects to
   repositories.  Relying Parties (RP) retrieve the published
   information from those repositories.  This document specifies a delta
   protocol which provides relying parties with a mechanism to query a
   repository for incremental updates, thus enabling the RP to keep its
   state in sync with the repository.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-delta-protocol/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-delta-protocol-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-delta-protocol-03




From nobody Thu Jul  7 08:05:28 2016
Content-Type: text/plain; charset=windows-1252
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com>
Date: Thu, 7 Jul 2016 11:05:02 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <FCD8B5EF-1B91-4D83-A710-E1C185017D4E@sn3rd.com>
References: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/lpGPXsFuJ2cU_zUJvkH1A-8soKY>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 15:05:26 -0000

I read this document and it looks good to progress.

If you get some other editor comments along the way you might slip in a
reference to s4 of RFC 4648 for Base64, but please don’t stop
progressing this document to wait for this nitty comment.

spt

> On Jul 02, 2016, at 14:59, Sandra Murphy <sandy@tislabs.com> wrote:
>
> The authors believe that draft-ietf-sidr-rpki-oob-setup-04 ("An
> Out-Of-Band Setup Protocol For RPKI Production Services") is mature
> and ready for a working group last call.
>
> This message starts a two week wglc for
> draft-ietf-sidr-rpki-oob-setup-04, which will end 16 Jun 2016.
>
> Please review the draft and send comments and your opinion of whether
> it is worthy of publication to the list.  Remember that support for
> publication is needed, and comments can improve quality, so lack of
> comments is not sufficient.
>
> You can reach the document at
> https://tools.ietf.org/html/draft-ietf-sidr-rpki-oob-setup-04 and
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-oob-setup/.
>
> --Sandy, speaking as one of the wg co-chairs
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr


From nobody Thu Jul  7 08:09:16 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F1BB12D7DA; Thu,  7 Jul 2016 08:09:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.326
X-Spam-Level: 
X-Spam-Status: No, score=-3.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7y8IPBBPmbk; Thu,  7 Jul 2016 08:09:13 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB70512D7C8; Thu,  7 Jul 2016 08:09:12 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by molamola.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bLAvN-0009BY-26; Thu, 07 Jul 2016 17:09:11 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-6.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bLAvM-00070T-RP; Thu, 07 Jul 2016 17:09:08 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <20160707150300.23729.59924.idtracker@ietfa.amsl.com>
Date: Thu, 7 Jul 2016 17:09:08 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <77A206F0-DFF5-4DEF-B338-8A0C5D4C9A64@ripe.net>
References: <20160707150300.23729.59924.idtracker@ietfa.amsl.com>
To: internet-drafts@ietf.org
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719a62c02fad2e8dea7e42b856adac49ede
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Ms9Pl6WkPlFeFicsDMoz3heDYWQ>
Cc: sidr@ietf.org, i-d-announce@ietf.org
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-delta-protocol-03.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2016 15:09:15 -0000

Dear WG,

The biggest change in this version is the addition of a section on HTTPS
(see below).

We can take 15 minutes in Berlin to talk about this specifically, but in
the mind of this author we can put the HTTPS discussions related to this
document to rest with this addition. Obviously, if you feel different,
speak up ;)

Thanks
Tim

--

4.  HTTPS considerations


   It is RECOMMENDED that Relying Parties and Publication Servers follow
   the Best Current Practices outlined in [RFC7525] on the use of HTTP
   over TLS (https).

   Note that a Man-in-the-Middle (MITM) cannot produce validly signed
   RPKI data, but they can perform withhold or replay attacks targeting
   an RP, and keep the RP from learning about changes in the RPKI.
   Because of this RPs SHOULD do TLS certificate and host name
   validation when they fetch from an RRDP Publication Server.

   However, such validation issues are often due to configuration
   errors, or a lack of a common TLS trust anchor.  In these cases it
   would be better that the RP retrieves the signed RPKI data
   regardless, and performs validation on it.

   Therefore RPs SHOULD log any TLS certificate or host name validation
   issues they find, so that an operator can investigate the cause.  But
   the RP SHOULD continue to retrieve the data.  The RP MAY choose to
   log this issue only when fetching the notification update file, but
   not when it subsequently fetches snapshot or delta files from the
   same host.  Furthermore the RP MAY provide a way for operators to
   accept untrusted connections for a given host, after the cause has
   been identified.


> On 07 Jul 2016, at 17:03, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Secure Inter-Domain Routing of the
> IETF.
>
>        Title           : RPKI Repository Delta Protocol
>        Authors         : Tim Bruijnzeels
>                          Oleg Muravskiy
>                          Bryan Weber
>                          Rob Austein
> 	Filename        : draft-ietf-sidr-delta-protocol-03.txt
> 	Pages           : 18
> 	Date            : 2016-07-07
>
> Abstract:
>   In the Resource Public Key Infrastructure (RPKI), certificate
>   authorities publish certificates, including end entity certificates,
>   Certificate Revocation Lists (CRL), and RPKI signed objects to
>   repositories.  Relying Parties (RP) retrieve the published
>   information from those repositories.  This document specifies a delta
>   protocol which provides relying parties with a mechanism to query a
>   repository for incremental updates, thus enabling the RP to keep its
>   state in sync with the repository.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-delta-protocol/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-sidr-delta-protocol-03
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-delta-protocol-03
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
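
Added example, not part of the message above or of the draft: one way a relying party could implement the quoted section 4 policy (validate the TLS certificate and host name, log a failure, retrieve the data anyway, optionally log only on the notification file, and let an operator accept a host). The class, function, logger and host names are hypothetical, this example only handles https URLs, and the offline transport is constructed.

```python
import logging
import ssl
import urllib.error
import urllib.request
from collections import namedtuple
from urllib.parse import urlsplit

log = logging.getLogger("rrdp.fetch")  # hypothetical logger name
FetchResult = namedtuple("FetchResult", "data tls_validated")


def https_get(url, verify=True, timeout=30):
    """Default transport: HTTPS GET, with or without TLS validation."""
    ctx = ssl.create_default_context()  # certificate and host name checks on
    if not verify:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.URLError as exc:
        # urllib wraps TLS failures; surface the validation error itself.
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            raise exc.reason from exc
        raise


class RrdpFetcher:
    """Fetch policy of the quoted section 4 (hypothetical class name)."""

    def __init__(self, transport=https_get, accepted_hosts=()):
        self.transport = transport
        self.accepted_hosts = set(accepted_hosts)  # operator opt-in per host
        self.reported = []                         # (host, url) pairs logged
        self._hosts_with_issue = set()

    def fetch(self, url, is_notification=False):
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("this example only handles https URLs: %r" % url)
        try:
            return FetchResult(self.transport(url, verify=True), True)
        except ssl.SSLCertVerificationError as exc:
            self._report(parts.hostname, url, is_notification, exc)
        # Retrieve regardless; the caller still validates the signed RPKI
        # objects, and tls_validated=False tells it how the data arrived.
        return FetchResult(self.transport(url, verify=False), False)

    def _report(self, host, url, is_notification, exc):
        if host in self.accepted_hosts:
            log.debug("TLS issue on operator-accepted host %s: %s", host, exc)
            return
        if not is_notification and host in self._hosts_with_issue:
            return  # already logged for this host; skip snapshot/delta noise
        self._hosts_with_issue.add(host)
        self.reported.append((host, url))
        log.warning("TLS validation failed for %s (%s): %s; fetching anyway",
                    host, url, exc)


def constructed_transport(url, verify=True):
    """Offline stand-in for https_get (constructed for this example):
    the host rrdp.bad.example always fails TLS validation."""
    if verify and urlsplit(url).hostname == "rrdp.bad.example":
        raise ssl.SSLCertVerificationError("constructed: host name mismatch")
    return b"<constructed/>"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    rp = RrdpFetcher(transport=constructed_transport)
    print(rp.fetch("https://rrdp.bad.example/notification.xml",
                   is_notification=True))
    print(rp.fetch("https://rrdp.bad.example/snapshot.xml"))
    print(rp.reported)
```

The `tls_validated` flag lets monitoring count how often data arrives over an unvalidated connection, which is where a withhold or replay attempt would show up.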


From nobody Fri Jul  8 02:19:48 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietf.org
Delivered-To: sidr@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A7E5C12D115; Fri,  8 Jul 2016 02:19:43 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.25.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160708091943.32156.30842.idtracker@ietfa.amsl.com>
Date: Fri, 08 Jul 2016 02:19:43 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/bpfflYn35c-7wmjAF20ev-jgpzw>
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 09:19:43 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : RPKI Validation Reconsidered
        Authors         : Geoff Huston
                          George Michaelson
                          Carlos M. Martinez
                          Tim Bruijnzeels
                          Andrew Lee Newton
                          Daniel Shaw
	Filename        : draft-ietf-sidr-rpki-validation-reconsidered-06.txt
	Pages           : 12
	Date            : 2016-07-08

Abstract:
   This document proposes an update to the certificate validation
   procedure specified in RFC 6487 that reduces aspects of operational
   fragility in the management of certificates in the RPKI, while
   retaining essential security features.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-06


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Jul  8 02:35:38 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70C5812D56D for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2016 02:35:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level: 
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gcqYXbETlns3 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2016 02:35:34 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84068127071 for <sidr@ietf.org>; Fri,  8 Jul 2016 02:35:34 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bLSC3-000B86-K1 for sidr@ietf.org; Fri, 08 Jul 2016 11:35:33 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-71.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bLSC3-0003sX-EL; Fri, 08 Jul 2016 11:35:31 +0200
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <20160708091943.32156.30842.idtracker@ietfa.amsl.com>
Date: Fri, 8 Jul 2016 11:35:30 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com>
To: sidr <sidr@ietf.org>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07199bdd3b1ea47af2a2fd377fb844a66e73
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/H1UJgfnol77e26ppSCLHbhKhAqY>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 09:35:36 -0000

Dear WG,

After receiving some feedback on the previous version and discussion
with co-authors, this version:
- Does not reject 'over-claiming' EE certificates, but uses VRS-IP/AS
  there as well
- Includes text to update ROA validation (in short requires that all
  prefixes are in VRS-IP of the EE)
- Includes a request to the authors of the bgpsec-rpki-profile document.

The reason why the change that I proposed to reject EE certificates has
been reverted is that:
- This way the validation algorithm is consistent between CA and EE
  certificates
- Even though ROAs still require that *all* prefixes are contained in
  the VRS-IP, there may be other future use cases of EE certificates where
  a VRS-IP/AS that is smaller than the resources contained in the
  extensions.

Stephen Kent commented on -04 of this document saying that it should not
attempt to update the BGPSec Router Certificate I-D because it's not an
RFC, just yet. It's currently in IESG Processing. The current document
therefore has a request and some suggestions to the authors to change the
document (in which case the section can be deleted in the next
(hopefully final) version of this document).

I don't mind either way. Maybe the chairs have an idea about what the
best process is. But in either case we would like to ask the BGPSec
Router Certificate authors to review the included text.


Thanks,

Tim




> On 08 Jul 2016, at 11:19, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Secure Inter-Domain Routing of the
> IETF.
>
>        Title           : RPKI Validation Reconsidered
>        Authors         : Geoff Huston
>                          George Michaelson
>                          Carlos M. Martinez
>                          Tim Bruijnzeels
>                          Andrew Lee Newton
>                          Daniel Shaw
> 	Filename        : draft-ietf-sidr-rpki-validation-reconsidered-06.txt
> 	Pages           : 12
> 	Date            : 2016-07-08
>
> Abstract:
>   This document proposes an update to the certificate validation
>   procedure specified in RFC 6487 that reduces aspects of operational
>   fragility in the management of certificates in the RPKI, while
>   retaining essential security features.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-06
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-validation-reconsidered-06
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>=20
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
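
Added example, not part of the message above or of the draft: a model of the verified-resource-set idea the message refers to, covering VRS-IP only and CIDR prefixes only. It assumes the VRS of a certificate is the intersection of its claimed prefixes with its issuer's VRS, and applies the ROA rule stated in the message (all ROA prefixes must be in the VRS-IP of the EE); function names and the sample chain are constructed.

```python
import ipaddress

INHERIT = "inherit"  # marker: certificate inherits its issuer's resources


def collapse(nets):
    """Merge prefixes into a minimal list of disjoint prefixes, per version."""
    nets = list(nets)
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(
            n for n in nets if n.version == version))
    return out


def covered(prefix, vrs):
    """True if prefix lies entirely inside one prefix of a collapsed set."""
    return any(prefix.version == n.version and prefix.subnet_of(n)
               for n in vrs)


def intersect(claimed, vrs):
    """CIDR prefixes nest or are disjoint, so each pairwise overlap is the
    smaller prefix of the pair."""
    out = []
    for c in claimed:
        for v in vrs:
            if c.version != v.version:
                continue
            if c.subnet_of(v):
                out.append(c)
            elif v.subnet_of(c):
                out.append(v)
    return collapse(out)


def verified_resource_sets(chain):
    """chain: [(name, prefixes or INHERIT), ...] from trust anchor to EE.
    Returns [(name, VRS-IP, over-claimed prefixes), ...]."""
    results, vrs = [], None
    for name, resources in chain:
        over = []
        if resources == INHERIT:
            if vrs is None:
                raise ValueError("trust anchor cannot inherit")
        else:
            claimed = collapse(ipaddress.ip_network(p) for p in resources)
            if vrs is None:
                vrs = claimed                      # trust anchor
            else:
                new_vrs = intersect(claimed, vrs)
                over = [c for c in claimed if not covered(c, new_vrs)]
                vrs = new_vrs
        results.append((name, vrs, over))
    return results


def strict_chain_valid(results):
    """For comparison: treat any over-claim as invalidating the chain."""
    return all(not over for _, _, over in results)


def roa_acceptable(roa_prefixes, ee_vrs):
    """ROA rule from the message: every prefix must be in the EE's VRS-IP."""
    return all(covered(ipaddress.ip_network(p), ee_vrs) for p in roa_prefixes)


# Constructed chain using documentation prefixes; the CA over-claims
# 203.0.113.0/24, which its issuer does not hold.
CHAIN = [
    ("TA", ["192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32"]),
    ("CA", ["192.0.2.0/24", "203.0.113.0/24", "2001:db8::/48"]),
    ("EE", ["192.0.2.0/25", "203.0.113.0/25"]),
]


def demo():
    results = verified_resource_sets(CHAIN)
    ee_vrs = results[-1][1]
    return (strict_chain_valid(results),
            [str(n) for n in ee_vrs],
            roa_acceptable(["192.0.2.0/25"], ee_vrs),
            roa_acceptable(["192.0.2.0/25", "203.0.113.0/25"], ee_vrs))


if __name__ == "__main__":
    print(demo())
```

The over-claimed prefix drops out of the VRS at the CA and never reaches the EE, so a ROA naming it is not accepted while the ROA for the verified prefix still is.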


From nobody Fri Jul  8 06:00:41 2016
Return-Path: <sean@sn3rd.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E35412D68F for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2016 06:00:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-eFKADsmipg for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2016 06:00:37 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD62C12D62F for <sidr@ietf.org>; Fri,  8 Jul 2016 06:00:36 -0700 (PDT)
Received: by mail-qk0-x229.google.com with SMTP id p74so3374167qka.0 for <sidr@ietf.org>; Fri, 08 Jul 2016 06:00:36 -0700 (PDT)
X-Received: by 10.55.4.23 with SMTP id 23mr6940055qke.179.1467982835807; Fri, 08 Jul 2016 06:00:35 -0700 (PDT)
Received: from [172.16.0.112] ([96.231.230.69]) by smtp.gmail.com with ESMTPSA id u1sm2203194qtu.43.2016.07.08.06.00.34 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 08 Jul 2016 06:00:35 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
Date: Fri, 8 Jul 2016 09:00:34 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <793C1123-0398-455C-A316-A2DADB1F400A@sn3rd.com>
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com> <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
To: Tim Bruijnzeels <tim@ripe.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/a_gs_UDmXfdGdOsnLoAd7wzXOo0>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 13:00:39 -0000

> On Jul 08, 2016, at 05:35, Tim Bruijnzeels <tim@ripe.net> wrote:
>
> Stephen Kent commented on -04 of this document saying that it should not
> attempt to update the BGPSec Router Certificate I-D because it's not an
> RFC, just yet. It's currently in IESG Processing. The current document
> therefore has a request and some suggestions to the authors to change the
> document (in which case the section can be deleted in the next
> (hopefully final) version of this document).
>
> I don't mind either way. Maybe the chairs have an idea about what the
> best process is. But in either case we would like to ask the BGPSec
> Router Certificate authors to review the included text.

Tim,

Just so I’m following along:

- This draft replaces the text in RFC 6487 s7.2 so should
rpki-validation-reconsidered draft include the “Updates: 6487
(if approved)” header?  My understanding is that the proposal is
that all RPKI validators follow these new steps so that would make sense
process wise.

- bgpsec-pki-profiles s3.3 currently refers to RFC 6487 s7 for
validation procedures and technically if rpki-validation-reconsidered
updates RFC 6487 when bgpsec-pki-profiles refers to RFC 6487 it includes
those references so I wouldn’t necessarily have to add an
explicit reference to rpki-validation-reconsidered … but people
will forget this and miss the update and I know Wes hates chasing
references ;)  So, to drive this point home we could do the following
tweak in addition to adding your suggested bullet and
separate-certificate per ASN suggestion:

OLD:

  The validation procedure used for BGPsec Router Certificates is
  identical to the validation procedure described in Section 7 of
  [RFC6487], but using the constraints applied come from this
  specification.

NEW:

  The validation procedure used for BGPsec Router Certificates is
  identical to the validation procedure described in Section 7 of
  [ID.sidr-rpki-validation-reconsidered], but using the constraints
  applied come from this specification.

Note I’d probably also add ID.idr-rpki-validation-reconsidered
to the required reading list in the terminology section :/

spt


From nobody Fri Jul  8 06:05:29 2016
Return-Path: <oleg@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FB0F12D6A2 for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2016 06:05:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level: 
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VL8b7Qu5pBIc for <sidr@ietfa.amsl.com>; Fri,  8 Jul 2016 06:05:26 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D14612D18A for <sidr@ietf.org>; Fri,  8 Jul 2016 06:05:21 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <oleg@ripe.net>) id 1bLVT4-000AxL-8o for sidr@ietf.org; Fri, 08 Jul 2016 15:05:19 +0200
Received: from dog.ripe.net ([193.0.1.217] helo=[IPv6:::1]) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <oleg@ripe.net>) id 1bLVT3-00006a-1x; Fri, 08 Jul 2016 15:05:17 +0200
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_21920811-5CA5-48DA-97B7-0B989A1F39D9"; protocol="application/pgp-signature"; micalg=pgp-sha256
X-Pgp-Agent: GPGMail
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com>
Date: Fri, 8 Jul 2016 15:05:15 +0200
Message-Id: <2B0C0282-BA0C-4FF8-8925-1F94E40F48D6@ripe.net>
References: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com>
To: sidr@ietf.org
X-Mailer: Apple Mail (2.2104)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b74c84dd824131bd1eed0dd7282609fc2b1
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/WlkO01ymArcJ6Q9Bmet7QhaLebg>
Subject: Re: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 13:05:28 -0000

--Apple-Mail=_21920811-5CA5-48DA-97B7-0B989A1F39D9
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252


> On 02 Jul 2016, at 20:59, Sandra Murphy <sandy@tislabs.com> wrote:
>
> The authors believe that draft-ietf-sidr-rpki-oob-setup-04 ("An
> Out-Of-Band Setup Protocol For RPKI Production Services") is mature
> and ready for a working group last call.

We use (parts of) it in production.
It works.
So ship it.


Oleg


--Apple-Mail=_21920811-5CA5-48DA-97B7-0B989A1F39D9
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP using GPGMail


--Apple-Mail=_21920811-5CA5-48DA-97B7-0B989A1F39D9--


From nobody Fri Jul  8 15:51:27 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietf.org
Delivered-To: sidr@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 544A112D1D5; Fri,  8 Jul 2016 15:51:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.25.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160708225123.32075.21604.idtracker@ietfa.amsl.com>
Date: Fri, 08 Jul 2016 15:51:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/0B27E7M8ocRWx2m-Wye8mGoz5X8>
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 22:51:23 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : RPKI Certificate Tree Validation by a Relying Party Tool
        Authors         : Oleg Muravskiy
                          Tim Bruijnzeels
	Filename        : draft-ietf-sidr-rpki-tree-validation-01.txt
	Pages           : 12
	Date            : 2016-07-08

Abstract:
   This document describes the approach to validate the content of the
   RPKI certificate tree, as used by the RIPE NCC RPKI Validator.  This
   approach is independent of a particular object retrieval mechanism.
   This allows it to be used with repositories available over the rsync
   protocol, the RPKI Repository Delta Protocol, and repositories that
   use a mix of both.

   This algorithm does not rely on content of repository directories,
   but uses the Authority Key Identifier (AKI) field of a manifest and a
   certificate revocation list (CRL) objects to discover manifest and
   CRL objects issued by a particular Certificate Authority (CA).  It
   further uses the hashes of manifest entries to discover other objects
   issued by the CA.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-tree-validation/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-rpki-tree-validation-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-tree-validation-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Fri Jul  8 16:05:00 2016
Return-Path: <oleg@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DBBA12D8D2; Fri,  8 Jul 2016 16:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.326
X-Spam-Level: 
X-Spam-Status: No, score=-8.326 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F1MJpGOdq27z; Fri,  8 Jul 2016 16:04:57 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 525B712D7EF; Fri,  8 Jul 2016 16:04:57 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by molamola.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <oleg@ripe.net>) id 1bLepK-0001kN-C4; Sat, 09 Jul 2016 01:04:55 +0200
Received: from dog.ripe.net ([193.0.1.217] helo=[IPv6:::1]) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <oleg@ripe.net>) id 1bLepJ-0005Em-4r; Sat, 09 Jul 2016 01:04:53 +0200
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: text/plain; charset=us-ascii
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <20160708225123.32075.21604.idtracker@ietfa.amsl.com>
Date: Sat, 9 Jul 2016 01:04:52 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <100F7109-D601-478A-959D-7260AC21A31A@ripe.net>
References: <20160708225123.32075.21604.idtracker@ietfa.amsl.com>
To: internet-drafts@ietf.org
X-Mailer: Apple Mail (2.2104)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b74edf8ea5ddad4c9bfeb490374f2683c87
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/qGDTH4OH2dThmWjVAjGxLus-Lq8>
Cc: sidr@ietf.org, i-d-announce@ietf.org
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 23:04:59 -0000

This is an update to the draft-ietf-sidr-rpki-tree-validation.

No major changes, mostly clarifications that address comments from Steve
Kent, and additional information as requested at the previous WG
session.  Hope this version is more clear and close to final.


Oleg


> On 09 Jul 2016, at 00:51, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Secure Inter-Domain Routing of the IETF.
>
>        Title           : RPKI Certificate Tree Validation by a Relying Party Tool
>        Authors         : Oleg Muravskiy
>                          Tim Bruijnzeels
> 	Filename        : draft-ietf-sidr-rpki-tree-validation-01.txt
> 	Pages           : 12
> 	Date            : 2016-07-08
>
> Abstract:
>   This document describes the approach to validate the content of the
>   RPKI certificate tree, as used by the RIPE NCC RPKI Validator.  This
>   approach is independent of a particular object retrieval mechanism.
>   This allows it to be used with repositories available over the rsync
>   protocol, the RPKI Repository Delta Protocol, and repositories that
>   use a mix of both.
>
>   This algorithm does not rely on content of repository directories,
>   but uses the Authority Key Identifier (AKI) field of a manifest and a
>   certificate revocation list (CRL) objects to discover manifest and
>   CRL objects issued by a particular Certificate Authority (CA).  It
>   further uses the hashes of manifest entries to discover other objects
>   issued by the CA.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-tree-validation/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-sidr-rpki-tree-validation-01
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-tree-validation-01
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
>


From nobody Sat Jul  9 13:23:27 2016
Return-Path: <kotikalapudi.sriram@nist.gov>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C274E12B065 for <sidr@ietfa.amsl.com>; Sat,  9 Jul 2016 13:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level: 
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nistgov.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EkzysISnceFx for <sidr@ietfa.amsl.com>; Sat,  9 Jul 2016 13:23:23 -0700 (PDT)
Received: from gcc01-CY1-obe.outbound.protection.outlook.com (mail-cy1gcc01on0122.outbound.protection.outlook.com [23.103.200.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B77A126B6D for <sidr@ietf.org>; Sat,  9 Jul 2016 13:23:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=MU9bpy85V2+a663Vf7LBkAQ+RJMydq4SGaZnH5nOZpA=; b=QKhzs4B9bJ9EPbcChDZRV/W8X46tM60kYqiZNczjSilDHasiT12rLG/Yns8vF16DWO5O7niSwbw9jV+JCSbaxWOurz942E/wAuf3vwCFeIpRyNSSIQLyKBhIdbh5gXACSGcNOBMU+PIHjwmm+ALO/3hZVjPX+j1R0/9zPiG0dXo=
Received: from DM2PR09MB0446.namprd09.prod.outlook.com (10.161.252.145) by DM2PR09MB0445.namprd09.prod.outlook.com (10.161.252.144) with Microsoft SMTP Server (TLS) id 15.1.528.16; Sat, 9 Jul 2016 20:23:22 +0000
Received: from DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) by DM2PR09MB0446.namprd09.prod.outlook.com ([10.161.252.145]) with mapi id 15.01.0534.022; Sat, 9 Jul 2016 20:23:22 +0000
From: "Sriram, Kotikalapudi (Fed)" <kotikalapudi.sriram@nist.gov>
To: Sandra Murphy <sandy@tislabs.com>, sidr <sidr@ietf.org>
Thread-Topic: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04
Thread-Index: AQHR1JQ+fed6owkfY0yBIYPWw5Y5qqAQkpvJ
Date: Sat, 9 Jul 2016 20:23:21 +0000
Message-ID: <DM2PR09MB0446A4B41F71EB2E5DA5B766843D0@DM2PR09MB0446.namprd09.prod.outlook.com>
References: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com>
In-Reply-To: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kotikalapudi.sriram@nist.gov; 
x-originating-ip: [129.6.223.163]
received-spf: None (protection.outlook.com: nist.gov does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: nist.gov
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jul 2016 20:23:21.4547 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2ab5d82f-d8fa-4797-a93e-054655c61dec
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR09MB0445
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/QN7M8e80kdaad7_w5c2CnL0uAn8>
Cc: Rob Austein <sra@hactrn.net>
Subject: Re: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 20:23:26 -0000

I have given it a quick read. Reads good.
I support publication.

Nit:
BPKI acronym is used earlier but the expansion (Business 'PKI') is stated
only in Section 2 for the first time.
I think mentioning the expansion on first use of the acronym in the
Introduction would be good
--  you may take care of this nit during the RFC Editor review process.
Thanks.

Sriram
________________________________________
From: sidr <sidr-bounces@ietf.org> on behalf of Sandra Murphy <sandy@tislabs.com>
Sent: Saturday, July 2, 2016 2:59 PM
To: sidr
Cc: Sandra Murphy
Subject: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04

The authors believe that draft-ietf-sidr-rpki-oob-setup-04 ("An Out-Of-Band
Setup Protocol For RPKI Production Services") is mature and ready for a
working group last call.

This message starts a two week wglc for draft-ietf-sidr-rpki-oob-setup-04,
which will end 16 Jun 2016.

Please review the draft and send comments and your opinion of whether it is
worthy of publication to the list.  Remember that support for publication
is needed, and comments can improve quality, so lack of comments is not
sufficient.

You can reach the document at
https://tools.ietf.org/html/draft-ietf-sidr-rpki-oob-setup-04 and
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-oob-setup/.

--Sandy, speaking as one of the wg co-chairs


From nobody Sat Jul  9 15:12:38 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C241D12D108 for <sidr@ietfa.amsl.com>; Sat,  9 Jul 2016 15:12:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.02
X-Spam-Level: 
X-Spam-Status: No, score=-5.02 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bCQKw1_UP_PD for <sidr@ietfa.amsl.com>; Sat,  9 Jul 2016 15:12:35 -0700 (PDT)
Received: from bos-mailout2.raytheon.com (bos-mailout2.raytheon.com [199.46.198.208]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C010312B055 for <sidr@ietf.org>; Sat,  9 Jul 2016 15:12:34 -0700 (PDT)
Received: from ma-mailout1.directory.ray.com (ma-mailout1.directory.ray.com [147.25.130.100]) by bos-mailout2.raytheon.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u69MCWbw000560 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <sidr@ietf.org>; Sat, 9 Jul 2016 22:12:33 GMT
Received: from smtp.bbn.com ([128.33.1.81]) by ma-mailout1.directory.ray.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id u69MCT0s031808 (using TLSv1 with cipher DHE-RSA-AES256-SHA(256 bits) verified NO) sender kent@bbn.com for <sidr@ietf.org>; Sat, 9 Jul 2016 22:12:30 GMT
Received: from dhcp89-089-218.bbn.com ([128.89.89.218]:49335) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bM0U8-000BQX-Kj for sidr@ietf.org; Sat, 09 Jul 2016 18:12:29 -0400
To: sidr@ietf.org
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com> <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
From: Stephen Kent <kent@bbn.com>
Message-ID: <8955af42-c592-20fc-edd4-b06c7b677dda@bbn.com>
Date: Sat, 9 Jul 2016 18:12:28 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
Content-Type: multipart/alternative; boundary="------------C8EDA8143706220C96450FBF"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-07-09_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=13 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607090251
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/wv-niqn3duEYxn8M6G0Tc_a-j20>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jul 2016 22:12:37 -0000

This is a multi-part message in MIME format.
--------------C8EDA8143706220C96450FBF
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Tim,

I have not yet read the -06 version, but I did notice a couple of issues 
in the 7.2 text I provided, most of which you adopted. Specifically, I 
think it useful to refer to 3779 in Section 2 in the 2nd paragraph, and 
at the end:

    These criteria require, in particular, that the Internet Number
    Resources (INRs) of each certificate in the validation path are
    "encompassed" by INRs on the issuing certificate. (This criteria
    is derived from [RFC3779], which defines the certificate extensions
    used to represent INRs.) The first certificate in the path is
    required to be a trust anchor, and its resources are considered
    valid by definition.

    All certificates in this scenario are considered valid (relative to
    [RFC3779]) since the INRs in each certificate are encompassed by
    those of the issuing certificate. ROA1 is valid because the
    specified prefix is encompassed by the embedded EE certificate, as
    required by [RFC6482].

I copied text that was OK when it appeared in 6487, but now needs to 
refer to 6487:

    3. The Version, Issuer, and Subject fields of certificate x satisfy
       the constraints established in Section 4.1-4.7 of [RFC6487].

    4. Certificate x contains all the extensions that MUST be present,
       as defined in Section 4.8 of [RFC6487]. The value(s) for each of
       these extensions MUST satisfy the constraints established for
       each extension in the respective sections. Any extension not
       identified in Section 4.8 MUST NOT appear in certificate x.

Step 6 could be a bit clearer with a minor edit:

    6. If certificate x is an EE certificate, then the INRs of this
       certificate MUST be "encompassed" by the values of VRS-IP and
       VRS-AS computed for certificate x-1.

Also, the loop sentence disappeared, so I added it after the last bullet 
in step 7:

    Otherwise, return to step 1 and continue path validation.



--------------C8EDA8143706220C96450FBF
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Tim,</p>
    <p>I have not yet read the -06 version, but I did notice a couple of
      issues in the 7.2 text I provided, most of which you adopted.
      Specifically, I think it useful to refer to 3779 in Section 2 in
      the 2nd paragraph, and at the end:<br>
    </p>
    <p>
      <!--[if gte mso 9]><xml>
 <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
  DefSemiHidden="true" DefQFormat="false" DefPriority="99"
  LatentStyleCount="276">
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 5"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 6"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 6"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
  <w:LsdException Locked="false" Priority="19" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
  <w:LsdException Locked="false" Priority="21" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
  <w:LsdException Locked="false" Priority="31" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
  <w:LsdException Locked="false" Priority="32" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
  <w:LsdException Locked="false" Priority="33" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
  <w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
  <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
 </w:LatentStyles>
</xml><![endif]-->
    </p>
    <p class="MsoListParagraph">
      <p class="MsoPlainText">These criteria require, in particular, that the Internet Number</p>
      <p class="MsoPlainText">Resources (INRs) of each certificate in the validation path are</p>
      <p class="MsoPlainText">"encompassed" by INRs on the issuing certificate. <font color="#cc0000">(This criteria</font></p>
      <p class="MsoPlainText"><font color="#cc0000">is derived from [RFC3779], which defines the certificate extensions</font></p>
      <p class="MsoPlainText"><font color="#cc0000">used to represent INRs.) </font>The first</p>
      <p class="MsoPlainText">certificate in the path is required to be a trust anchor, and its</p>
      <p class="MsoPlainText">resources are considered valid by definition.</p>
      <!--EndFragment--> <br>
    </p>
    <p class="MsoListParagraph">
      <!--StartFragment-->
      <p class="MsoPlainText">All certificates in this scenario are considered valid <font color="#cc0000">(relative to [RFC3779])</font> since the INRs in each certificate are encompassed by</p>
      <p class="MsoPlainText">those of the issuing certificate. ROA1 is valid because the specified prefix is encompassed by the embedded EE certificate, as required by [RFC6482].</p>
    </p>
    <p class="MsoListParagraph"><br>
    </p>
    <p class="MsoListParagraph"><br>
    </p>
    <p>
      <!--EndFragment-->
    </p>
    <p> I copied text that was OK when it appeared in 6487, but now
      needs to refer to 6487:</p>
    <p>
      <!--[if gte mso 9]><xml>
 <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
  DefSemiHidden="true" DefQFormat="false" DefPriority="99"
  LatentStyleCount="276">
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 2"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 3"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 3"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 4"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 4"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 5"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 5"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 6"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 6"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
  <w:LsdException Locked="false" Priority="19" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
  <w:LsdException Locked="false" Priority="21" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
  <w:LsdException Locked="false" Priority="31" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
  <w:LsdException Locked="false" Priority="32" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
  <w:LsdException Locked="false" Priority="33" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
  <w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
  <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
 </w:LatentStyles>
</xml><![endif]-->
      <p class="MsoPlainText">    3.<span style="mso-spacerun:yes">  </span>The
        Version,
        Issuer, and Subject fields of certificate x satisfy<o:p></o:p></p>
      <p class="MsoPlainText"><span style="mso-spacerun:yes">       </span>the
        constraints established in Section 4.1-4.7 of <font
          color="#cc0000">[RFC6487]</font>.<o:p></o:p></p>
      <p class="MsoPlainText"><o:p> </o:p></p>
      <p class="MsoPlainText"><span style="mso-spacerun:yes">   </span>4.<span
          style="mso-spacerun:yes">  </span>Certificate x contains all
        the extensions
        that MUST be present,<o:p></o:p></p>
      <p class="MsoPlainText"><span style="mso-spacerun:yes">       </span>as
        defined
        in Section 4.8 of <font color="#cc0000">[RFC6487]</font>.<span
          style="mso-spacerun:yes">  </span>The
        value(s)<o:p></o:p></p>
      <p class="MsoPlainText"><span style="mso-spacerun:yes">       </span>for
        each of
        these extensions MUST be satisfy the constraints<o:p></o:p></p>
      <p class="MsoPlainText"><span style="mso-spacerun:yes">       </span>established
        for each extension in the respective sections.<span
          style="mso-spacerun:yes"> 
        </span>Any<o:p></o:p></p>
      <p class="MsoPlainText"><span style="mso-spacerun:yes">       </span>extension
        not identified in Section 4.8 MUST NOT appear in<o:p></o:p></p>
      <p class="MsoPlainText"><span style="mso-spacerun:yes">       </span>certificate
        x.<o:p></o:p></p>
      <p class="MsoPlainText"><o:p> </o:p></p>
      <p class="MsoPlainText"><o:p>Step 6 could be a bit clearer with
          a minor edit:</o:p></p>
      <p class="MsoPlainText"><br>
      </p>
    </p>
    <p class="MsoPlainText">
      <p class="MsoPlainText">6. If certificate x is an EE certificate, then the INRs of this certificate MUST be "encompassed" by the values of VRS-IP and VRS-AS <font color="#cc0000">computed</font> for certificate x-1.</p>
      <p class="MsoPlainText"><br>
      </p>
      <p class="MsoPlainText">also, the loop sentence disappeared, so I
        added it after the last bullet in step 7:</p>
      <p class="MsoPlainText"><br>
      </p>
    </p>
    <p class="MsoPlainText">
      <p class="MsoListParagraph"><font color="#cc0000">Otherwise, return to step 1 and continue path validation.</font></p>
      <o:p></o:p></p>
  </body>
</html>

--------------C8EDA8143706220C96450FBF--


From nobody Sun Jul 10 07:12:55 2016
Return-Path: <madi@zdns.cn>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9808112D0CC for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2016 07:12:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level: 
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-EyI3KNphIv for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2016 07:12:49 -0700 (PDT)
Received: from gw1.turbomail.org (gw1.turbomail.org [159.8.83.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC4C112D0BB for <sidr@ietf.org>; Sun, 10 Jul 2016 07:12:48 -0700 (PDT)
X-TM-DID: 2020b6d4af0409ee41a0a47a5c11a8b8
Content-Type: text/plain; charset=gb2312
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Declan Ma <madi@zdns.cn>
In-Reply-To: <100F7109-D601-478A-959D-7260AC21A31A@ripe.net>
Date: Sun, 10 Jul 2016 22:08:25 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <1CE8D4C6-D1DF-4368-9770-392153076D91@zdns.cn>
References: <20160708225123.32075.21604.idtracker@ietfa.amsl.com> <100F7109-D601-478A-959D-7260AC21A31A@ripe.net>
To: Oleg Muravskiy <oleg@ripe.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/KLOWeC6HuBu1crQlaYZ1G4MrUB8>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Jul 2016 14:12:53 -0000

Oleg,

I think this version is much better.

Yet I still have a question with Section Security Considerations:

"In contrast, objects whose content hash matches the hash listed in
   the manifest, but that are not located in the publication directory
   listed in their CA certificate, will be used in the validation
   process (although a warning will be issued in that case).”

Given these sorts of objects have been found somehow, in a different
repository as described in Section 3.2.2. Manifest entries validation,
your RP will accept them anyway, using them in validation.

What if this manifest is a stale one when the latest MFT has been
deleted maliciously or inadvertently?

A ROA found in a different repository may have been removed by the
administrator and an attacker just replaces this ROA into that
‘different repository’ with poor management.

There could be many risks here. I wonder why you take this approach.

Di



> On 9 Jul 2016, at 07:04, Oleg Muravskiy <oleg@ripe.net> wrote:
>
> This is an update to the draft-ietf-sidr-rpki-tree-validation.
>
> No major changes, mostly clarifications that address comments from
> Steve Kent, and additional information as requested at the previous WG
> session.  Hope this version is more clear and close to final.
>
>
> Oleg
>
>
>> On 09 Jul 2016, at 00:51, internet-drafts@ietf.org wrote:
>>
>>
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Secure Inter-Domain Routing of the IETF.
>>
>>       Title           : RPKI Certificate Tree Validation by a Relying Party Tool
>>       Authors         : Oleg Muravskiy
>>                         Tim Bruijnzeels
>> 	Filename        : draft-ietf-sidr-rpki-tree-validation-01.txt
>> 	Pages           : 12
>> 	Date            : 2016-07-08
>>
>> Abstract:
>>  This document describes the approach to validate the content of the
>>  RPKI certificate tree, as used by the RIPE NCC RPKI Validator.  This
>>  approach is independent of a particular object retrieval mechanism.
>>  This allows it to be used with repositories available over the rsync
>>  protocol, the RPKI Repository Delta Protocol, and repositories that
>>  use a mix of both.
>>
>>  This algorithm does not rely on content of repository directories,
>>  but uses the Authority Key Identifier (AKI) field of a manifest and a
>>  certificate revocation list (CRL) objects to discover manifest and
>>  CRL objects issued by a particular Certificate Authority (CA).  It
>>  further uses the hashes of manifest entries to discover other objects
>>  issued by the CA.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-tree-validation/
>>
>> There's also a htmlized version available at:
>> https://tools.ietf.org/html/draft-ietf-sidr-rpki-tree-validation-01
>>
>> A diff from the previous version is available at:
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-tree-validation-01
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> Internet-Drafts are also available by anonymous FTP at:
>> ftp://ftp.ietf.org/internet-drafts/
>>


From nobody Sun Jul 10 20:33:22 2016
Return-Path: <fuyu@cnnic.cn>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C6CC12B029 for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2016 20:33:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BuQtVlerOal3 for <sidr@ietfa.amsl.com>; Sun, 10 Jul 2016 20:33:18 -0700 (PDT)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id 7BFF8128B44 for <sidr@ietf.org>; Sun, 10 Jul 2016 20:33:15 -0700 (PDT)
Received: from LIUXD (unknown [218.241.103.139]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0AZIU18E4NXzwcDCg--.39126S3;  Mon, 11 Jul 2016 11:33:16 +0800 (CST)
From: "Yu Fu" <fuyu@cnnic.cn>
To: "'Sandra Murphy'" <sandy@tislabs.com>, "'sidr'" <sidr@ietf.org>
Date: Mon, 11 Jul 2016 11:33:20 +0800
Message-ID: <00d201d1db24$f89428e0$e9bc7aa0$@cn>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00D3_01D1DB68.06B768E0"
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdHbJPg32az47ZYCQxufwCt7KHEA5A==
Content-Language: zh-cn
X-CM-TRANSID: AQAAf0AZIU18E4NXzwcDCg--.39126S3
X-CM-SenderInfo: pix13q5fqqxugofq/
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/2t_X2tvuI1nsW15Zb5W2MJ5R5XU>
Subject: Re: [sidr] agenda requests for the Berlin IETF 96 meeting
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 03:33:21 -0000

This is a multi-part message in MIME format.

------=_NextPart_000_00D3_01D1DB68.06B768E0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hi chairs and all,

We'd like to request a time slot of 10 minutes to discuss a topic of ROA
mergence as described in draft-yan-sidr-roa-mergence-00.

https://tools.ietf.org/html/draft-yan-sidr-roa-mergence-00

During the process of ROA issuance, the address space holder needs to
specify an origin AS for a list of IP prefixes.  Besides, the address
space holder has a free choice to put multiple prefixes into a single
ROA or issue separate ROAs for each prefix based on the current
specification.  This draft analyzes and presents some operational
problems which may be caused by the misconfigurations of ROAs
containing multiple IP prefixes. We would like to have a discussion
in the WG for the suggestions and considerations in this topic.

Also, we have made an update for the draft-lee-sidr-rpki-deployment-02
<https://datatracker.ietf.org/doc/draft-lee-sidr-rpki-deployment/> based on
the comments and feedback after my presentation at the IETF 95 meeting.

We'd like to request a time slot of 5 minutes to share the update.

Comments and suggestions are appreciated.

Thanks

Yu


-----Original Message-----
From: sidr-bounces@ietf.org [mailto:sidr-bounces@ietf.org] On Behalf Of
Sandra Murphy
Sent: Friday, July 01, 2016 5:06 AM
To: sidr
Cc: Sandra Murphy
Subject: [sidr] agenda requests for the Berlin IETF 96 meeting

Anyone who wishes to discuss a topic at the IETF meeting, please send a
message to the list and chairs.

-Sandy, speaking as one of the wg co-chairs


-------------------------------------------
Yu Fu
fuyu@cnnic.cn


------=_NextPart_000_00D3_01D1DB68.06B768E0--



From nobody Mon Jul 11 01:36:42 2016
Return-Path: <oleg@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 123B412B040 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2016 01:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Level: 
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pBWz3hWGIs1R for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2016 01:36:39 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB6D8128874 for <sidr@ietf.org>; Mon, 11 Jul 2016 01:36:38 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by molamola.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <oleg@ripe.net>) id 1bMWhd-00085S-4d; Mon, 11 Jul 2016 10:36:34 +0200
Received: from dog.ripe.net ([193.0.1.217] helo=[IPv6:::1]) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <oleg@ripe.net>) id 1bMWhb-0004qx-UH; Mon, 11 Jul 2016 10:36:31 +0200
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: text/plain; charset=utf-8
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <1CE8D4C6-D1DF-4368-9770-392153076D91@zdns.cn>
Date: Mon, 11 Jul 2016 10:36:31 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C1C22A63-066E-4232-B10B-D8827B9B4715@ripe.net>
References: <20160708225123.32075.21604.idtracker@ietfa.amsl.com> <100F7109-D601-478A-959D-7260AC21A31A@ripe.net> <1CE8D4C6-D1DF-4368-9770-392153076D91@zdns.cn>
To: Declan Ma <madi@zdns.cn>
X-Mailer: Apple Mail (2.2104)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points:   -8.8 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.0 BAYES_20               BODY: Bayes spam probability is 5 to 20% [score: 0.0548]
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b743b8fcd24688ea844e1036ee5a6812a67
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/8-E5ZtpIAXx1IjPldyFjsE7b7OA>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 08:36:41 -0000

Di,

> On 10 Jul 2016, at 16:08, Declan Ma <madi@zdns.cn> wrote:
>
> Oleg,
>
> I think this version is much better.
>
> Yet I still have a question with Section Security Considerations:
>
> "In contrast, objects whose content hash matches the hash listed in
>   the manifest, but that are not located in the publication directory
>   listed in their CA certificate, will be used in the validation
>   process (although a warning will be issued in that case).”
>
> Given these sorts of objects have been found somehow, in a different
> repository as described in Section 3.2.2. Manifest entries validation,
> your RP will accept them anyway, using them in validation.
>
> What if this manifest is a stale one when the latest MFT has been
> deleted maliciously or inadvertently?
>
> A ROA found in a different repository may have been removed by the
> administrator and an attacker just replaces this ROA into that
> ‘different repository’ with poor management.
>
> There could be many risks here. I wonder why you take this approach.
>
> Di

Let's look at this case in more detail.

What you describe is that there used to be a valid ROA properly
described by a manifest with number X. Then the change happened and in
the manifest version X+1 that ROA is not listed anymore, and a new CRL
that revokes that ROA is listed. The ROA file is also removed from the
repository directory, and new CRL and manifest files replaced their
previous versions.

Now, the RP does a new fetch of the repository content, and somehow gets
the old version of the manifest, but the new content of directory, so:

- with rsync repository, the rsync stream needs to be tampered with, so
that the new manifest is replaced by the old one, but the rest of the
stream remains the same;

- with RRDP repository, the content of a snapshot or a delta needs to be
tampered with, so that it does not contain a replacement for the manifest.

In this situation the validator on the RP side could detect a mismatch,
but it needs to decide whom to trust more: the RPKI-signed content of
the manifest, or not RPKI-signed (and in case of rsync, not signed at
all) content of an RRDP snapshot/delta or an rsync directory.

If we would choose to trust the rsync or RRDP content, then an attacker
could easily remove a valid ROA (or certificate) from the stream, which
probably is the simplest sort of attack the MITM could implement in case
of RPKI.

So we chose to trust the RPKI-signed content.


Oleg

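The choice discussed in the exchange above (resolve objects by the hashes in the RPKI-signed manifest rather than by what the unsigned transport delivered), as an added example that is not part of the thread, the draft, or the RIPE NCC RPKI Validator's code. It assumes the manifest's signature, validity period and CRL checks have already been done elsewhere; the class and function names, URIs and object bytes are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredObject:
    uri: str        # location the RP retrieved the object from
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ObjectStore:
    """Everything the RP has retrieved (rsync or RRDP), indexed by content hash."""

    def __init__(self) -> None:
        self._by_hash: dict[str, list[StoredObject]] = {}

    def add(self, uri: str, content: bytes) -> None:
        self._by_hash.setdefault(sha256_hex(content), []).append(
            StoredObject(uri, content))

    def find(self, digest: str) -> list[StoredObject]:
        return self._by_hash.get(digest, [])

    def names_under(self, directory: str) -> list[str]:
        """File names a directory-trusting RP would see for this CA."""
        return sorted(o.uri[len(directory):]
                      for objs in self._by_hash.values() for o in objs
                      if o.uri.startswith(directory))


def resolve_manifest(entries, publication_dir, store):
    """Resolve manifest entries ({file name: sha256 hex}) against the store.

    Returns (accepted, warnings, missing):
      accepted: {file name: URI of the object that matched by hash}
      warnings: hash matched, but the object is outside publication_dir
      missing:  listed in the signed manifest, but no object has that hash
    """
    accepted, warnings, missing = {}, [], []
    for name, digest in sorted(entries.items()):
        candidates = store.find(digest)
        if not candidates:
            # The signed manifest says this object exists; the unsigned
            # stream did not deliver it. The RP can report this.
            missing.append(name)
            continue
        expected = publication_dir + name
        chosen = next((o for o in candidates if o.uri == expected), None)
        if chosen is None:
            # Hash match from another location: used, with a warning.
            chosen = candidates[0]
            warnings.append(
                f"{name}: hash matches, but object is at {chosen.uri}, "
                f"not {expected}")
        accepted[name] = chosen.uri
    return accepted, warnings, missing


def demo():
    pub = "rsync://rpki.example.net/repo/ca1/"          # constructed URI
    crl = b"constructed CRL bytes"
    roa_a = b"constructed ROA A bytes"
    roa_b = b"constructed ROA B bytes"
    entries = {"ca1.crl": sha256_hex(crl),
               "a.roa": sha256_hex(roa_a),
               "b.roa": sha256_hex(roa_b)}

    store = ObjectStore()
    store.add(pub + "ca1.crl", crl)
    # a.roa was dropped from the transport stream and never reached the RP.
    # b.roa with the listed hash exists only in a different repository ...
    store.add("rsync://other.example.org/repo/x/b.roa", roa_b)
    # ... while the file named b.roa in the CA's directory has other bytes.
    store.add(pub + "b.roa", b"bytes that do not match the manifest hash")

    accepted, warnings, missing = resolve_manifest(entries, pub, store)
    return accepted, warnings, missing, store.names_under(pub)


if __name__ == "__main__":
    accepted, warnings, missing, listing = demo()
    print("accepted:", accepted)
    print("warnings:", warnings)
    print("missing :", missing)
    print("directory listing alone would show:", listing)
```

The directory listing on its own shows `b.roa` and `ca1.crl` and gives no sign that `a.roa` ever existed, while the manifest-driven pass reports it missing and ignores the mismatching `b.roa` bytes. The accept-with-warning branch is the behaviour questioned in the thread when the manifest itself is stale.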


From nobody Mon Jul 11 06:15:52 2016
Return-Path: <carlosm3011@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0DD312D0B9 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2016 06:15:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level: 
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nrrFN5gX35Vk for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2016 06:15:49 -0700 (PDT)
Received: from mail-vk0-x232.google.com (mail-vk0-x232.google.com [IPv6:2607:f8b0:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF5C912B037 for <sidr@ietf.org>; Mon, 11 Jul 2016 06:15:48 -0700 (PDT)
Received: by mail-vk0-x232.google.com with SMTP id f7so122481196vkb.3 for <sidr@ietf.org>; Mon, 11 Jul 2016 06:15:48 -0700 (PDT)
X-Received: by 10.176.3.13 with SMTP id 13mr7921825uat.139.1468242947730; Mon, 11 Jul 2016 06:15:47 -0700 (PDT)
Received: from grenada.local ([200.7.87.51]) by smtp.googlemail.com with ESMTPSA id u66sm7156415vkf.12.2016.07.11.06.15.46 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Jul 2016 06:15:47 -0700 (PDT)
References: <00d201d1db24$f89428e0$e9bc7aa0$@cn>
To: Yu Fu <fuyu@cnnic.cn>, 'Sandra Murphy' <sandy@tislabs.com>, 'sidr' <sidr@ietf.org>
From: "Carlos M. Martinez" <carlosm3011@gmail.com>
Message-ID: <96d9421d-d285-643b-af9c-3f54c7b66607@gmail.com>
Date: Mon, 11 Jul 2016 10:15:43 -0300
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <00d201d1db24$f89428e0$e9bc7aa0$@cn>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/ZBR1wh1rNEkPsLoNkdOyy_RUJVY>
Subject: Re: [sidr] agenda requests for the Berlin IETF 96 meeting
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: carlos@lacnic.net
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 13:15:51 -0000

Dear authors,

During the meeting in BA I commented on the following text:

> Each of the five RIRs has initiated the deployment of RPKI, and each
>    now offers RPKI services to its members.  A number of countries
>    (Ecuador, Japan, Bangladesh, etc.) have also started to test and
>    deploy RPKI internally.  In order to promote the deployment of RPKI,
>    ICANN (Internet Corporation for Assigned Names and Numbers), the five
>    RIRs, many NIRs and companies have making continuous efforts to solve
>    the existing problems and improve the corresponding policies and
>    technical standards.

I'm concerned about the loose use of the term 'countries' here. For many
people this can mean 'governments' and, at least in the case in Ecuador,
the Government has nothing to do with this. RPKI deployment is not a
'national' initiative if by national we mean 'sponsored' or 'approved'
by the current Government.

A better way of describing the country-wide deployments could be
something along the lines of:

"Various organizations in different countries like x,y and z have been
working on RPKI testing and deployment in some cases at a country-wide
level"

thanks!

-Carlos

On 7/11/16 12:33 AM, Yu Fu wrote:
> Hi chairs and all,
>
> We'd like to request a time slot of 10 minutes to discuss a topic of ROA
> mergence as described in draft-yan-sidr-roa-mergence-00.
>
> https://tools.ietf.org/html/draft-yan-sidr-roa-mergence-00
>
> During the process of ROA issuance, the address space holder needs to
> specify an origin AS for a list of IP prefixes.  Besides, the address
> space holder has a free choice to put multiple prefixes into a single
> ROA or issue separate ROAs for each prefix based on the current
> specification.  This draft analyzes and presents some operational
> problems which may be caused by the misconfigurations of ROAs
> containing multiple IP prefixes. We would like to have a discussion
> in the WG for the suggestions and considerations in this topic.
>
> Also, we have made an update for the draft-lee-sidr-rpki-deployment-02
> <https://datatracker.ietf.org/doc/draft-lee-sidr-rpki-deployment/> based
> on the comments and feedback after my presentation at the IETF 95 meeting.
>
> We'd like to request a time slot of 5 minutes to share the update.
>
> Comments and suggestions are appreciated.
>
> Thanks
>
> Yu
>
>
> -----Original Message-----
> From: sidr-bounces@ietf.org <mailto:sidr-bounces@ietf.org>
> [mailto:sidr-bounces@ietf.org] On Behalf Of Sandra Murphy
> Sent: Friday, July 01, 2016 5:06 AM
> To: sidr
> Cc: Sandra Murphy
> Subject: [sidr] agenda requests for the Berlin IETF 96 meeting
>
> Anyone who wishes to discuss a topic at the IETF meeting, please send a
> message to the list and chairs.
>
> Sandy, speaking as one of the wg co-chairs
>
>
> -------------------------------------------
> Yu Fu
> fuyu@cnnic.cn <mailto:fuyu@cnnic.cn>
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
> 


From nobody Mon Jul 11 13:20:03 2016
Return-Path: <rv@NIC.DTAG.DE>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AA4212D0B7 for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2016 13:20:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OenXju4eyFWG for <sidr@ietfa.amsl.com>; Mon, 11 Jul 2016 13:20:00 -0700 (PDT)
Received: from limes.NIC.DTAG.DE (limes.NIC.DTAG.DE [194.25.1.113]) by ietfa.amsl.com (Postfix) with ESMTP id EFFFB12B047 for <sidr@ietf.org>; Mon, 11 Jul 2016 13:19:59 -0700 (PDT)
Received: from x59.NIC.DTAG.DE (x59.NIC.DTAG.DE [194.25.1.154]) by limes.NIC.DTAG.DE (8.8.5/8.8.3) with ESMTP id WAA22040; Mon, 11 Jul 2016 22:19:55 +0200 (MET DST)
To: Sandra Murphy <sandy@tislabs.com>
From: "Ruediger Volk, Deutsche Telekom Technik - FMED-41.." <rv@NIC.DTAG.DE>
In-Reply-To: Your message of "Thu, 30 Jun 2016 17:05:58 EDT." <88ABAC3C-886C-4402-9A73-09E1D748DE7F@tislabs.com> 
Date: Mon, 11 Jul 2016 22:19:55 +0200
Message-ID: <1115.1468268395@x59.NIC.DTAG.DE>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/OapOEjP31iKFTbZL1um1mg0npE8>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] agenda requests for the Berlin IETF 96 meeting
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2016 20:20:02 -0000

  > Anyone who wishes to discuss a topic at the IETF meeting, please send a
  > message to the list and chairs.
  > 
  > Sandy, speaking as one of the wg co-chairs

I'll have a few slides revisiting observations reported previously
and a few new findings.  5 minutes should do.

   Ruediger


From nobody Tue Jul 12 00:25:35 2016
Return-Path: <fuyu@cnnic.cn>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 634C312D106 for <sidr@ietfa.amsl.com>; Tue, 12 Jul 2016 00:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.29
X-Spam-Level: 
X-Spam-Status: No, score=-1.29 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.287, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rrht11NvuSDg for <sidr@ietfa.amsl.com>; Tue, 12 Jul 2016 00:25:33 -0700 (PDT)
Received: from cnnic.cn (smtp13.cnnic.cn [218.241.118.13]) by ietfa.amsl.com (Postfix) with ESMTP id 8346312B016 for <sidr@ietf.org>; Tue, 12 Jul 2016 00:25:32 -0700 (PDT)
Received: from LIUXD (unknown [218.241.103.240]) by ocmail02.zx.nicx.cn (Coremail) with SMTP id AQAAf0A5QChim4RXGDUECg--.18530S3;  Tue, 12 Jul 2016 15:25:23 +0800 (CST)
From: "Yu Fu" <fuyu@cnnic.cn>
To: <carlos@lacnic.net>
References: <00d201d1db24$f89428e0$e9bc7aa0$@cn> <96d9421d-d285-643b-af9c-3f54c7b66607@gmail.com>
In-Reply-To: <96d9421d-d285-643b-af9c-3f54c7b66607@gmail.com>
Date: Tue, 12 Jul 2016 15:25:26 +0800
Message-ID: <012e01d1dc0e$8fbd3650$af37a2f0$@cn>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdHbdlw0ymdiM2sQSEeKgAQ9T0ydKQAlvyQA
Content-Language: zh-cn
X-CM-TRANSID: AQAAf0A5QChim4RXGDUECg--.18530S3
X-CM-SenderInfo: pix13q5fqqxugofq/
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/x8NSbA7OTkM_CZ79q1n3AZWBOaw>
Cc: 'sidr' <sidr@ietf.org>, 'Sandra Murphy' <sandy@tislabs.com>
Subject: Re: [sidr] agenda requests for the Berlin IETF 96 meeting
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 07:25:34 -0000

Dear Carlos,

Thank you for your reminder and comment.
I will update the description based on your comments in the next version.

BR
Yu


On Monday, July 11, 2016 9:16 PM, Carlos M. Martinez
[mailto:carlosm3011@gmail.com] wrote:

> I'm concerned about the loose use of the term 'countries' here. For many
> people this can mean 'governments' and, at least in the case in Ecuador, the
> Government has nothing to do with this. RPKI deployment is not a
> 'national' initiative if by national we mean 'sponsored' or 'approved'
> by the current Government.
>
> A better way of describing the country-wide deployments could be something
> along the lines of:
>
> "Various organizations in different countries like x,y and z have been
> working on RPKI testing and deployment in some cases at a country-wide
> level"
>
> thanks!
>
> -Carlos




From nobody Tue Jul 12 09:46:36 2016
Return-Path: <madi@zdns.cn>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC75712D1E6 for <sidr@ietfa.amsl.com>; Tue, 12 Jul 2016 09:46:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level: 
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1UjEroabUgwZ for <sidr@ietfa.amsl.com>; Tue, 12 Jul 2016 09:46:32 -0700 (PDT)
Received: from gw1.turbomail.org (gw1.turbomail.org [159.8.83.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CEC112B047 for <sidr@ietf.org>; Tue, 12 Jul 2016 09:46:31 -0700 (PDT)
X-TM-DID: c7db74819864167f5a1c617c2fa3cb52
Content-Type: text/plain; charset=gb2312
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Declan Ma <madi@zdns.cn>
In-Reply-To: <C1C22A63-066E-4232-B10B-D8827B9B4715@ripe.net>
Date: Wed, 13 Jul 2016 00:41:54 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <2D97C8AD-653F-4678-B73D-631FD721015F@zdns.cn>
References: <20160708225123.32075.21604.idtracker@ietfa.amsl.com> <100F7109-D601-478A-959D-7260AC21A31A@ripe.net> <1CE8D4C6-D1DF-4368-9770-392153076D91@zdns.cn> <C1C22A63-066E-4232-B10B-D8827B9B4715@ripe.net>
To: Oleg Muravskiy <oleg@ripe.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/VyyjnTnhYSiSaUjZ52AcWvXPxUw>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 16:46:35 -0000

Oleg,

Thanks for your clarifications. You were making sense here.

Yet I think Section Security Considerations deserves more text of why
you take such approach since this section is about your Considerations.
Your reasoning is going to help make it in good shape ;-)

Di


> On 11 Jul 2016, at 16:36, Oleg Muravskiy <oleg@ripe.net> wrote:
>
> Di,
>
>> On 10 Jul 2016, at 16:08, Declan Ma <madi@zdns.cn> wrote:
>>
>> Oleg,
>>
>> I think this version is much better.
>>
>> Yet I still have a question with Section Security Considerations:
>>
>> "In contrast, objects whose content hash matches the hash listed in
>>  the manifest, but that are not located in the publication directory
>>  listed in their CA certificate, will be used in the validation
>>  process (although a warning will be issued in that case)."
>>
>> Given these sorts of objects have been found somehow, in a different
>> repository as described in Section 3.2.2. Manifest entries validation,
>> your RP will accept them anyway, using them in validation.
>>
>> What if this manifest is a stale one when the latest MFT has been
>> deleted maliciously or inadvertently?
>>
>> A ROA found in a different repository may have been removed by the
>> administrator and an attacker just replaces this ROA into that
>> 'different repository' with poor management.
>>
>> There could be many risks here. I wonder why you take this approach.
>>
>> Di
>
> Let's look at this case in more detail.
>
> What you describe is that there used to be a valid ROA properly
> described by a manifest with number X. Then the change happened and in
> the manifest version X+1 that ROA is not listed anymore, and a new CRL
> that revokes that ROA is listed. The ROA file is also removed from the
> repository directory, and new CRL and manifest files replaced their
> previous versions.
>
> Now, the RP does a new fetch of the repository content, and somehow
> gets the old version of the manifest, but the new content of directory,
> so:
>
> - with rsync repository, the rsync stream needs to be tampered with,
> so that the new manifest is replaced by the old one, but the rest of the
> stream remains the same;
>
> - with RRDP repository, the content of a snapshot or a delta needs to
> be tampered with, so that it does not contain a replace for the
> manifest.
>
> In this situation the validator on the RP side could detect a
> mismatch, but it needs to decide whom to trust more: the RPKI-signed
> content of the manifest, or not RPKI-signed (and in case of rsync, not
> signed at all) content of an RRDP snapshot/delta or an rsync directory.
>
> If we would choose to trust the rsync or RRDP content, then an
> attacker could easily remove a valid ROA (or certificate) from the
> stream, which probably is the simplest sort of attack the MITM could
> implement in case of RPKI.
>
> So we chose to trust the RPKI-signed content.
>
>
> Oleg
>=20
>>
>>
>>
>>> On 9 Jul 2016, at 07:04, Oleg Muravskiy <oleg@ripe.net> wrote:
>>>
>>> This is an update to the draft-ietf-sidr-rpki-tree-validation.
>>>
>>> No major changes, mostly clarifications that address comments from
>>> Steve Kent, and additional information as requested at the previous WG
>>> session.  Hope this version is more clear and close to final.
>>>
>>>
>>> Oleg
>>>
>>>
>>>> On 09 Jul 2016, at 00:51, internet-drafts@ietf.org wrote:
>>>>
>>>>
>>>> A New Internet-Draft is available from the on-line Internet-Drafts
>>>> directories.
>>>> This draft is a work item of the Secure Inter-Domain Routing of the
>>>> IETF.
>>>>
>>>>     Title           : RPKI Certificate Tree Validation by a Relying Party Tool
>>>>     Authors         : Oleg Muravskiy
>>>>                       Tim Bruijnzeels
>>>> 	Filename        : draft-ietf-sidr-rpki-tree-validation-01.txt
>>>> 	Pages           : 12
>>>> 	Date            : 2016-07-08
>>>>
>>>> Abstract:
>>>> This document describes the approach to validate the content of the
>>>> RPKI certificate tree, as used by the RIPE NCC RPKI Validator.  This
>>>> approach is independent of a particular object retrieval mechanism.
>>>> This allows it to be used with repositories available over the rsync
>>>> protocol, the RPKI Repository Delta Protocol, and repositories that
>>>> use a mix of both.
>>>>
>>>> This algorithm does not rely on content of repository directories,
>>>> but uses the Authority Key Identifier (AKI) field of a manifest and a
>>>> certificate revocation list (CRL) objects to discover manifest and
>>>> CRL objects issued by a particular Certificate Authority (CA).  It
>>>> further uses the hashes of manifest entries to discover other objects
>>>> issued by the CA.
>>>>
>>>>
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-tree-validation/
>>>>
>>>> There's also a htmlized version available at:
>>>> https://tools.ietf.org/html/draft-ietf-sidr-rpki-tree-validation-01
>>>>
>>>> A diff from the previous version is available at:
>>>> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-tree-validation-01
>>>>
>>>>
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>>
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>
>>>> _______________________________________________
>>>> sidr mailing list
>>>> sidr@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/sidr
>>>>
>>>
>>> _______________________________________________
>>> sidr mailing list
>>> sidr@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sidr
>>
>>
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
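
The trade-off discussed in the message above, as an added example that is not part of the thread and not the RIPE NCC validator's code: object selection driven by the signed manifest's hashes rather than by whatever the transport delivered into the directory. The URIs, file names and object bytes are constructed, the manifest is assumed to be signature-verified already, and the manifest-number comparison is an assumed local-policy check that the thread does not describe.

```python
import hashlib
from dataclasses import dataclass, field


def digest(data: bytes) -> str:
    """SHA-256 hex digest, the hash form assumed for manifest entries here."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Manifest:
    """Fields of an already signature-verified manifest (verification not shown)."""
    number: int             # manifest number ("X", "X+1" in the thread)
    publication_dir: str    # directory URI named in the CA certificate
    entries: dict           # file name -> SHA-256 hex digest


@dataclass
class Selection:
    accepted: dict = field(default_factory=dict)   # file name -> object bytes
    warnings: list = field(default_factory=list)
    missing: list = field(default_factory=list)    # listed but not delivered intact
    ignored: list = field(default_factory=list)    # delivered but not listed


def select_objects(mft, fetched, last_seen_number=None):
    """Choose objects by manifest hash; `fetched` maps URI -> bytes (unsigned transport data)."""
    sel = Selection()

    # Assumed local policy: remember the highest manifest number seen and flag a step back.
    if last_seen_number is not None and mft.number < last_seen_number:
        sel.warnings.append(
            f"manifest number {mft.number} is older than {last_seen_number} seen earlier")

    # Index everything the transport delivered by content hash, wherever it was found.
    by_hash = {}
    for uri, data in fetched.items():
        by_hash.setdefault(digest(data), []).append(uri)

    for name, want in sorted(mft.entries.items()):
        home = mft.publication_dir + name
        in_place = fetched.get(home)
        if in_place is not None and digest(in_place) == want:
            sel.accepted[name] = in_place
        elif want in by_hash:
            # Hash matches the signed manifest but the location does not: use it, warn.
            uri = sorted(by_hash[want])[0]
            sel.accepted[name] = fetched[uri]
            sel.warnings.append(f"{name}: hash matches manifest but object found at {uri}")
        else:
            # Removed or altered in transit: visible as a gap, not silently accepted.
            sel.missing.append(name)

    # Objects sitting in the directory that the manifest never listed are not used.
    for uri in sorted(fetched):
        if uri.startswith(mft.publication_dir):
            if uri[len(mft.publication_dir):] not in mft.entries:
                sel.ignored.append(uri)
    return sel


# Constructed sample data.
DIR = "rsync://rpki.example.net/repo/ca1/"
OTHER = "rsync://rpki.example.net/repo/other/"
ROA = b"constructed ROA bytes"
CRL_OLD = b"constructed CRL, before revocation"
CRL_NEW = b"constructed CRL, revokes the ROA"
MFT_X = Manifest(41, DIR, {"a.roa": digest(ROA), "ca1.crl": digest(CRL_OLD)})


def replayed_manifest_case():
    """Old manifest X arrives with the new directory content; the ROA survives elsewhere."""
    fetched = {DIR + "ca1.crl": CRL_NEW, OTHER + "a.roa": ROA}
    return select_objects(MFT_X, fetched, last_seen_number=42)


def dropped_object_case():
    """Current manifest, but the ROA was removed from the stream and a stray file added."""
    fetched = {DIR + "ca1.crl": CRL_OLD, DIR + "stray.roa": b"constructed unlisted object"}
    return select_objects(MFT_X, fetched, last_seen_number=41)


if __name__ == "__main__":
    for case in (replayed_manifest_case, dropped_object_case):
        r = case()
        print(case.__name__, sorted(r.accepted), r.missing, r.ignored, r.warnings)
```

In the replayed case the old CRL named by manifest X can no longer be found, which is the detectable mismatch; in the dropped case the missing ROA is reported instead of the validator quietly producing a smaller set of ROAs.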


From nobody Wed Jul 13 08:05:27 2016
Return-Path: <oleg@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC41F12DA95; Wed, 13 Jul 2016 08:05:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yNJIHkIajNQ3; Wed, 13 Jul 2016 08:05:21 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF95E12D1A7; Wed, 13 Jul 2016 08:05:21 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <oleg@ripe.net>) id 1bNLiv-000CNn-KC; Wed, 13 Jul 2016 17:05:20 +0200
Received: from dog.ripe.net ([193.0.1.217] helo=[IPv6:::1]) by nene.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <oleg@ripe.net>) id 1bNLiu-0006bb-DR; Wed, 13 Jul 2016 17:05:16 +0200
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: text/plain; charset=utf-8
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <E3DE4ED0-1BAE-48EE-849B-E0E0813CE411@icloud.com>
Date: Wed, 13 Jul 2016 17:05:16 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net>
References: <20160412100344.32250.28492.idtracker@ietfa.amsl.com> <E3DE4ED0-1BAE-48EE-849B-E0E0813CE411@icloud.com>
To: Declan Ma <madihello@icloud.com>
X-Mailer: Apple Mail (2.2104)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0008]
X-RIPE-Signature: c408758d4ce2e8eb06762a65a3365b74b6d4128e71bdf5e75baa6acfe37374c9
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/ThyvBuWdCnv2t9u86sOjwdV4xKc>
Cc: sidr chairs <sidr-chairs@ietf.org>, IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] New Version Notification for draft-madi-sidr-rp-00.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jul 2016 15:05:26 -0000

Hi Di,

> On 27 Apr 2016, at 03:46, Declan Ma <madihello@icloud.com> wrote:
>
> Hi, folks,
>
> Steve Kent and I have generated this document to try to consolidate RP
> requirements in one document, with pointers to all the relevant RFCs.

I read the document, and I appreciate you putting it together, but I
can't say I support this effort.

As you state in Section 1:

   The follow sections present requirements imposed on RPs as defined in
   the following RFCs:

   RFC 6480 (RPKI Architecture)
   RFC 6481 (Repository Structure)
   RFC 6482 (ROA format)
   RFC 6485 (Algorithms)
   RFC 6486 (Manifests)
   RFC 6487 (Certificate and CRL profile)
   RFC 6488 (RPKI Signed Objects)
   RFC 6489 (Key Rollover)
   RFC 6810 (RPKI to Router Protocol)
   RFC 6916 (Algorithm Agility)
   RFC 7730 (Trust Anchor Locator)
   RFC XXXX (Router Certificates)

   This document will be update to reflect new or changed requirements
   as these RFCs are updated, or new RFCs are written.

I agree that there are many documents that one has to consult in order
to make or verify an implementation of RPKI validation, but this
document will *add* to that number!

Once this document is out, someone will have to keep it up to date (and
not conflicting) with all those other documents. This could create more
problems than it could solve.

My following comments basically show why it is difficult to keep this
document in a state that would not create more problems.


> As I mentioned in IETF 95 meeting, there is no standards language
> (e.g., MUST, SHOULD, MAY, ...) in this doc, as it is just POINTING to
> the docs that have the real requirements.

Well, actually there is normative language:

   3.3.  CRL Processing

   The CRL processing requirements imposed on CAs and RP are described
   in [RFC6487].  CRLs in the RPKI are tightly constrained; only the
   AuthorityKeyIndetifier and CRLNumber extensions are allowed, and they
   MUST be present.  No other CRL extensions are allowed, and no
  ^^^^^^
   CRLEntry extensions are permitted.  RPs are required to verify that
   these constraints have been met.  Each CRL in the RPI MUST be
                                                        ^^^^^^
   verified using the public key from the certificate of the CA that
   issued the CRL.

And there are several other places where the normative language is not
used, but implied.


> This doc outlines the RP functions, summarizes them and then gives
> reference to those precise sections or paragraphs, in order to make life
> easier for implementers to make sure he/she has addressed all of these
> requirements.

I have two comments for this paragraph.

First, it might seem appealing to create a document that will give a
"reference to those precise sections or paragraphs", so that the
implementer could skip reading those long RFCs in full.  But I do not
think it is possible or advisable. Even in your draft you say:

   An RP is required
   to verify that a resource certificate adheres to the profile
   established by [RFC6487].  This means that all extensions mandated by
   [RFC6487] must be present and value of each extension must be within
   the range specified by this RFC.  Moreover, any extension excluded by
   [RFC6487] must be omitted.

or

   To determine whether a manifest is valid, the RP is required to
   perform manifest-specific checks in addition to those specified in
   [RFC6488].

So very often it is more practical to refer to the whole RFCs, because
an implementer has to implement all of it, not just specific paragraphs.


Second, what if, for whatever reason, this document will not list *all*
of the requirements?  Will it be OK for the implementer to say "I did
everything specified there", or will (s)he be required to double-check
with other RFCs you refer to?  Or even with those you do not refer to?

I'm not sure how to define the applicability of such document.


> Any comments and feedbacks are appreciated.

Here are my comments for some specific sections:

   3.1.  Verifying Resource Certificate and Syntax

   Certificates in the RPKI are called resource certificates, and they
   are required to conform to the profile [RFC6487].  An RP is required
   to verify that a resource certificate adheres to the profile
   established by [RFC6487].  This means that all extensions mandated by
   [RFC6487] must be present and value of each extension must be within
   the range specified by this RFC.  Moreover, any extension excluded by
   [RFC6487] must be omitted.

I think you should not repeat the text of other RFCs, otherwise you risk
being incomplete or going out of sync with referenced RFC.


   3.2.  Certificate Path Validation

   In the RPKI, issuer can only assign and/or allocate public INRs
   belong to it, ...

I don't think assignment or allocation of INR happens in RPKI.


   3.3.  CRL Processing

   The CRL processing requirements imposed on CAs and RP are described
   in [RFC6487].  CRLs in the RPKI are tightly constrained; only the
   AuthorityKeyIndetifier and CRLNumber extensions are allowed, and they
   MUST be present.  No other CRL extensions are allowed, and no
   CRLEntry extensions are permitted.  RPs are required to verify that
   these constraints have been met.  Each CRL in the RPI MUST be
   verified using the public key from the certificate of the CA that
   issued the CRL.


Apart from using normative language mentioned above, you seem to repeat
the text of other RFC.
Is it the only bit of RFC6487 that is applicable to CRL processing in
RPKI validation?
Doesn't any CRL validation (not only in RPKI) require that CRL must be
verified using the public key of its issuer?


   4.2.1.  Manifest

   To determine whether a manifest is valid, the RP is required to
   perform manifest-specific checks in addition to those specified in
   [RFC6488].

   Specific checks for a Manifest are described in section 4 of
   [RFC6486].  If any of these checks fails, indicating that the
   manifest is invalid, then the manifest will be discarded and treated
   as though no manifest were present.

This description is quite incomplete. Perhaps you should merge the
content of section "4.3.  How to Make Use of Manifest Data" in here, but
even there I do not see a reference to section 6 (Relying Party Use of
Manifests) of RFC6486, which is quite a big omission.


   4.2.2.  ROA

   To validate a ROA, the RP is required perform all the checks
   specified in [RFC6488] as well as the additional ROA-specific
   validation steps.  The IP address delegation extension [RFC3779]
   present in the end-entity (EE) certificate (contained within the
   ROA), must encompass each of the IP address prefix(es) in the ROA.
   More details for ROA validation are specified in section 2 of
   [RFC6482].

The second sentence is almost a 1-to-1 copy of Section 4 of 6482. What's
the point of copying it instead of referencing?

Section 2 of RFC6482 defines the ROA content-type, not the validation.


   4.2.3.  Ghostbusters

   The Ghostbusters Record is optional; a publication point in the RPKI
   can have zero or more associated Ghostbuster Records.

This is true for all objects except manifest and CRL.

   If a CA has at
   least one Ghostbuster Record, RP is required to verify that this
   Ghostbusters Record conforms to the syntax of signed object defined
   in [RFC6488].

And this is also true for any signed object.

   The payload of this signed object is a (severely) profiled vCard.  An
   RP is required to verify that the payload of Ghostbusters conforms to
   format as profiled in [RFC6493].

I'm mentioning it here, but it applies to many places in this document:
the validation section of RFC6493 already references RFC6488. So why
duplicate it here?


   4.3.  How to Make Use of Manifest Data

   For a given publication point, the RP ought to perform tests to
   determine the state of the Manifest at the publication point.  A
   Manifest can be classified as either valid or invalid, and a valid
   Manifest is either current and stale.  An RP decides how to make use
   of a Manifest based on its state, according to local (RP) policy.

   If there are valid objects in a publication point that are not
   present on a Manifest, [RFC6486] does not mandate specific RP
   behavior with respect to such objects.  However, most RP software
   ignores such objects and this document recommends that this behavior
   be adopted uniformly.

Instead of "recommending" it in this document, maybe we should review
and change 6486?

   In the absence of a Manifest, an RP is expected to accept all valid
   signed objects present in the publication point.

Actually, 6486 says that all such objects "SHOULD be viewed as suspect,
but MAY be used by the RP, as per local policy", which has a subtle
difference.




I think this confirms that keeping such document up to date and
consistent with other documents is not an easy task, and having this
document will not relieve the implementer from studying deeply all the
documents it refers to.


Oleg


>
>
> Di
>
> ZDNS
>
>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-madi-sidr-rp-00.txt
>> Date: 12 April 2016, GMT+8 18:03:44
>> To: "Dr. Stephen T. Kent" <kent@bbn.com>, "Di Ma" <madi@zdns.cn>, "Stephen Kent" <kent@bbn.com>
>>
>>
>> A new version of I-D, draft-madi-sidr-rp-00.txt
>> has been successfully submitted by Di Ma and posted to the
>> IETF repository.
>>
>> Name:		draft-madi-sidr-rp
>> Revision:	00
>> Title:		Requirements for Resource Public Key Infrastructure (RPKI) Relying Parties
>> Document date:	2016-04-12
>> Group:		Individual Submission
>> Pages:		10
>> URL:            https://www.ietf.org/internet-drafts/draft-madi-sidr-rp-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-madi-sidr-rp/
>> Htmlized:       https://tools.ietf.org/html/draft-madi-sidr-rp-00
>>
>>
>> Abstract:
>>  This document provides a single reference point for requirements for
>>  Relying Party (RP) software for use in the Resource Public Key
>>  Infrastructure (RPKI).  It cites requirements that appear in several
>>  RPKI RFCs, making it easier for implementers to become aware of these
>>  requirements.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr


From nobody Wed Jul 13 16:33:25 2016
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com>
Date: Wed, 13 Jul 2016 19:33:20 -0400
Message-Id: <74604426-12C8-4DC8-9064-E01A1A2990F5@tislabs.com>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com>
To: sidr <sidr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/OKqDHbEPc9qNozUALdPmWeHd53U>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00

There’s been a rather energetic conversation about this but not many people involved.

The wglc needs some more reviewers and commenters to gauge consensus.

There’s just a few days left - please consider reviewing the draft and providing comments and publication worthiness to the list.

—Sandy



> On Jun 30, 2016, at 5:11 PM, Sandra Murphy <sandy@tislabs.com> wrote:
>
> The authors of draft-ietf-sidr-adverse-actions-00, "Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)",  believe that the document is ready for a working group last call.
>
> This starts a two week wglc which will end on 14 July 2016.
>
> Please review the draft and send comments and your opinion of whether it is worthy of publication to the list.  Remember that support for publication is needed, and comments can improve quality, so lack of comments is not sufficient.
>
> You can reach the document at https://tools.ietf.org/html/draft-ietf-sidr-adverse-actions-00 and https://datatracker.ietf.org/doc/draft-ietf-sidr-adverse-actions.
>
> —Sandy, speaking as one of the wg co-chairs.
>




From nobody Thu Jul 14 07:05:03 2016
From: Sandra Murphy <sandy@tislabs.com>
Date: Thu, 14 Jul 2016 10:04:46 -0400
Message-Id: <6FEE1066-E2D5-481F-9D5A-1CC677A98AA7@tislabs.com>
To: sidr <sidr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/TbuND-IMGkaFID4vLjmhD8EeLxM>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: [sidr] agenda uploaded

I have uploaded the agenda.  It is copied below for your convenience.

If there are any errors, please do let the chairs know.  Particularly if requests for agenda slots don’t appear.

We have time at the end for discussion, and for new requests.

—Sandy, speaking as co-chair


Secure Inter-Domain Routing WG (sidr)
IETF 95 - Berlin, Germany

CHAIR(s): Sandra Murphy sandy at tislabs.com
          Chris Morrow morrowc at ops-netman.net

=====================================================



AGENDA:

THURSDAY, July 21, 2016
1000-1230  Morning Session I                    Bellevue



1)  Administrivia & Draft status                                        1000-1010

    Presenter: Chairs

   - Mailing list: http://www.ietf.org/mail-archive/web/sidr/index.html
   - WG Resources: http://tools.ietf.org/wg/sidr/
   - Minute taker?
   - Jabber Scribe?
   - Blue Sheets
   - Agenda Bashing

2)  Existing WG Drafts

a)  RRDP and HTTPS                                                      1010-1025
    RPKI Repository Delta Protocol
    https://datatracker.ietf.org/doc/draft-ietf-sidr-delta-protocol/
    https://tools.ietf.org/html/draft-ietf-sidr-delta-protocol-03

    Presenter: Tim Bruijnzeels

b)  Updates to ROA and BGPSec Router Certificate profiles               1025-1045
    RPKI Validation Reconsidered
    https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/
    https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-03

    Presenter: Tim Bruijnzeels

3)  Other Work, Not WG Drafts

a)  RPKI vs BGP Global Statistics                                       1045-1100

    Presenter: Tim Bruijnzeels

b)  Problem Statement and Considerations for ROA Mergence               1100-1115
    https://datatracker.ietf.org/doc/draft-yan-sidr-roa-mergence
    https://tools.ietf.org/html/draft-yan-sidr-roa-mergence-00

    Presenter: Yu Fu

c)  RPKI Deployment Considerations:                                     1115-1130
    Problem Analysis and Alternative Solutions
    https://datatracker.ietf.org/doc/draft-lee-sidr-rpki-deployment
    https://tools.ietf.org/html/draft-lee-sidr-rpki-deployment

    Presenter: Yu Fu


d)  Observations reported previously and a few new findings.            1130-1145

    Presenter:  Ruediger Volk

4)  Discussion                                                          1145-1230





From nobody Thu Jul 14 10:08:57 2016
From: Declan Ma <madihello@icloud.com>
In-reply-to: <F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net>
Date: Fri, 15 Jul 2016 01:07:58 +0800
Message-id: <A6A7C12F-E586-4203-A032-26EA69705C54@icloud.com>
References: <20160412100344.32250.28492.idtracker@ietfa.amsl.com> <E3DE4ED0-1BAE-48EE-849B-E0E0813CE411@icloud.com> <F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net>
To: Oleg Muravskiy <oleg@ripe.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/7lq-TRHuSMvADHU1oojrzzS9iNo>
Cc: sidr chairs <sidr-chairs@ietf.org>, IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] New Version Notification for draft-madi-sidr-rp-00.txt

Oleg,

Thanks for your detailed comments.


> On 13 Jul 2016, at 23:05, Oleg Muravskiy <oleg@ripe.net> wrote:
>
> Hi Di,
>
>> On 27 Apr 2016, at 03:46, Declan Ma <madihello@icloud.com> wrote:
>>
>> Hi, folks,
>>
>> Steve Kent and I have generated this document to try to consolidate RP requirements in one document, with pointers to all the relevant RFCs.
>
> I read the document, and I appreciate you putting it together, but I can't say I support this effort.
>
> As you state in Section 1:
>
>   The follow sections present requirements imposed on RPs as defined in
>   the following RFCs:
>
>   RFC 6480 (RPKI Architecture)
>   RFC 6481 (Repository Structure)
>   RFC 6482 (ROA format)
>   RFC 6485 (Algorithms)
>   RFC 6486 (Manifests)
>   RFC 6487 (Certificate and CRL profile)
>   RFC 6488 (RPKI Signed Objects)
>   RFC 6489 (Key Rollover)
>   RFC 6810 (RPKI to Router Protocol)
>   RFC 6916 (Algorithm Agility)
>   RFC 7730 (Trust Anchor Locator)
>   RFC XXXX (Router Certificates)
>
>   This document will be update to reflect new or changed requirements
>   as these RFCs are updated, or new RFCs are written.
>
> I agree that there are many documents that one has to consult in order to make or verify an implementation of RPKI validation, but this document will *add* to that number!
>
> Once this document is out, someone will have to keep it up to date (and not conflicting) with all those other documents. This could create more problems than it could solve.
>
> My following comments basically show why it is difficult to keep this document in a state that would not create more problems.
>

This document is intended to offer a starting point for searching RP requirements.

Yes. These referenced RFCs would be updated. But it’s the IETF not the implementers who should try to reflect the updates.

As such, implementers merely need to keep an eye on the RP requirement document, which is going to exempt implementers from watching all the updates of all the referenced RFCs.


>
>> As I mentioned in IETF 95 meeting, there is no standards language (e.g., MUST, SHOULD, MAY, ...) in this doc, as it is just POINTING to the docs that have the real requirements.
>
> Well, actually there is normative language:
>
>   3.3.  CRL Processing
>
>   The CRL processing requirements imposed on CAs and RP are described
>   in [RFC6487].  CRLs in the RPKI are tightly constrained; only the
>   AuthorityKeyIndetifier and CRLNumber extensions are allowed, and they
>   MUST be present.  No other CRL extensions are allowed, and no
>  ^^^^^^
>   CRLEntry extensions are permitted.  RPs are required to verify that
>   these constraints have been met.  Each CRL in the RPI MUST be
>                                                        ^^^^^^
>   verified using the public key from the certificate of the CA that
>   issued the CRL.
>
> And there are several other places where the normative language is not used, but implied.
>

Thanks for spotting these MUSTs.  We shall replace them by using different expressions.

>
>> This doc outlines the RP functions, summarizes them and then gives reference to those precise sections or paragraphs, in order to make life easier for implementers to make sure he/she has addressed all of these requirements.
>
> I have two comments for this paragraph.
>
> First, it might seem appealing to create a document that will give a "reference to those precise sections or paragraphs", so that the implementer could skip reading those long RFCs in full.  But I do not think it is possible or advisable. Even in your draft you say:
>
>   An RP is required
>   to verify that a resource certificate adheres to the profile
>   established by [RFC6487].  This means that all extensions mandated by
>   [RFC6487] must be present and value of each extension must be within
>   the range specified by this RFC.  Moreover, any extension excluded by
>   [RFC6487] must be omitted.
>
> or
>
>   To determine whether a manifest is valid, the RP is required to
>   perform manifest-specific checks in addition to those specified in
>   [RFC6488].
>
> So very often it is more practical to refer to the whole RFCs, because an implementer has to implement all of it, not just specific paragraphs.
>

We are not persuading implementers to skip reading those RFCs in full. Our draft is born to be a guide to help implementers get the essentials of RP functionalities scattered in different RFCs.

Anyone who wants to comprehend RPKI cannot be exempted from reading all the RPKI RFCs, let alone the implementers.  One might see the RP requirement as Manifest of all necessary RP functions.

Besides, implementers need to know more than what RP requirements are. They need to know how to reflect these functions as they are making software design.

To that end, this draft has generalized RP requirements segmented with orthogonal functionalities in different sections.


>
> Second, what if, for whatever reason, this document will not list *all* of the requirements?  Will it be OK for the implementer to say "I did everything specified there", or will (s)he be required to double-check with other RFCs you refer to?  Or even with those you do not refer to?
>
> I’m not sure how to define the applicability of such document.
>

This document is about to go through discussions in SIDR, merging comments from this WG.

If a necessary piece of requirement is not included in this draft and the community agree to add it in, we of course would do that.


>
>> Any comments and feedbacks are appreciated.
>
> Here are my comments for some specific sections:
>
>   3.1.  Verifying Resource Certificate and Syntax
>
>   Certificates in the RPKI are called resource certificates, and they
>   are required to conform to the profile [RFC6487].  An RP is required
>   to verify that a resource certificate adheres to the profile
>   established by [RFC6487].  This means that all extensions mandated by
>   [RFC6487] must be present and value of each extension must be within
>   the range specified by this RFC.  Moreover, any extension excluded by
>   [RFC6487] must be omitted.
>
> I think you should not repeat the text of other RFCs, otherwise you risk of being incomplete or going out of sync with referenced RFC.
>

When we are repeating text, we consider them the best to brief this section, helping people to seize the key point.

We are open to figure out a better way to do this.

>
>   3.2.  Certificate Path Validation
>
>   In the RPKI, issuer can only assign and/or allocate public INRs
>   belong to it, ...
>
> I don't think assignment or allocation of INR happens in RPKI.
>
>
>   3.3.  CRL Processing
>
>   The CRL processing requirements imposed on CAs and RP are described
>   in [RFC6487].  CRLs in the RPKI are tightly constrained; only the
>   AuthorityKeyIndetifier and CRLNumber extensions are allowed, and they
>   MUST be present.  No other CRL extensions are allowed, and no
>   CRLEntry extensions are permitted.  RPs are required to verify that
>   these constraints have been met.  Each CRL in the RPI MUST be
>   verified using the public key from the certificate of the CA that
>   issued the CRL.
>
>
> Apart from using normative language mentioned above, you seem to repeat the text of other RFC.
> Is it the only bit of RFC6487 that is applicable to CRL processing in RPKI validation?
> Aren’t any CRL validation (not only in RPKI) requires that CRL must be verified using the public key of its issuer?
>


Well, CRL is not new. We might need to resort to some other documents, other than RPKI RFCs, to figure how to deal with CRL which all sorts of PKI systems need to handle.


>
>   4.2.1.  Manifest
>
>   To determine whether a manifest is valid, the RP is required to
>   perform manifest-specific checks in addition to those specified in
>   [RFC6488].
>
>   Specific checks for a Manifest are described in section 4 of
>   [RFC6486].  If any of these checks fails, indicating that the
>   manifest is invalid, then the manifest will be discarded and treated
>   as though no manifest were present.
>
> This description is quite incomplete. Perhaps you should merge the content of section "4.3.  How to Make Use of Manifest Data" in here, but even there I do not see a reference to section 6 (Relying Party Use of Manifests) of RFC6486, which is quite a big omission.
>
>
>   4.2.2.  ROA
>
>   To validate a ROA, the RP is required perform all the checks
>   specified in [RFC6488] as well as the additional ROA-specific
>   validation steps.  The IP address delegation extension [RFC3779]
>   present in the end-entity (EE) certificate (contained within the
>   ROA), must encompass each of the IP address prefix(es) in the ROA.
>   More details for ROA validation are specified in section 2 of
>   [RFC6482].
>
> The second sentence is almost a 1-to-1 copy of Section 4 of 6482. What’s the point of copying it instead of referencing?


When we are repeating text, we consider them the best to brief this section, helping people to seize the key point.

We are open to figure out a better way to do this.


>
> Section 2 of RFC6482 defines the ROA content-type, not the validation.
>
>

Right. We should have referenced section 4 of RFC6482.


>   4.2.3.  Ghostbusters
>
>   The Ghostbusters Record is optional; a publication point in the RPKI
>   can have zero or more associated Ghostbuster Records.
>
> This is true for all objects except manifest and CRL.
>
>   If a CA has at
>   least one Ghostbuster Record, RP is required to verify that this
>   Ghostbusters Record conforms to the syntax of signed object defined
>   in [RFC6488].
>
> And this is also true for any signed object.
>
>   The payload of this signed object is a (severely) profiled vCard.  An
>   RP is required to verify that the payload of Ghostbusters conforms to
>   format as profiled in [RFC6493].
>
> I'm mentioning it here, but it applies to many places in this document: the validation section of RFC6493 already references RFC6488. So why duplicate it here?
>
>

The reason is quite straightforward. RFC 6493 is specialized for Ghostbusters.

>   4.3.  How to Make Use of Manifest Data
>
>   For a given publication point, the RP ought to perform tests to
>   determine the state of the Manifest at the publication point.  A
>   Manifest can be classified as either valid or invalid, and a valid
>   Manifest is either current and stale.  An RP decides how to make use
>   of a Manifest based on its state, according to local (RP) policy.
>
>   If there are valid objects in a publication point that are not
>   present on a Manifest, [RFC6486] does not mandate specific RP
>   behavior with respect to such objects.  However, most RP software
>   ignores such objects and this document recommends that this behavior
>   be adopted uniformly.
>
> Instead of "recommending" it in this document, maybe we should review and change 6486?

Agreed.


>
>   In the absence of a Manifest, an RP is expected to accept all valid
>   signed objects present in the publication point.
>
> Actually, 6486 says that all such objects "SHOULD be viewed as suspect, but MAY be used by the RP, as per local policy", which has subtle difference.
>
>

Agreed. We shall consider how to modify this sentence.

>
>
> I think this confirms that keeping such document up to date and consistent with other documents is not an easy task, and having this document will not relieve the implementer from studying deeply all the documents it refers.
>


Maybe not an easy task but it deserves necessity and efforts.

As I mentioned above, I would like to reiterate the motivation of this work:

1) This document is intended to offer a starting point for searching RP requirements.

2) These referenced RFCs would be updated. But it’s the IETF not the implementers who should try to reflect the updates. As such, implementers merely need to keep an eye on the RP requirement document, which is going to exempt implementers from watching all the updates of all the referenced RFCs.

3) We are not persuading implementers to skip reading those RFCs in full. Our draft is born to be a guide to help implementers get the essentials of RP functionalities scattered in different RFCs. Anyone who wants to comprehend RPKI cannot be exempted from reading all the RPKI RFCs, let alone the implementers.  One might see the RP requirement as Manifest of all necessary RP functions.

4) Implementers need to know more than what RP requirements are. They need to know how to reflect these functions as they are making software design.  To that end, this draft has generalized RP requirements segmented with orthogonal functionalities in different sections.

Anyway, I appreciate your comments, which is going to help shape this draft better in its next version.

Di
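
The ROA check quoted in the message above from section 4.2.2 of the draft (the EE certificate's RFC 3779 IP address delegation extension must encompass each prefix in the ROA), as an added example that is not part of this thread, the draft or any relying-party software. `RoaPrefix`, `parse_resources`, `check_roa` and the sample resources are hypothetical names and constructed data; the example also applies the maxLength bounds from RFC 6482, which the quoted sentence does not mention, and assumes the EE certificate lists its resources explicitly as prefixes or ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RoaPrefix:
    """One entry of a ROA's prefix list (hypothetical container)."""
    prefix: str                       # CIDR prefix, e.g. "192.0.2.0/24"
    max_length: Optional[int] = None  # optional maxLength from RFC 6482


def _merge(ranges):
    """Merge overlapping or adjacent (first, last) integer ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_resources(entries):
    """Convert EE-certificate resources, given as CIDR prefixes or
    'first-last' ranges, into merged integer ranges per IP version."""
    by_version = {4: [], 6: []}
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in entry.split("-", 1))
            if first.version != last.version or first > last:
                raise ValueError(f"bad resource range: {entry!r}")
            by_version[first.version].append((int(first), int(last)))
        else:
            net = ipaddress.ip_network(entry, strict=True)
            by_version[net.version].append(
                (int(net.network_address), int(net.broadcast_address)))
    return {version: _merge(r) for version, r in by_version.items()}


def check_roa(roa_prefixes, ee_resources):
    """Return a list of (prefix, reason) failures; an empty list means
    every ROA prefix is encompassed by the EE certificate's resources."""
    resources = parse_resources(ee_resources)
    failures = []
    for entry in roa_prefixes:
        try:
            net = ipaddress.ip_network(entry.prefix, strict=True)
        except ValueError as exc:
            failures.append((entry.prefix, f"malformed prefix: {exc}"))
            continue
        # maxLength must lie between the prefix length and the
        # address-family bit length (32 for IPv4, 128 for IPv6).
        if entry.max_length is not None and not (
                net.prefixlen <= entry.max_length <= net.max_prefixlen):
            failures.append((entry.prefix, "maxLength out of range"))
            continue
        lo, hi = int(net.network_address), int(net.broadcast_address)
        # The whole prefix must fall inside one merged resource range.
        if not any(r_lo <= lo and hi <= r_hi
                   for r_lo, r_hi in resources[net.version]):
            failures.append(
                (entry.prefix, "not encompassed by EE certificate resources"))
    return failures


# Constructed sample data (documentation address space only).
SAMPLE_EE_RESOURCES = [
    "192.0.2.0/25",
    "192.0.2.128/25",                  # adjacent to the /25 above
    "198.51.100.0-198.51.100.127",     # range form
    "2001:db8::/32",
]
SAMPLE_ROA = [
    RoaPrefix("192.0.2.0/24", 24),     # covered only once the /25s are merged
    RoaPrefix("198.51.100.0/25"),      # inside the range
    RoaPrefix("198.51.100.0/24"),      # wider than the range: fails
    RoaPrefix("2001:db8:1::/48", 64),  # inside the IPv6 /32
    RoaPrefix("203.0.113.0/24", 20),   # maxLength shorter than the prefix
]

if __name__ == "__main__":
    for prefix, reason in check_roa(SAMPLE_ROA, SAMPLE_EE_RESOURCES):
        print(f"REJECT {prefix}: {reason}")
```

A ROA for which `check_roa` returns any failure does not pass this check as a whole; the per-prefix reasons are kept only to make the rejection easy to log.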




From nobody Thu Jul 14 10:21:56 2016
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com>
Date: Thu, 14 Jul 2016 13:21:47 -0400
Message-Id: <0CD1721F-5174-48A4-87EE-5E105FF5FC22@tislabs.com>
References: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com>
To: sidr <sidr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/tJb7MYLqBWih5ooeuv4Oe0nYpqU>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04

Responses have been a bit light on this wglc.

A few more days left - please give this draft a read and respond.

—Sandy, speaking as one of the wg co-chairs



> On Jul 2, 2016, at 2:59 PM, Sandra Murphy <sandy@tislabs.com> wrote:
>
> The authors believe that draft-ietf-sidr-rpki-oob-setup-04 ("An Out-Of-Band Setup Protocol For RPKI Production Services") is mature and ready for a working group last call.
>
> This message starts a two week wglc for draft-ietf-sidr-rpki-oob-setup-04, which will end 16 Jun 2016.
>
> Please review the draft and send comments and your opinion of whether it is worthy of publication to the list.  Remember that support for publication is needed, and comments can improve quality, so lack of comments is not sufficient.
>
> You can reach the document at https://tools.ietf.org/html/draft-ietf-sidr-rpki-oob-setup-04 and https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-oob-setup/.
>
> —Sandy, speaking as one of the wg co-chairs




From nobody Thu Jul 14 12:08:52 2016
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <6FEE1066-E2D5-481F-9D5A-1CC677A98AA7@tislabs.com>
Date: Thu, 14 Jul 2016 15:08:38 -0400
Message-Id: <8EE0ECDC-D985-4AEA-AA2A-335D895467C8@tislabs.com>
References: <6FEE1066-E2D5-481F-9D5A-1CC677A98AA7@tislabs.com>
To: sidr <sidr@ietf.org>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/FcfKSq3cWhdI5vWVUh1DZkorfnk>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] agenda uploaded
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jul 2016 19:08:50 -0000

--Apple-Mail=_5223A279-AB87-4287-9602-1BC03908D72E
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

and now updated to include a discussion by Declan Ma of https://tools.ietf.org/html/draft-madi-sidr-rp-00

—Sandy

> On Jul 14, 2016, at 10:04 AM, Sandra Murphy <sandy@tislabs.com> wrote:
>
> I have uploaded the agenda.  It is copied below for your convenience.
>
> If there are any errors, please do let the chairs know.  Particularly if requests for agenda slots don’t appear.
>
> We have time at the end for discussion, and for new requests.
>
> —Sandy, speaking as co-chair
>
>
> Secure Inter-Domain Routing WG (sidr)
> IETF 95 - Berlin, Germany
>
> CHAIR(s): Sandra Murphy sandy at tislabs.com
>          Chris Morrow morrowc at ops-netman.net
>
> =====================================================
>
>
>
> AGENDA:
>
> THURSDAY, July 21, 2016
> 1000-1230  Morning Session I                    Bellevue
>
>
>
> 1)  Administrivia & Draft status                                        1000-1010
>
>    Presenter: Chairs
>
>   - Mailing list: http://www.ietf.org/mail-archive/web/sidr/index.html
>   - WG Resources: http://tools.ietf.org/wg/sidr/
>   - Minute taker?
>   - Jabber Scribe?
>   - Blue Sheets
>   - Agenda Bashing
>
> 2)  Existing WG Drafts
>
> a)  RRDP and HTTPS                                                      1010-1025
>    RPKI Repository Delta Protocol
>    https://datatracker.ietf.org/doc/draft-ietf-sidr-delta-protocol/
>    https://tools.ietf.org/html/draft-ietf-sidr-delta-protocol-03
>
>    Presenter: Tim Bruijnzeels
>
> b)  Updates to ROA and BGPSec Router Certificate profiles               1025-1045
>    RPKI Validation Reconsidered
>    https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-validation-reconsidered/
>    https://tools.ietf.org/html/draft-ietf-sidr-rpki-validation-reconsidered-03
>
>    Presenter: Tim Bruijnzeels
>
> 3)  Other Work, Not WG Drafts
>
> a)  RPKI vs BGP Global Statistics                                       1045-1100
>
>    Presenter: Tim Bruijnzeels
>
> b)  Problem Statement and Considerations for ROA Mergence               1100-1115
>    https://datatracker.ietf.org/doc/draft-yan-sidr-roa-mergence
>    https://tools.ietf.org/html/draft-yan-sidr-roa-mergence-00
>
>    Presenter: Yu Fu
>
> c)  RPKI Deployment Considerations:                                     1115-1130
>    Problem Analysis and Alternative Solutions
>    https://datatracker.ietf.org/doc/draft-lee-sidr-rpki-deployment
>    https://tools.ietf.org/html/draft-lee-sidr-rpki-deployment
>
>    Presenter: Yu Fu
>
>
> d)  Observations reported previously and a few new findings.            1130-1145
>
>    Presenter:  Ruediger Volk
>
> 4)  Discussion                                                          1145-1230
>
>


--Apple-Mail=_5223A279-AB87-4287-9602-1BC03908D72E--


From nobody Fri Jul 15 00:06:30 2016
Return-Path: <markus.debruen@bsi.bund.de>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D2F312D1B8 for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 00:06:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.506
X-Spam-Level: 
X-Spam-Status: No, score=-5.506 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.287, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6B5UITc4qF00 for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 00:06:27 -0700 (PDT)
Received: from m4-bn.bund.de (m4-bn.bund.de [77.87.228.76]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C47B312D094 for <sidr@ietf.org>; Fri, 15 Jul 2016 00:06:26 -0700 (PDT)
Received: from m4.mfw.bn.ivbb.bund.de (localhost.mfw.bn.ivbb.bund.de [127.0.0.1]) by m4-bn.bund.de (8.14.5/8.14.5) with ESMTP id u6F76O8B015282 for <sidr@ietf.org>; Fri, 15 Jul 2016 09:06:24 +0200 (CEST)
Received: (from localhost) by m4.mfw.bn.ivbb.bund.de (MSCAN) id 5/m4.mfw.bn.ivbb.bund.de/smtp-gw/mscan; Fri Jul 15 09:06:24 2016
X-P350-Id: 3c445b0a22062ec0
X-Virus-Scanned: amavisd-new at bsi.bund.de
X-Virus-Scanned: by amavisd-new at bsi.bund.de
From: "de Brün, Markus" <markus.debruen@bsi.bund.de>
Organization: BSI Bonn
To: sidr@ietf.org
Date: Fri, 15 Jul 2016 09:05:56 +0200
User-Agent: KMail/1.9.10 (enterprise35 20141209.f66ef9b)
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Message-ID: <201607150905.56628.markus.debruen@bsi.bund.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/iX_iV3C6PqC1Vvc47NZ4ExUXmv8>
Subject: [sidr] ROA Signing Party
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 07:06:29 -0000

At IETF95 LACNIC organized a ROA Signing Party. We want to keep this up and
will be holding a similar event at IETF96 together with the RIPE NCC and the
FU Berlin:

on      Wednesday, 20. July
at      12:30 - 14:00
in      Room "King"
The event will be held in German.

We will briefly explain (i) what the RPKI is and why you need it, (ii) how you
will create ROAs, and (iii) which pitfalls might occur. ROAs can be created
directly on site. We will also show how you can check the impact of your ROA
creation.

We will give a summary of the event in the sidr session on Thursday.

Cheers,
Markus


From nobody Fri Jul 15 10:28:40 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68E0512D0E9 for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 10:28:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Level: 
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AALWMqzhBkyx for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 10:28:36 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D57B12B04D for <sidr@ietf.org>; Fri, 15 Jul 2016 10:28:36 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:54094 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bO6ud-00065k-0U for sidr@ietf.org; Fri, 15 Jul 2016 13:28:31 -0400
To: sidr@ietf.org
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com> <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
From: Stephen Kent <kent@bbn.com>
Message-ID: <a7252aa1-c522-ff42-979c-1b09c6c06406@bbn.com>
Date: Fri, 15 Jul 2016 13:28:30 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.1.1
MIME-Version: 1.0
In-Reply-To: <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net>
Content-Type: multipart/mixed; boundary="------------77B09798B26354C6D8BF2334"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/bgYfeunPjt_-f_jpFTyeCHhz8ZQ>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 17:28:38 -0000

This is a multi-part message in MIME format.
--------------77B09798B26354C6D8BF2334
Content-Type: multipart/alternative;
 boundary="------------76F2C294AF81703542B903A2"


--------------76F2C294AF81703542B903A2
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit

Tim,

I reviewed the -06 version and am attaching a pdf of the MS Word file 
with suggested edits. I can send you the word file itself if you wish.

I have provided text to my co-author, Sean, to include in the 
bgpsec-pki-profile doc to address your concern. I suggested the 
following text at the beginning of section 3:

    The validation procedure used for BGPsec Router Certificates is
    identical to the validation procedure described in Section 7 of
    [RFC6487] (and any RFC that updates this procedure), but using the
    constraints applied come from this specification.

Sean added an implementation considerations section which I suggest will 
say:

    Operators MAY choose to issue separate BGPsec Router Certificates for
    different ASNs. Doing so may prevent a BGPsec Router Certificate from
    becoming invalid if one of the ASNs is removed from any superior CA certificate
    along the path to a trust anchor.


I hope these changes avoid the need to say anything about router certs 
in your doc.

I'm not sure there is a need to change the ROA spec. If we agree that 
all prefixes in the ROA MUST be contained in the EE cert for that ROA, 
then the current text in the ROA spec does not need to change.

Steve



--------------76F2C294AF81703542B903A2--

--------------77B09798B26354C6D8BF2334--
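
Added example, not part of the message above or of either draft: a simplified Python model of the resource check in the RFC 6487 Section 7 procedure, limited to AS numbers, showing what the suggested implementation-considerations text means for one combined BGPsec Router Certificate versus one certificate per ASN. The certificate names, the three-level chain and the ASNs (taken from the documentation range 64496-64511) are constructed for illustration; signatures, validity periods and revocation are not modelled.

```python
"""Toy model of the 'encompassed resources' rule from RFC 6487 section 7,
restricted to AS numbers. Certificates are plain records (constructed sample
data), not parsed X.509 objects."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Cert:
    name: str
    issuer: Optional[str]      # None marks the trust anchor
    asns: FrozenSet[int]       # AS resources listed in the certificate


def validate_path(store: Dict[str, Cert], leaf: str) -> bool:
    """Walk from the leaf to the trust anchor. Every certificate on the path
    must list only ASNs that its issuer's certificate also lists."""
    cert = store[leaf]
    seen = set()
    while cert.issuer is not None:
        if cert.name in seen or cert.issuer not in store:
            return False                      # loop or missing issuer
        seen.add(cert.name)
        parent = store[cert.issuer]
        if not cert.asns <= parent.asns:      # over-claim: path is invalid
            return False
        cert = parent
    return True


ROUTERS = ("router-both", "router-64496", "router-64497")


def build_store(rir_asns: Iterable[int], isp_asns: Iterable[int]) -> Dict[str, Cert]:
    """Constructed hierarchy: ta -> rir-ca -> isp-ca -> three router certs."""
    certs = [
        Cert("ta", None, frozenset(range(64496, 64512))),
        Cert("rir-ca", "ta", frozenset(rir_asns)),
        Cert("isp-ca", "rir-ca", frozenset(isp_asns)),
        # One certificate covering both ASNs ...
        Cert("router-both", "isp-ca", frozenset({64496, 64497})),
        # ... versus one certificate per ASN, as the suggested text allows.
        Cert("router-64496", "isp-ca", frozenset({64496})),
        Cert("router-64497", "isp-ca", frozenset({64497})),
    ]
    return {c.name: c for c in certs}


def router_status(rir_asns: Iterable[int], isp_asns: Iterable[int]) -> Dict[str, bool]:
    """Validity of each router certificate for a given state of the CA certs."""
    store = build_store(rir_asns, isp_asns)
    return {name: validate_path(store, name) for name in ROUTERS}


if __name__ == "__main__":
    scenarios = {
        # Both CA certificates list both ASNs.
        "initial": ({64496, 64497}, {64496, 64497}),
        # AS 64497 removed from the superior CA certificates, and each CA
        # certificate below was reissued to match.
        "shrunk, CAs reissued": ({64496}, {64496}),
        # AS 64497 removed from rir-ca only; isp-ca still claims it, so the
        # isp-ca certificate itself fails the check and nothing below it
        # validates, per-ASN certificates included.
        "shrunk, isp-ca stale": ({64496}, {64496, 64497}),
    }
    for label, (rir, isp) in scenarios.items():
        print(f"{label:22s} {router_status(rir, isp)}")
```

The third scenario is why the suggested text says "may": splitting router certificates by ASN only helps when the CA certificates on the path themselves still pass the resource check.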


From nobody Fri Jul 15 10:43:19 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 655E112D9A0 for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 10:43:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Level: 
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PPk-vRJfr2Iv for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 10:43:17 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DDED12D977 for <sidr@ietf.org>; Fri, 15 Jul 2016 10:43:15 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bO78o-00098B-Fw; Fri, 15 Jul 2016 19:43:12 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-211.ripe.net) by nene.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bO78o-00024B-AP; Fri, 15 Jul 2016 19:43:10 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=windows-1252
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <0CD1721F-5174-48A4-87EE-5E105FF5FC22@tislabs.com>
Date: Fri, 15 Jul 2016 19:43:09 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <6F78EE51-1448-493A-90C4-AB9CE0BCCA53@ripe.net>
References: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com> <0CD1721F-5174-48A4-87EE-5E105FF5FC22@tislabs.com>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points:   -8.0 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60% [score: 0.4889]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071931c808e8c0c6d04fa925679add51cf06
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/0YUgN_BejCbnBWHLQ6MWorPLaRs>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 17:43:18 -0000

Hi,

As Oleg already mentioned. We use the setup w.r.t. the provisioning protocol - we already implemented an older version of the document but the XML was easy to change. We have no code related to the publication client-server setup, but I see no issues there - and I know Rob does have an implementation for this part, so I am confident that the necessary bits are there.

Tim

> On 14 Jul 2016, at 19:21, Sandra Murphy <sandy@tislabs.com> wrote:
>
> Responses have been a bit light on this wglc.
>
> A few more days left - please give this draft a read and respond.
>
> —Sandy, speaking as one of the wg co-chairs
>
>
>
>> On Jul 2, 2016, at 2:59 PM, Sandra Murphy <sandy@tislabs.com> wrote:
>>
>> The authors believe that draft-ietf-sidr-rpki-oob-setup-04 ("An Out-Of-Band Setup Protocol For RPKI Production Services”) is mature and ready for a working group last call.
>>
>> This message starts a two week wglc for draft-ietf-sidr-rpki-oob-setup-04, which will end 16 Jun 2016.
>>
>> Please review the draft and send comments and your opinion of whether it is worthy of publication to the list.  Remember that support for publication is needed, and comments can improve quality, so lack of comments is not sufficient.
>>
>> You can reach the document at https://tools.ietf.org/html/draft-ietf-sidr-rpki-oob-setup-04 and https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-oob-setup/.
>>
>> —Sandy, speaking as one of the wg co-chairs


From nobody Fri Jul 15 10:44:11 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AFF212D9A0 for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 10:44:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Level: 
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H1OQ-ECg0U0m for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 10:44:08 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 963AB12D977 for <sidr@ietf.org>; Fri, 15 Jul 2016 10:44:08 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bO79h-00098q-S1; Fri, 15 Jul 2016 19:44:07 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-211.ripe.net) by nene.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bO79h-00024B-MD; Fri, 15 Jul 2016 19:44:05 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=windows-1252
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <6F78EE51-1448-493A-90C4-AB9CE0BCCA53@ripe.net>
Date: Fri, 15 Jul 2016 19:44:05 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <FFA52213-FE6A-4650-80EB-EEB5F17BD4A4@ripe.net>
References: <E0204E88-8153-4863-B876-680FC3BE71D7@tislabs.com> <0CD1721F-5174-48A4-87EE-5E105FF5FC22@tislabs.com> <6F78EE51-1448-493A-90C4-AB9CE0BCCA53@ripe.net>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0053]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07191e7789fcb3dfe8633698f7ccfad7a919
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/rUIh99KqoNLjaktAFMwAiwVYrmo>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-rpki-oob-setup-04
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 17:44:10 -0000

to be clear: I meant support..


> On 15 Jul 2016, at 19:43, Tim Bruijnzeels <tim@ripe.net> wrote:
>
> Hi,
>
> As Oleg already mentioned. We use the setup w.r.t. the provisioning protocol - we already implemented an older version of the document but the XML was easy to change. We have no code related to the publication client-server setup, but I see no issues there - and I know Rob does have an implementation for this part, so I am confident that the necessary bits are there.
>
> Tim
>
>> On 14 Jul 2016, at 19:21, Sandra Murphy <sandy@tislabs.com> wrote:
>>
>> Responses have been a bit light on this wglc.
>>
>> A few more days left - please give this draft a read and respond.
>>
>> —Sandy, speaking as one of the wg co-chairs
>>
>>
>>
>>> On Jul 2, 2016, at 2:59 PM, Sandra Murphy <sandy@tislabs.com> wrote:
>>>
>>> The authors believe that draft-ietf-sidr-rpki-oob-setup-04 ("An Out-Of-Band Setup Protocol For RPKI Production Services”) is mature and ready for a working group last call.
>>>
>>> This message starts a two week wglc for draft-ietf-sidr-rpki-oob-setup-04, which will end 16 Jun 2016.
>>>
>>> Please review the draft and send comments and your opinion of whether it is worthy of publication to the list.  Remember that support for publication is needed, and comments can improve quality, so lack of comments is not sufficient.
>>>
>>> You can reach the document at https://tools.ietf.org/html/draft-ietf-sidr-rpki-oob-setup-04 and https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-oob-setup/.
>>>
>>> —Sandy, speaking as one of the wg co-chairs


From nobody Fri Jul 15 16:41:03 2016
Return-Path: <Sandra.Murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD66512D1A2 for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 16:41:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level: 
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N52P_9VP7aeM for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 16:41:00 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D21E12B038 for <sidr@ietf.org>; Fri, 15 Jul 2016 16:41:00 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 9A89D28B003B; Fri, 15 Jul 2016 19:40:59 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id 937631F8055; Fri, 15 Jul 2016 19:40:59 -0400 (EDT)
From: Sandra Murphy <sandra.murphy@parsons.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Date: Fri, 15 Jul 2016 19:40:59 -0400
Message-Id: <DC8FB3E7-35DD-4A39-B713-F5F6BCC7DAD1@parsons.com>
To: sidr <sidr@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/yPYZDUaQhghTxsX2MBudcDu6Rjo>
Cc: Sandra Murphy <sandra.murphy@parsons.com>
Subject: [sidr] note to those presenting at IETF 96 Berlin
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 23:41:02 -0000

To all those who are on the agenda for our meeting in Berlin on Thursday morning, 21 Jul.

If you plan to use slides, please do get the slides to the chairs for upload by breakfast time on Wed 20 Jul.

And remember to number your slides.

—Sandy


From nobody Fri Jul 15 16:44:51 2016
Return-Path: <Sandra.Murphy@parsons.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E1BE12D7FD for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 16:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level: 
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0jULw1JQJhD for <sidr@ietfa.amsl.com>; Fri, 15 Jul 2016 16:44:47 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D22D412D688 for <sidr@ietf.org>; Fri, 15 Jul 2016 16:44:47 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 4267028B0041; Fri, 15 Jul 2016 19:44:47 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id 3B9D81F8055; Fri, 15 Jul 2016 19:44:47 -0400 (EDT)
From: Sandra Murphy <sandra.murphy@parsons.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Date: Fri, 15 Jul 2016 19:44:47 -0400
Message-Id: <E389C0F7-A6F5-4D10-8DDE-1A08AA8465B0@parsons.com>
To: sidr <sidr@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/zHhLeQg_DxmeeUa04Ink0jGDUBI>
Cc: Sandra Murphy <sandra.murphy@parsons.com>
Subject: [sidr] usual plea for jabber scribe and minutes taker
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jul 2016 23:44:49 -0000

We meet in Berlin on Thursday morning, 21 Jul.

We need volunteers to be jabber scribe and to take minutes.

Minutes taking can be a collaborative effort in the etherpad, to help out the volunteer.

We can’t start the meeting without those volunteers.

Please do consider volunteering.  Lot of gratitude for anyone who steps up.

—Sandy


From nobody Sat Jul 16 02:35:31 2016
Return-Path: <sandy@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C0FF12B063 for <sidr@ietfa.amsl.com>; Sat, 16 Jul 2016 02:35:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cMTcxZVwXrhe for <sidr@ietfa.amsl.com>; Sat, 16 Jul 2016 02:35:28 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6483E126579 for <sidr@ietf.org>; Sat, 16 Jul 2016 02:35:28 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id C639E28B0041 for <sidr@ietf.org>; Sat, 16 Jul 2016 05:35:27 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id B081E1F8055; Sat, 16 Jul 2016 05:35:27 -0400 (EDT)
From: Sandra Murphy <sandy@tislabs.com>
X-Pgp-Agent: GPGMail
Content-Type: multipart/signed; boundary="Apple-Mail=_B04C3CA6-2427-4C61-B5C2-3CFE70FC341F"; protocol="application/pgp-signature"; micalg=pgp-sha512
Date: Sat, 16 Jul 2016 05:35:20 -0400
Message-Id: <FD6030E9-AA96-4B7C-BF91-E07E7B87A34F@tislabs.com>
To: sidr <sidr@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/H1QjAgZB2cWE5_hQ0b6fAnuc_2Y>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: [sidr] updated agenda uploaded
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2016 09:35:29 -0000

--Apple-Mail=_B04C3CA6-2427-4C61-B5C2-3CFE70FC341F
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

And another update, to allow Carlos to discuss the RIR applicability statement
RPKI Multiple "All Resources" Trust Anchors Applicability Statement
https://tools.ietf.org/html/draft-rir-rpki-allres-ta-app-statement-00

Note to all.  The discussions are all allowed the same time allotment, no matter what the speakers requested.  I did that for my own convenience and to allow for speaker optimism.  If the agenda fills up more, in order to allow for some discussion time at the end, the agenda slot time allotments will have to be more precise and more carefully kept to.

—Sandy, speaking as one of the wg co-chairs

--Apple-Mail=_B04C3CA6-2427-4C61-B5C2-3CFE70FC341F--


From nobody Sat Jul 16 16:03:01 2016
Return-Path: <sean@sn3rd.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8E8212D18E for <sidr@ietfa.amsl.com>; Sat, 16 Jul 2016 16:02:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level: 
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0SqEb-ti_P4 for <sidr@ietfa.amsl.com>; Sat, 16 Jul 2016 16:02:57 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03CAE12D123 for <sidr@ietf.org>; Sat, 16 Jul 2016 16:02:56 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id x1so45658735qkb.3 for <sidr@ietf.org>; Sat, 16 Jul 2016 16:02:56 -0700 (PDT)
X-Received: by 10.55.71.6 with SMTP id u6mr35599214qka.188.1468710176118; Sat, 16 Jul 2016 16:02:56 -0700 (PDT)
Received: from [172.16.0.112] ([96.231.230.69]) by smtp.gmail.com with ESMTPSA id z1sm230139qkc.40.2016.07.16.16.02.54 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 16 Jul 2016 16:02:55 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <793C1123-0398-455C-A316-A2DADB1F400A@sn3rd.com>
Date: Sat, 16 Jul 2016 19:02:53 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <7A61D320-EA64-41D3-AEEF-ACF0F8837CBD@sn3rd.com>
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com> <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net> <793C1123-0398-455C-A316-A2DADB1F400A@sn3rd.com>
To: Tim Bruijnzeels <tim@ripe.net>, sidr chairs <sidr-chairs@ietf.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/PqXmnr9vpe22QBQu_PVGUbvKgHA>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2016 23:03:00 -0000

> On Jul 08, 2016, at 09:00, Sean Turner <sean@sn3rd.com> wrote:
>
>> On Jul 08, 2016, at 05:35, Tim Bruijnzeels <tim@ripe.net> wrote:
>>
>> Stephen Kent commented on -04 of this document saying that it should not attempt to update the BGPSec Router Certificate I-D because it's not an RFC, just yet. It's currently in IESG Processing. The current document therefore has a request and some suggestion to the authors to change the document (in which case the section can be deleted in the next (hopefully final) version of this document.
>>
>> I don't mind either way. Maybe the chairs have an idea about what the best process is. But in either case we would like to ask the BGPSec Router Certificate authors to review the included text.
>
> Tim,
>
> Just so I’m following along:
>
> - This draft replaces the text in RFC 6487 s7.2 so should rpki-validation-reconsidered draft include the “Updates: 6487 (if approved)” header?  My understanding is that the proposal is that all RPKI validators follow these new steps so that would make sense process wise.

I would like to propose that sidr-rpki-validation-reconsidered include an updates header, i.e., “Updates: 6487 (if approved)”, be included on the 1st page of the draft in the appropriate location.

Of the options presented in the change below for sidr-bgpsec-pki-profiles, I’d like to rely on the change proposed above and not make the OLD/NEW changes I proposed below, i.e., I am suggesting making no changes to the introductory text in s3.3 of sidr-bgpsec-pki-profiles to refer to sidr-rpki-validation-reconsidered because it’s an unnecessary change.

Steve’s suggested some other edits as a result of this thread and rpki-validation-reconsidered, so if the chairs direct me I can upload a new version of sidr-bgpsec-pki-profiles.  Since AD review hasn’t really happened yet, maybe we can treat these as late, but timely WGLC comments?

spt

> - bgpsec-pki-profiles s3.3 currently refers to RFC 6487 s7 for validation procedures and technically if rpki-validation-reconsidered updates RFC 6487 when bgpsec-pki-profiles refers to RFC 6487 it includes those references so I wouldn’t necessarily have to add an explicit reference to rpki-validation-reconsidered … but people will forget this and miss the update and I know Wes hates chasing references ;)  So, to drive this point home we could do the following tweak in addition to adding your suggested bullet and separate-certificate per ASN suggestion:
>
> OLD:
>
>  The validation procedure used for BGPsec Router Certificates is
>  identical to the validation procedure described in Section 7 of
>  [RFC6487], but using the constraints applied come from this
>  specification.
>
> NEW:
>
>  The validation procedure used for BGPsec Router Certificates is
>  identical to the validation procedure described in Section 7 of
>  [ID.sidr-rpki-validation-reconsidered], but using the constraints
>  applied come from this specification.
>
> Note I’d probably also add ID.idr-rpki-validation-reconsidered to the required reading list in the terminology section :/
>=20
> spt


From nobody Sun Jul 17 02:48:02 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CB5C12D580 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2016 02:48:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ivp1FeY1TEn1 for <sidr@ietfa.amsl.com>; Sun, 17 Jul 2016 02:47:59 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) by ietfa.amsl.com (Postfix) with ESMTP id 1A51912D552 for <sidr@ietf.org>; Sun, 17 Jul 2016 02:47:59 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bOifk-0001XJ-Ad; Sun, 17 Jul 2016 11:47:41 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-216.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bOifk-0007Mk-3N; Sun, 17 Jul 2016 11:47:40 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=windows-1252
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com>
Date: Sun, 17 Jul 2016 11:47:39 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DC08C8ED-E611-4D95-A557-3EE74633F9A4@ripe.net>
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com>
To: Sandra Murphy <sandy@tislabs.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points:   -8.0 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60% [score: 0.4941]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719669cc6a267ce5d223b844a3829e52b90
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/BtKc3xJtMuWUwcPUsxLwgIyyzr4>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Jul 2016 09:48:01 -0000

Hi,

I have a number of late comments (unfortunately no time to read this in detail earlier)

First of all, I believe that the structure of the document, where analysis is done without going into details of solutions, is useful.

That said I have some substantial comments. I think the order of the analysis of the various objects in section 2 is not logical. This may sound like a trivial thing, but actually I think a re-ordering will help to think about the context and different vectors for each.

Comments on each case:

- CA certificates (section 2.5)

I suggest that section 2 should start with this. CA certificates are issued by parent CAs. So the sections on modification, revocation and injections make more sense to me here - they are all done by the parent of the CA that is affected by these actions.

@A-5.4.1: A shrink may be seen as adverse by the INR holder, but there may be reasons (e.g. transfers, temporary assignments, closure) why an RIR may have to reclaim certain resources. In our case these practices are based on community consensus in our address policy working group. So.. a specific INR holder may not be happy to see resources removed, but in some cases this is a feature, not a bug.

@A-5.4.2: I think this is being addressed by validation-reconsidered

@A-5.4.5: It may be hard to detect this case because of normal key rolls.

- Manifests (section 2.2) and CRLs (section 2.4)

These objects are part of the 'boilerplate' objects that a CA uses. To me they seem related. At least in our RP software we typically find the 'current' MFT and CRL for a validated CA certificate and then we use this to find and validate all other objects issued by this CA. So it would make sense to me to look at these next (as 2.2 and 2.3 after CA certificates)

In any case I don't think that the analysis of modification, revocation and injections are very useful here. For these to work an adverse agent needs to have access to the CA certificate's private key *and* repository. Bets are then just off.

I understand that you don't want to go in solution space here, but.. I believe that with RRDP we can now actually get multiple objects as a single delta. That means that a CA can publish a new MFT and CRL, and all its objects together.

This in turn means that an RP can find a MFT and CRL, check the thisUpdate/nextUpdate time to detect a withhold. And it can find all the objects enumerated on the MFT by hash. So it can detect withhold, replay or modification of other objects.

Ultimately the adverse actions by a repository (deletion, suppression, corruption) cannot be prevented, but they can be *detected*. And I believe this is relevant to the analysis of those adverse actions.


- Ghostbusters

No comment

- ROAs

Similarly to manifests I don't think that the analysis of modification, revocation and injections are very useful here. Bets are off if an adversary has the key and the repo.

I think it would be more useful to analyse what the general problem is w.r.t. outsourcing CA functions - as is done later in the doc. People do it because it's convenient, but obviously this means that you have to *trust* that the organisation you outsource to will do any of those M/R/I type adverse actions.

- Router Certs

Same concerns as ROAs

> On 30 Jun 2016, at 23:11, Sandra Murphy <sandy@tislabs.com> wrote:
>
> The authors of draft-ietf-sidr-adverse-actions-00, "Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)", believe that the document is ready for a working group last call.
>
> This starts a two week wglc which will end on 14 July 2016.
>
> Please review the draft and send comments and your opinion of whether it is worthy of publication to the list.  Remember that support for publication is needed, and comments can improve quality, so lack of comments is not sufficient.
>
> You can reach the document at https://tools.ietf.org/html/draft-ietf-sidr-adverse-actions-00 and https://datatracker.ietf.org/doc/draft-ietf-sidr-adverse-actions.
>
> —Sandy, speaking as one of the wg co-chairs.
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr
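
The relying-party check described in the message above (manifest validity window plus per-file hashes), as an added example that is not part of the thread and is not RIPE NCC's RP code. The dictionary layout, file names and finding labels are assumptions of this sketch, and the manifest's signature is assumed to have been verified already; SHA-256 is the manifest hash algorithm.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_publication_point(manifest, fetched, now):
    """Compare what a repository served against a CA's manifest.

    manifest: {"this_update": datetime, "next_update": datetime,
               "files": {name: sha256 hex digest}}; its signature is
               assumed to have been verified already (not modelled here).
    fetched:  {name: bytes} as retrieved from the publication point.
    Returns a sorted list of (finding, file name or None).
    """
    findings = []
    # A manifest outside its validity window means the RP is being shown old
    # state: either the CA stopped publishing or newer objects are withheld.
    if now < manifest["this_update"]:
        findings.append(("manifest-not-yet-valid", None))
    if now > manifest["next_update"]:
        findings.append(("manifest-stale", None))
    for name, expected in manifest["files"].items():
        if name not in fetched:
            # Listed by the CA but not served: deletion or suppression.
            findings.append(("missing", name))
        elif sha256_hex(fetched[name]) != expected:
            # Served bytes differ: corruption, or an older version replayed.
            findings.append(("hash-mismatch", name))
    for name in fetched:
        if name not in manifest["files"]:
            # Served but not vouched for by the current manifest.
            findings.append(("unlisted", name))
    return sorted(findings, key=lambda f: (f[0], f[1] or ""))


# --- Constructed sample data (placeholders, not real RPKI objects) ---
ROA_V1 = b"constructed ROA, older version"
ROA_V2 = b"constructed ROA, current version"
CHILD_CER = b"constructed child CA certificate"
CRL = b"constructed CRL"

MANIFEST = {
    "this_update": datetime(2016, 7, 17, 0, 0, tzinfo=timezone.utc),
    "next_update": datetime(2016, 7, 18, 0, 0, tzinfo=timezone.utc),
    "files": {
        "a.roa": sha256_hex(ROA_V2),
        "child.cer": sha256_hex(CHILD_CER),
        "ca.crl": sha256_hex(CRL),
    },
}

INTACT = {"a.roa": ROA_V2, "child.cer": CHILD_CER, "ca.crl": CRL}
# The old ROA is replayed, the child certificate is dropped, a stray file appears.
TAMPERED = {"a.roa": ROA_V1, "ca.crl": CRL, "x.roa": b"constructed stray object"}

IN_WINDOW = datetime(2016, 7, 17, 12, 0, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2016, 7, 19, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, files, now in [("intact", INTACT, IN_WINDOW),
                              ("tampered", TAMPERED, IN_WINDOW),
                              ("no fresh manifest", INTACT, AFTER_WINDOW)]:
        print(label, check_publication_point(MANIFEST, files, now))
```

None of these findings prevents the repository's action; they turn it into something the RP can log and act on, which is the distinction the message draws.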


From nobody Tue Jul 19 04:18:38 2016
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A7CB12B02B for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 04:18:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fupu3W6WzUiY for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 04:18:29 -0700 (PDT)
Received: from khatovar.hactrn.net (khatovar.hactrn.net [198.180.150.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4CEA12B057 for <sidr@ietf.org>; Tue, 19 Jul 2016 04:18:29 -0700 (PDT)
Received: from minas-ithil.hactrn.net (dhcp-b3d9.meeting.ietf.org [31.133.179.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by khatovar.hactrn.net (Postfix) with ESMTPS id 95BF31398E for <sidr@ietf.org>; Tue, 19 Jul 2016 11:18:28 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id 12A97412B25E for <sidr@ietf.org>; Tue, 19 Jul 2016 13:18:30 +0200 (CEST)
Date: Tue, 19 Jul 2016 13:18:29 +0200
From: Rob Austein <sra@hactrn.net>
To: sidr@ietf.org
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20160719111830.12A97412B25E@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/gHl6g_u1Wm1SVmgEq5ZczIJA5XA>
Subject: [sidr] Validation reconsidered and X.509v3 extension OIDs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 11:18:35 -0000

Reminding the WG of an old issue I raised years ago for validation
reconsidered which, as far as I know, has not yet been addressed.

If we change the validation algorithm, we really should also change
the object identifiers used in the X.509v3 extensions used to convey
the resources.

The reason for this is simple: the RFC 3779 validation algorithm has
shipped, long since.  My implementation has been part of OpenSSL for
the last decade, and while it's not enabled by default on all
platforms, it is on some, and is available as a configuration option
on others.  It is far too late to change this, that ship has sailed.

So if we're talking about changing the validation algorithm now, we
need to label the algorithm we're using, so that validation code knows
which algorithm it's supposed to follow.  Otherwise, we'll get
different validation results at different sites depending on which
algorithm they're using this week, different routing decisions as a
consequence, dogs and cats living together, mass hysteria.

The solution to this is simple: change the extension OIDs.  X.509's
"critical extension" mechanism will take care of the rest.

This will require some kind of phase-in/phase-out process during which
the new OIDs appear and the old OIDs vanish, and will require RP code
to implement the new OIDs, but these are trivial issues given that the
RP behavior has to change in any case, that being the point of the
entire validation reconsidered exercise.

Yes, this will be a bit painful, but I view it as in essence exposing
a problem that already exists, rather than sweeping it under the rug.

Sorry for reminding the WG of this yet again at what some may consider
a late date, but I have raised this issue before, I just haven't
(re)raised it in the last few months.
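
A simplified model of the labelling argument in the message above, as an added example that is not part of the thread and is not OpenSSL's code. The new OID is a labelled placeholder (the thread names no value), resources are compared as whole prefixes only, and the rule that one path carries a single label is an assumption of this sketch.

```python
from ipaddress import ip_network

OID_IP_RFC3779 = "1.3.6.1.5.5.7.1.7"        # id-pe-ipAddrBlocks, RFC 3779
OID_IP_NEW = "PLACEHOLDER-NEW-IPADDR-OID"   # hypothetical label, not a real OID


def _covered(prefix, holdings):
    """True if prefix lies inside one of the holder's prefixes."""
    return any(prefix.version == h.version and prefix.subnet_of(h) for h in holdings)


def strict_rfc3779(chain):
    """RFC 3779 style: an over-claim anywhere invalidates the whole path."""
    parent = chain[0]["resources"]
    for cert in chain[1:]:
        if not all(_covered(p, parent) for p in cert["resources"]):
            return None
        parent = cert["resources"]
    return set(parent)


def reconsidered(chain):
    """Validation-reconsidered style (simplified): keep only the resources
    the parent can vouch for and continue down the path."""
    verified = set(chain[0]["resources"])
    for cert in chain[1:]:
        verified = {p for p in cert["resources"] if _covered(p, verified)}
    return verified


# The extension OID, not local configuration, selects the algorithm.
ALGORITHM_BY_OID = {OID_IP_RFC3779: strict_rfc3779, OID_IP_NEW: reconsidered}


def validate(chain, supported_oids):
    """Return (status, verified resources or None) for one RP implementation."""
    for cert in chain:
        # X.509 rule: an unrecognized critical extension means rejection.
        if cert["critical"] and cert["ext_oid"] not in supported_oids:
            return ("rejected-unrecognized-critical-extension", None)
    oids = {cert["ext_oid"] for cert in chain}
    if len(oids) != 1:
        return ("rejected-mixed-labels", None)   # assumption of this sketch
    result = ALGORITHM_BY_OID[oids.pop()](chain)
    return ("invalid", None) if result is None else ("valid", result)


def make_chain(oid):
    """Constructed path: the parent shrank, the child still claims the old set."""
    net = ip_network
    return [
        {"ext_oid": oid, "critical": True, "resources": [net("192.0.2.0/24")]},
        {"ext_oid": oid, "critical": True,
         "resources": [net("192.0.2.0/24"), net("198.51.100.0/24")]},
        {"ext_oid": oid, "critical": True, "resources": [net("192.0.2.0/25")]},
    ]


LEGACY_RP = {OID_IP_RFC3779}                 # deployed RFC 3779 code
UPDATED_RP = {OID_IP_RFC3779, OID_IP_NEW}    # code that also knows the new label

if __name__ == "__main__":
    # Same bytes, no label: two sites running different algorithms disagree.
    print(strict_rfc3779(make_chain(OID_IP_RFC3779)))
    print(reconsidered(make_chain(OID_IP_RFC3779)))
    # With labels, each RP's outcome follows from the OID it sees.
    for oid in (OID_IP_RFC3779, OID_IP_NEW):
        for name, rp in (("legacy", LEGACY_RP), ("updated", UPDATED_RP)):
            print(oid, name, validate(make_chain(oid), rp))
```

Under the old OID both RPs run the strict algorithm and agree; under the placeholder OID the legacy RP rejects outright instead of applying the wrong algorithm.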


From nobody Tue Jul 19 05:44:28 2016
Return-Path: <housley@vigilsec.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A1E412D762 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 05:44:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Level: 
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D9O6UN9gIlAg for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 05:44:23 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB47412D795 for <sidr@ietf.org>; Tue, 19 Jul 2016 05:43:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id B075A30056B for <sidr@ietf.org>; Tue, 19 Jul 2016 08:43:03 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id ho_loI5e4au4 for <sidr@ietf.org>; Tue, 19 Jul 2016 08:43:02 -0400 (EDT)
Received: from dhcp-b4d9.meeting.ietf.org (dhcp-b4d9.meeting.ietf.org [31.133.180.217]) by mail.smeinc.net (Postfix) with ESMTPSA id 0331B3002C4; Tue, 19 Jul 2016 08:43:01 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20160719111830.12A97412B25E@minas-ithil.hactrn.net>
Date: Tue, 19 Jul 2016 08:43:00 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <F64A0698-6461-489E-99B9-4A75421C04DA@vigilsec.com>
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net>
To: Rob Austein <sra@hactrn.net>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/InUUJTjB97KnzgOLgCa-pcM5HHY>
Cc: IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 12:44:26 -0000

Does this apply to the Certificate Policy OID too?  If memory is correct, the current CP has a normative pointer to RFC 3779.

Russ


On Jul 19, 2016, at 7:18 AM, Rob Austein <sra@hactrn.net> wrote:

> Reminding the WG of an old issue I raised years ago for validation
> reconsidered which, as far as I know, has not yet been addressed.
>
> If we change the validation algorithm, we really should also change
> the object identifiers used in the X.509v3 extensions used to convey
> the resources.
>
> The reason for this is simple: the RFC 3779 validation algorithm has
> shipped, long since.  My implementation has been part of OpenSSL for
> the last decade, and while it's not enabled by default on all
> platforms, it is on some, and is available as a configuration option
> on others.  It is far too late to change this, that ship has sailed.
>
> So if we're talking about changing the validation algorithm now, we
> need to label the algorithm we're using, so that validation code knows
> which algorithm it's supposed to follow.  Otherwise, we'll get
> different validation results at different sites depending on which
> algorithm they're using this week, different routing decisions as a
> consequence, dogs and cats living together, mass hysteria.
>
> The solution to this is simple: change the extension OIDs.  X.509's
> "critical extension" mechanism will take care of the rest.
>
> This will require some kind of phase-in/phase-out process during which
> the new OIDs appear and the old OIDs vanish, and will require RP code
> to implement the new OIDs, but these are trivial issues given that the
> RP behavior has to change in any case, that being the point of the
> entire validation reconsidered exercise.
>
> Yes, this will be a bit painful, but I view it as in essence exposing
> a problem that already exists, rather than sweeping it under the rug.
>
> Sorry for reminding the WG of this yet again at what some may consider
> a late date, but I have raised this issue before, I just haven't
> (re)raised it in the last few months.
>
> _______________________________________________
> sidr mailing list
> sidr@ietf.org
> https://www.ietf.org/mailman/listinfo/sidr


From nobody Tue Jul 19 06:46:39 2016
Return-Path: <sra@hactrn.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 693B512E2BF for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 06:46:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GbQGyjU3797f for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 06:46:32 -0700 (PDT)
Received: from khatovar.hactrn.net (khatovar.hactrn.net [198.180.150.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 462B512D6AE for <sidr@ietf.org>; Tue, 19 Jul 2016 06:14:56 -0700 (PDT)
Received: from minas-ithil.hactrn.net (dhcp-b3d9.meeting.ietf.org [31.133.179.217]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "nargothrond.hactrn.net", Issuer "Grunchweather Associates" (not verified)) by khatovar.hactrn.net (Postfix) with ESMTPS id 1EFCA1398E for <sidr@ietf.org>; Tue, 19 Jul 2016 13:14:55 +0000 (UTC)
Received: from minas-ithil.hactrn.net (localhost [IPv6:::1]) by minas-ithil.hactrn.net (Postfix) with ESMTP id D0705412C916 for <sidr@ietf.org>; Tue, 19 Jul 2016 15:14:56 +0200 (CEST)
Date: Tue, 19 Jul 2016 15:14:56 +0200
From: Rob Austein <sra@hactrn.net>
To: IETF SIDR <sidr@ietf.org>
In-Reply-To: <F64A0698-6461-489E-99B9-4A75421C04DA@vigilsec.com>
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net> <F64A0698-6461-489E-99B9-4A75421C04DA@vigilsec.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Message-Id: <20160719131456.D0705412C916@minas-ithil.hactrn.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/LGTBkukF_IbCueQZ7hbCQqkMm3A>
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 13:46:37 -0000

At Tue, 19 Jul 2016 08:43:00 -0400, Russ Housley wrote:
> 
> Does this apply to the Certificate Policy OID too?  If memory is
> correct, the current CP has a normative pointer to RFC 3779.

Good catch.

Not sure a policy OID change is necessary, although might be simplest.
If there's a reference, we either need to change the OID or change the
definition of what the OID means.

IIRC, the OpenSSL library code doesn't do anything RFC-3779-specific
for the policy OID, it just follows the usual rules; it's the RP code
built on top of the library that demands that particular policy OID.
So at least in the OpenSSL case, changing the policy OID may not have
any noticeable effect on correctness of software behavior.


From nobody Tue Jul 19 07:33:18 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9A7012DD11 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 07:33:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Level: 
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CuENDLmGId4J for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 07:33:13 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 022C612E090 for <sidr@ietf.org>; Tue, 19 Jul 2016 07:00:21 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:39106 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bPVZM-0009mI-A6 for sidr@ietf.org; Tue, 19 Jul 2016 10:00:20 -0400
To: sidr@ietf.org
References: <8E32FD39-FD20-455C-8BEC-5752DE9C8531@tislabs.com> <DC08C8ED-E611-4D95-A557-3EE74633F9A4@ripe.net>
From: Stephen Kent <kent@bbn.com>
Message-ID: <99a31951-b095-eaee-0c44-9358ce2d989a@bbn.com>
Date: Tue, 19 Jul 2016 10:00:20 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <DC08C8ED-E611-4D95-A557-3EE74633F9A4@ripe.net>
Content-Type: multipart/alternative; boundary="------------91392DE15469DBE4E94F919F"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/2UqKq0XHitJGRD_MzsHcOvrdch4>
Subject: Re: [sidr] wglc for draft-ietf-sidr-adverse-actions-00
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 14:33:17 -0000

This is a multi-part message in MIME format.
--------------91392DE15469DBE4E94F919F
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit

Tim,

Thanks for taking the time to read and comment on the document.

I will change CA certificate analysis to be section 2.1, and make the 
CRL section be 2.3, as per your request. The Manifest section will remain 
2.2, ROAs will become 2.4, GB will become 2.5, and Router Certificates 
will remain 2.6. This will require a lot of changes to the pointers 
within and between sections, but we aim to please :-).

A-5.4.1: I agree that reducing the set of resources in a CA certificate 
may be done for legitimate reasons, even if the INR holder does not 
agree with the reduction. Nonetheless, this is an adverse action from 
the perspective of the INR holder. It’s important to note that there are 
cases when this reduction is the result of an attack against or an error 
by the parent CA. Thus I believe it is important to retain this action 
in the list.

A-5.4.2: I’ll delete this action.

A-5.4.5: I agree that this may be hard to distinguish from a legitimate 
key rollover, except that a key rollover would have both old and new CA 
keys present simultaneously. I’ll add a note to this effect.

I disagree with your suggestion that we remove the modification, 
revocation, and injection actions for Manifests, ROAs, and Router 
Certificates. First, remember that adverse actions include errors by 
CAs, and transient attacks against CAs. In the former case the private 
key is clearly available and the CA may also control the repository. In 
the latter case note that an attacker need not learn the private 
key’s value; he/she needs only the ability to cause an HSM to use the 
key. Also, an attacker need not control the repository to effect these 
actions; an RP might be misdirected to a different set of files via a 
routing system attack (ironic?) or a DNS attack.

Recall that the goal of this document is to document, as best we can, a 
wide range of actions that are adverse, irrespective of whether we can 
prevent or detect such actions. Your message noted that RRDP may make it 
easier for RPs to detect some of these actions; I suggest you add 
references to the relevant sections of this document as further 
motivation for transitioning to RRDP.

Finally, when we revised an earlier version of the document we decided 
to include every action in the same order in each section (except for GB 
records, where it would be trivial), to make it easier for a reader to 
see that we were addressing the same issues for each object.

Steve

--------------91392DE15469DBE4E94F919F--


From nobody Tue Jul 19 07:42:05 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D035E12D984 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 07:42:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5u9VMcaWuYuD for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 07:42:02 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CDE5A12D894 for <sidr@ietf.org>; Tue, 19 Jul 2016 07:15:03 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bPVnX-0006DX-LM; Tue, 19 Jul 2016 16:15:00 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-233.ripe.net) by nene.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bPVnX-0003JS-Fa; Tue, 19 Jul 2016 16:14:59 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <20160719111830.12A97412B25E@minas-ithil.hactrn.net>
Date: Tue, 19 Jul 2016 16:14:58 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <E0085B39-B39C-4DF2-990B-4F54254AFD3A@ripe.net>
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net>
To: Rob Austein <sra@hactrn.net>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07190e3a8e628e26cacf3a5665bebccd1b80
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/PTOPnTwztHeQMZFAYUxt3nnyQvg>
Cc: sidr@ietf.org
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 14:42:05 -0000

Hi Rob, WG,

I can see how this can help to make the behaviour of RPs consistent. If this is left as local policy then differences can occur w.r.t. RPs using reconsidered, or not and it's unpredictable for CAs to understand how RPs would behave.

I am not sure that I got your and Russ's point entirely correct, but are you suggesting that we update section 4.8.10 (IP resources extension) in RFC6487 (Resource Certificate Profile) so that it doesn't use the normal RFC3779 critical extension with its corresponding OID, but uses essentially the same resource extension with a different OID to indicate that validation should be done differently? If this is not what you meant some more precise pointers to which OID in which RFC and section need updating would be appreciated :)

Other than that I can prepare some text and slide ware to discuss this further, here and Thursday morning.

Thanks,

Tim







> On 19 Jul 2016, at 13:18, Rob Austein <sra@hactrn.net> wrote:
>
> Reminding the WG of an old issue I raised years ago for validation
> reconsidered which, as far as I know, has not yet been addressed.
>
> If we change the validation algorithm, we really should also change
> the object identifiers used in the X.509v3 extensions used to convey
> the resources.
>
> The reason for this is simple: the RFC 3779 validation algorithm has
> shipped, long since.  My implementation has been part of OpenSSL for
> the last decade, and while it's not enabled by default on all
> platforms, it is on some, and is available as a configuration option
> on others.  It is far too late to change this, that ship has sailed.
>
> So if we're talking about changing the validation algorithm now, we
> need to label the algorithm we're using, so that validation code knows
> which algorithm it's supposed to follow.  Otherwise, we'll get
> different validation results at different sites depending on which
> algorithm they're using this week, different routing decisions as a
> consequence, dogs and cats living together, mass hysteria.
>
> The solution to this is simple: change the extension OIDs.  X.509's
> "critical extension" mechanism will take care of the rest.
>
> This will require some kind of phase-in/phase-out process during which
> the new OIDs appear and the old OIDs vanish, and will require RP code
> to implement the new OIDs, but these are trivial issues given that the
> RP behavior has to change in any case, that being the point of the
> entire validation reconsidered exercise.
>
> Yes, this will be a bit painful, but I view it as in essence exposing
> a problem that already exists, rather than sweeping it under the rug.
>
> Sorry for reminding the WG of this yet again at what some may consider
> a late date, but I have raised this issue before, I just haven't
> (re)raised it in the last few months.


From nobody Tue Jul 19 09:33:03 2016
Return-Path: <sandy@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1854A12D0AD for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 09:33:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J386qqgUtYm1 for <sidr@ietfa.amsl.com>; Tue, 19 Jul 2016 09:33:00 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1755512B04F for <sidr@ietf.org>; Tue, 19 Jul 2016 09:33:00 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 83FDC28B003B; Tue, 19 Jul 2016 12:32:59 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id C10AE1F8055; Tue, 19 Jul 2016 12:32:58 -0400 (EDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_F8D5961F-E6A1-478B-93A8-87A154064F04"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <a7252aa1-c522-ff42-979c-1b09c6c06406@bbn.com>
Date: Tue, 19 Jul 2016 12:32:43 -0400
Message-Id: <8F7345B9-7F4E-45E2-A74B-808BBE93BB96@tislabs.com>
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com> <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net> <a7252aa1-c522-ff42-979c-1b09c6c06406@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/VlXYmNU7Vh1KW2_de5LezsvL6WM>
Cc: sidr@ietf.org, Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2016 16:33:02 -0000

--Apple-Mail=_F8D5961F-E6A1-478B-93A8-87A154064F04
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Speaking as regular ol’ member:

> On Jul 15, 2016, at 1:28 PM, Stephen Kent <kent@bbn.com> wrote:
>
> Tim,
>
> I reviewed the -06 version and am attaching a pdf of the MS Word file with suggested edits. I can send you the word file itself if you wish.
>
> I have provided text to my co-author, Sean, to include in the bgpsec-pki-profile doc to address your concern. I suggested the following text at the beginning of section 3 :
>=20
>    The validation procedure used for BGPsec Router Certificates is
>    identical to the validation procedure described in Section 7 of
>    [RFC6487]
> (and any RFC that updates this procedure)
> , but using the
>    constraints applied come from this specification.

I can’t parse “but using the constraints applied come from this specification”.  Can you clarify?

>
>
> Sean added an implementation considerations section which I suggest will say:
>
>    Operators MAY choose to issue separate BGPsec Router Certificates for
>    different ASNs. Doing so may prevent a BGPsec Router Certificate from
>    becoming invalid if one of the ASNs is removed from any superior CA certificate
>    along the path to a trust anchor.

I quibble about this wording.  why do you say “may”?  Is it because if the ASN in one of the separate router certificates is one of the ASNs that is removed, then it still becomes invalid?

I think you mean:


This document permits the operator to include a list of ASNs in a BGPsec Router Certificate.
In that case, the router certificate would become invalid if any one of the ASNs is removed
from any superior CA certificate along the path to a trust anchor.  Operators MAY choose
to avoid this possibility by issuing a separate BGPsec Router Certificate for each distinct
ASN, so that the router certificates for ASNs that are retained in the superior CA certificate
would remain valid.

I’m not sure you meant a normative “MAY choose” ("there are reasons, <listed here,> to make this choice”) or “could possibly choose”

>
>
> I hope these changes avoid the need to say anything about router certs in your doc.
>
> I'm not sure there is a need to change the ROA spec. If we agree that all prefixes in the ROA MUST be contained in the EE cert for that ROA, then the current text in the ROA spec does not need to change.

Well……

The ROA RFC says validation of the ROA must satisfy:

   o  The IP address delegation extension [RFC3779] is present in the
      end-entity (EE) certificate (contained within the ROA), and each
      IP address prefix(es) in the ROA is contained within the set of IP
      addresses specified by the EE certificate's IP address delegation
      extension.

If the EE certificate and the ROA mention a /18, and a /19 is removed from a “superior CA certificate”, then there is/are only a /19 of the EE certificate that is/are VRP.  And every prefix in the ROA is still contained in the EE cert, so this validation step is satisfied.  What does this ROA now authorize?  How would it be applied in BGP route validation?

—Sandy, speaking as regular ol’ member

>
> Steve
>
> <draft-ietf-sidr-rpki-validation-reconsidered-06.pdf>



--Apple-Mail=_F8D5961F-E6A1-478B-93A8-87A154064F04--


From nobody Wed Jul 20 04:36:10 2016
Return-Path: <carlosm3011@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AD9012B05A for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2016 04:36:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level: 
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ySC_rm4gPBFJ for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2016 04:36:06 -0700 (PDT)
Received: from mail-wm0-x229.google.com (mail-wm0-x229.google.com [IPv6:2a00:1450:400c:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB19112D1D7 for <sidr@ietf.org>; Wed, 20 Jul 2016 04:36:05 -0700 (PDT)
Received: by mail-wm0-x229.google.com with SMTP id f65so171902152wmi.0 for <sidr@ietf.org>; Wed, 20 Jul 2016 04:36:05 -0700 (PDT)
X-Received: by 10.194.187.236 with SMTP id fv12mr847350wjc.93.1469014564034; Wed, 20 Jul 2016 04:36:04 -0700 (PDT)
Received: from [172.29.122.157] ([62.214.2.210]) by smtp.googlemail.com with ESMTPSA id gb5sm819723wjb.6.2016.07.20.04.36.02 for <sidr@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Jul 2016 04:36:03 -0700 (PDT)
References: <20160720112239.22633.90992.idtracker@ietfa.amsl.com>
To: "sidr@ietf.org" <sidr@ietf.org>
From: "Carlos M. Martinez" <carlosm3011@gmail.com>
X-Forwarded-Message-Id: <20160720112239.22633.90992.idtracker@ietfa.amsl.com>
Message-ID: <2e5f222b-ac1b-6a71-f882-38d9b01d2985@gmail.com>
Date: Wed, 20 Jul 2016 13:36:02 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160720112239.22633.90992.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/2QnBY-6W9rnI0YFGoDx6kCSdM0g>
Subject: [sidr] Fwd: New Version Notification for draft-rir-rpki-allres-ta-app-statement-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: carlos@lacnic.net
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 11:36:08 -0000

Fyi, mostly wording fixes. Will comment tomorrow.



-------- Forwarded Message --------
Subject: 	New Version Notification for
draft-rir-rpki-allres-ta-app-statement-01.txt
Date: 	Wed, 20 Jul 2016 04:22:39 -0700
From: 	internet-drafts@ietf.org
To: 	Andrew Newton <andy@arin.net>, Carlos Martinez-Cagnazzo
<carlos@lacnic.net>, Tim Bruijnzeels <tim@ripe.net>, Byron Ellacott
<bje@apnic.net>, Carlos M. Martinez <carlos@lacnic.net>, Daniel Shaw
<daniel@afrinic.net>



A new version of I-D, draft-rir-rpki-allres-ta-app-statement-01.txt
has been successfully submitted by Carlos Martinez-Cagnazzo and posted to the
IETF repository.

Name:		draft-rir-rpki-allres-ta-app-statement
Revision:	01
Title:		RPKI Multiple "All Resources" Trust Anchors Applicability Statement
Document date:	2016-07-20
Group:		Individual Submission
Pages:		5
URL:            https://www.ietf.org/internet-drafts/draft-rir-rpki-allres-ta-app-statement-01.txt
Status:         https://datatracker.ietf.org/doc/draft-rir-rpki-allres-ta-app-statement/
Htmlized:       https://tools.ietf.org/html/draft-rir-rpki-allres-ta-app-statement-01
Diff:           https://www.ietf.org/rfcdiff?url2=draft-rir-rpki-allres-ta-app-statement-01

Abstract:
   This document provides an applicability statement for the use of
   multiple, over-claiming 'all resources' (0/0) RPKI certificate
   authorities (CA) certificates used as trust anchors (TAs) operated by
   the Regional Internet Registry community to help mitigate the risk of
   massive downstream invalidation in the case of transient registry
   inconsistencies.

                                                                                  


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


From nobody Wed Jul 20 05:18:50 2016
Return-Path: <sandy@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA7A912D605 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2016 05:18:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mhREBqXrx73F for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2016 05:18:46 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D026C12DBC5 for <sidr@ietf.org>; Wed, 20 Jul 2016 05:18:42 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 4C18928B0048 for <sidr@ietf.org>; Wed, 20 Jul 2016 08:18:42 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id EBC541F8055; Wed, 20 Jul 2016 08:18:40 -0400 (EDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_D105FD61-AD11-465C-8960-A27F7BBC2CA8"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <DC8FB3E7-35DD-4A39-B713-F5F6BCC7DAD1@parsons.com>
Date: Wed, 20 Jul 2016 08:18:39 -0400
Message-Id: <E7B2635B-7205-4B2C-893C-B154346C68BD@tislabs.com>
References: <DC8FB3E7-35DD-4A39-B713-F5F6BCC7DAD1@parsons.com>
To: sidr <sidr@ietf.org>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/ms7S-HvfLdlgRWMWXbCaV_rWXQU>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: [sidr] SLIDES (was Re: note to those presenting at IETF 96 Berlin)
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 12:18:49 -0000

--Apple-Mail=_D105FD61-AD11-465C-8960-A27F7BBC2CA8
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Two sets of slides are uploaded.

Presenters are encouraged to get their slides to the chairs (sidr-chairs@ietf.org) soon.   And remember to number your slides, please.

—Sandy, speaking as one of the wg co-chairs

> On Jul 15, 2016, at 7:40 PM, Sandra Murphy <Sandra.Murphy@parsons.com> wrote:
>
> To all those who are on the agenda for our meeting in Berlin on Thursday morning, 21 Jul.
>
> If you plan to use slides, please do get the slides to the chairs for upload by breakfast time on Wed 20 Jul.
>
> And remember to number your slides.
>
> —Sandy
>



--Apple-Mail=_D105FD61-AD11-465C-8960-A27F7BBC2CA8--


From nobody Wed Jul 20 07:22:36 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B215F12D808 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2016 07:22:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gXV00lIbzovJ for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2016 07:22:29 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A70E112D802 for <sidr@ietf.org>; Wed, 20 Jul 2016 07:22:29 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:40921 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bPsOF-00082S-LL for sidr@ietf.org; Wed, 20 Jul 2016 10:22:23 -0400
From: Stephen Kent <kent@bbn.com>
To: sidr@ietf.org
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net>
Message-ID: <1c97d2b8-485d-b208-8cf9-43fdcf27646a@bbn.com>
Date: Wed, 20 Jul 2016 10:22:24 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <20160719111830.12A97412B25E@minas-ithil.hactrn.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/hf9fERvxTKVuzbFSpuEDb0AxGm4>
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 14:22:35 -0000

Rob,

I agree with your suggestion to create a new OID for this purpose. This 
can be noted in the document under discussion.

I also agree with Russ's comment that the cert policy needs to be
updated to reflect the fact that use of either OID is OK (if we stick with
one policy OID).

Steve


From nobody Wed Jul 20 07:42:55 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15CF312D826 for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2016 07:42:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QgMhFqy5l8tw for <sidr@ietfa.amsl.com>; Wed, 20 Jul 2016 07:42:44 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0680212B031 for <sidr@ietf.org>; Wed, 20 Jul 2016 07:42:44 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:40683 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bPsho-0004zG-My; Wed, 20 Jul 2016 10:42:36 -0400
To: Sandra Murphy <sandy@tislabs.com>
References: <20160708091943.32156.30842.idtracker@ietfa.amsl.com> <C570AE8F-A764-43ED-B273-005DABBDC836@ripe.net> <a7252aa1-c522-ff42-979c-1b09c6c06406@bbn.com> <8F7345B9-7F4E-45E2-A74B-808BBE93BB96@tislabs.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <43d83fb5-5c61-5c78-85f8-3bb68c478c18@bbn.com>
Date: Wed, 20 Jul 2016 10:42:36 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <8F7345B9-7F4E-45E2-A74B-808BBE93BB96@tislabs.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/y-7Z_ToAeUbQyfElZIjCJIbWWSE>
Cc: sidr@ietf.org
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-validation-reconsidered-06.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 14:42:49 -0000

Sandy,


> I can’t parse “but using the constraints applied come from this specification”.  Can you clarify?

The text I supplied for the replacement validation alg was based on the
original text, whenever possible. Unfortunately, the original text
refers to sections of 6487 implicitly as "this specification". Thus, in
the new document we need to explicitly note that the indicated
constraints on certs (e.g., required/prohibited extensions, etc.) are in
the relevant parts of 6487.

>
>>
>> Sean added an implementation considerations section which I suggest will say:
>>
>>     Operators MAY choose to issue separate BGPsec Router Certificates for
>>     different ASNs. Doing so may prevent a BGPsec Router Certificate from
>>     becoming invalid if one of the ASNs is removed from any superior CA certificate
>>     along the path to a trust anchor.
> I quibble about this wording.  why do you say “may”?  Is it because if the ASN in one of the separate router certificates is one of the ASNs that is removed, then it still becomes invalid?
>
> I think you mean:
>
>
> This document permits the operator to include a list of ASNs in a BGPsec Router Certificate.
> In that case, the router certificate would become invalid if any one of the ASNs is removed
> from any superior CA certificate along the path to a trust anchor.  Operators MAY choose
> to avoid this possibility by issuing a separate BGPsec Router Certificate for each distinct
> ASN, so that the router certificates for ASNs that are retained in the superior CA certificate
> would remain valid.

I prefer your text. Nice job.

> I’m not sure you meant a normative “MAY choose” ("there are reasons, <listed here,> to make this choice”) or “could possibly choose”

I'm not picky about the case of the MAY here.

>
>>
>> I hope these changes avoid the need to say anything about router certs in your doc.
>>
>> I'm not sure there is a need to change the ROA spec. If we agree that all prefixes in the ROA MUST be contained in the EE cert for that ROA, then the current text in the ROA spec does not need to change.
> Well……
>
> The ROA RFC says validation of the ROA must satisfy:
>
>     o  The IP address delegation extension [RFC3779] is present in the
>        end-entity (EE) certificate (contained within the ROA), and each
>        IP address prefix(es) in the ROA is contained within the set of IP
>        addresses specified by the EE certificate's IP address delegation
>        extension.
>
> If the EE certificate and the ROA mention a /18, and a /19 is removed from a “superior CA certificate”, then there is/are only a /19 of the EE certificate that is/are VRP.  And every prefix in the ROA is still contained in the EE cert, so this validation step is satisfied.  What does this ROA now authorize?  How would it be applied in BGP route validation?

I see your point. Yes, the ROA spec does need to be modified.

Steve
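
Added example, not part of the thread or of any draft: a Python model of the two cases discussed above, a ROA whose /18 still matches its EE certificate after a superior CA loses a /19, and a BGPsec router certificate listing several ASNs versus one certificate per ASN. The chain, prefixes, ASNs and function names are constructed, and the verified resource set is modelled as the intersection along the path, as the thread describes it.

```python
"""Constructed model: over-claiming chain, ROA check, BGPsec router certs (IPv4 only)."""
import ipaddress


def nets(*cidrs):
    """Parse IPv4 CIDR strings into a collapsed list of networks."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))


def covered(prefix, holdings):
    """True if `prefix` lies entirely inside the collapsed holdings."""
    return any(prefix.subnet_of(h) for h in ipaddress.collapse_addresses(holdings))


def intersect(a, b):
    """Prefixes common to both holdings (CIDR blocks are nested or disjoint)."""
    common = []
    for x in a:
        for y in b:
            if x.subnet_of(y):
                common.append(x)
            elif y.subnet_of(x):
                common.append(y)
    return list(ipaddress.collapse_addresses(common))


def strict_valid(chain):
    """RFC 3779 / RFC 6487 path rule: every certificate's listed resources must be
    contained in its issuer's listed resources, otherwise the whole path fails."""
    for issuer, subject in zip(chain, chain[1:]):
        if not all(covered(p, issuer["ip"]) for p in subject["ip"]):
            return False
        if not subject["asns"] <= issuer["asns"]:
            return False
    return True


def verified_resources(chain):
    """Reconsidered rule as modelled here (assumption): the verified resource set is
    the intersection of a certificate's listed resources with its issuer's verified set."""
    ip, asns = chain[0]["ip"], set(chain[0]["asns"])
    for cert in chain[1:]:
        ip, asns = intersect(cert["ip"], ip), asns & cert["asns"]
    return ip, asns


def roa_ok(roa_prefixes, holdings):
    """Every ROA prefix must be contained in the given holdings."""
    return all(covered(p, holdings) for p in roa_prefixes)


def router_cert_ok(cert_asns, verified_asns):
    """Per the proposed text: losing any one listed ASN invalidates the router cert."""
    return set(cert_asns) <= verified_asns


# Constructed chain, trust anchor first. CA1 has had 10.1.32.0/19 and AS64497
# removed; CA2 and the EE certificate below it still list the old resources.
TA = {"name": "TA", "ip": nets("10.0.0.0/8"), "asns": {64496, 64497}}
CA1 = {"name": "CA1", "ip": nets("10.1.0.0/19"), "asns": {64496}}
CA2 = {"name": "CA2", "ip": nets("10.1.0.0/18"), "asns": {64496, 64497}}
EE = {"name": "ROA EE", "ip": nets("10.1.0.0/18"), "asns": set()}


def demo():
    chain = [TA, CA1, CA2, EE]
    roa = nets("10.1.0.0/18")
    vrs_ip, _ = verified_resources(chain)
    _, vrs_as = verified_resources([TA, CA1, CA2])
    return {
        # Old rule: CA2 over-claims, so nothing below CA1 validates at all.
        "strict_path_valid": strict_valid(chain),
        # Reconsidered rule: the EE certificate survives with a reduced set.
        "ee_verified_ip": [str(n) for n in vrs_ip],
        # RFC 6482 check as written compares against the EE extension and passes.
        "roa_vs_ee_extension": roa_ok(roa, EE["ip"]),
        # Comparing against the verified set exposes the gap raised in the thread.
        "roa_vs_verified_set": roa_ok(roa, vrs_ip),
        "combined_router_cert": router_cert_ok({64496, 64497}, vrs_as),
        "separate_router_certs": {a: router_cert_ok({a}, vrs_as) for a in (64496, 64497)},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
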


From nobody Wed Jul 20 07:53:00 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <1c97d2b8-485d-b208-8cf9-43fdcf27646a@bbn.com>
Date: Wed, 20 Jul 2016 16:52:51 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <C5B75708-CB4B-48B9-81B6-AF9BEC2A2F84@ripe.net>
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net> <1c97d2b8-485d-b208-8cf9-43fdcf27646a@bbn.com>
To: Stephen Kent <kent@bbn.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/3vruDfE4_x2Sfu__GIJaWGjPC6U>
Cc: sidr@ietf.org
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs

Hi,

So, to be clear I think this is the related text in section 9 of RFC 6487:

   A new document will be issued as an update to this RFC.  The CP for
   the RPKI [RFC6484] will be updated to reference the new certificate
   profile.  The new CP will define a new policy OID for certificates
   issued under the new certificate profile.

And references in 6484 (CP) to 6487 should be reviewed and reference the validation-reconsidered instead (since it updates the profile), and we should have another OID instead of the one section 1.2. But there is no need to use a different OID for the RFC3779 extensions used. Right?

..just trying to make sure I am looking at the right things here, please correct me if the above is wrong.

Thanks
Tim







> On 20 Jul 2016, at 16:22, Stephen Kent <kent@bbn.com> wrote:
>
> Rob,
>
> I agree with your suggestion to create a new OID for this purpose. This can be noted in the document under discussion.
>
> I also agree with Russ's comment that the cert policy needs to be updated to reflect the fact that use either OID is OK (if we stick with one policy OID).
>
> Steve
>


From nobody Wed Jul 20 09:58:42 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietf.org
Delivered-To: sidr@ietfa.amsl.com
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.29.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160720165840.26437.1521.idtracker@ietfa.amsl.com>
Date: Wed, 20 Jul 2016 09:58:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/2kkup8M8NtpR7TPBZFwcPwi4gGI>
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : RPKI Certificate Tree Validation by a Relying Party Tool
        Authors         : Oleg Muravskiy
                          Tim Bruijnzeels
        Filename        : draft-ietf-sidr-rpki-tree-validation-02.txt
        Pages           : 13
        Date            : 2016-07-20

Abstract:
   This document describes the approach to validate the content of the
   RPKI certificate tree, as used by the RIPE NCC RPKI Validator.  This
   approach is independent of a particular object retrieval mechanism.
   This allows it to be used with repositories available over the rsync
   protocol, the RPKI Repository Delta Protocol, and repositories that
   use a mix of both.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-tree-validation/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-rpki-tree-validation-02

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-tree-validation-02


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Wed Jul 20 10:50:45 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
To: Tim Bruijnzeels <tim@ripe.net>
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net> <1c97d2b8-485d-b208-8cf9-43fdcf27646a@bbn.com> <C5B75708-CB4B-48B9-81B6-AF9BEC2A2F84@ripe.net>
From: Stephen Kent <kent@bbn.com>
Message-ID: <11fd6dc3-7bb0-40e5-821b-10f92244264a@bbn.com>
Date: Wed, 20 Jul 2016 13:50:35 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <C5B75708-CB4B-48B9-81B6-AF9BEC2A2F84@ripe.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/WF-4e-Q2BxkXiCqDWSB02l9DU1w>
Cc: sidr@ietf.org
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs

Tim,

> Hi,
>
> So, to be clear I think this is the related text in section 9 of RFC 6487:
>
>     A new document will be issued as an update to this RFC.  The CP for
>     the RPKI [RFC6484] will be updated to reference the new certificate
>     profile.  The new CP will define a new policy OID for certificates
>     issued under the new certificate profile.
>
> And references in 6484 (CP) to 6487 should be reviewed and reference the validation-reconsidered instead (since it updates the profile), and we should have another OID instead of the one section 1.2. But there is no need to use a different OID for the RFC3779 extensions used. Right?
Thanks for reminding me of the text in section 9 of 6487. Immediately 
after the paragraph you cite the text says that an update to 6487 
requires establishing a timeline for a three phase transition process, 
something we have yet to discuss, and which is not yet part of the 
validation reconsidered I-D.

I believe that Rob suggested using a different OID for the 3779 
extensions because he wants currently-deployed code to continue to work 
with any software that relies on the cert validation procedure defined 
in 3779. A new OID for the extensions would allow software to know which 
type of processing is to be used when encountering a cert extension. So, 
for that reason, and to be consistent with the notion of a phased 
transition process, I believe there is a need for a new OID for the 3779 
extensions.

Steve


From nobody Wed Jul 20 11:11:18 2016
Return-Path: <oleg@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Oleg Muravskiy <oleg@ripe.net>
In-Reply-To: <20160720165840.26437.1521.idtracker@ietfa.amsl.com>
Date: Wed, 20 Jul 2016 20:11:08 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <026C6417-DBA6-4FCA-94A7-8FA76EE121BE@ripe.net>
References: <20160720165840.26437.1521.idtracker@ietfa.amsl.com>
To: IETF SIDR <sidr@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/nHVvAqx99pG0yg6y_Pfo0IdgNJM>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-rpki-tree-validation-02.txt

We've got more comments from Steve Kent, so here's the new version.
Mostly clarifications and text improvements.


> On 20 Jul 2016, at 18:58, internet-drafts@ietf.org wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Secure Inter-Domain Routing of the IETF.
>
>        Title           : RPKI Certificate Tree Validation by a Relying Party Tool
>        Authors         : Oleg Muravskiy
>                          Tim Bruijnzeels
>        Filename        : draft-ietf-sidr-rpki-tree-validation-02.txt
>        Pages           : 13
>        Date            : 2016-07-20
>
> Abstract:
>   This document describes the approach to validate the content of the
>   RPKI certificate tree, as used by the RIPE NCC RPKI Validator.  This
>   approach is independent of a particular object retrieval mechanism.
>   This allows it to be used with repositories available over the rsync
>   protocol, the RPKI Repository Delta Protocol, and repositories that
>   use a mix of both.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-sidr-rpki-tree-validation/
>
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-sidr-rpki-tree-validation-02
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-rpki-tree-validation-02
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>


From nobody Wed Jul 20 12:28:27 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
From: Stephen Kent <kent@bbn.com>
To: Oleg Muravskiy <oleg@ripe.net>, Declan Ma <madihello@icloud.com>
References: <20160412100344.32250.28492.idtracker@ietfa.amsl.com> <E3DE4ED0-1BAE-48EE-849B-E0E0813CE411@icloud.com> <F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net>
Message-ID: <e8a31ea4-b2b8-c39b-4b43-919663b46419@bbn.com>
Date: Wed, 20 Jul 2016 15:28:17 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net>
Content-Type: multipart/alternative; boundary="------------2A340A258DBCA8D20FEFB468"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/PippUcd5bC5wuG2f8J-tEic8EDY>
Cc: sidr chairs <sidr-chairs@ietf.org>, IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] New Version Notification for draft-madi-sidr-rp-00.txt

This is a multi-part message in MIME format.
--------------2A340A258DBCA8D20FEFB468
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit

Oleg,

Thanks for the feedback on our doc.
> Well, actually there is normative language: 
you're right. those instances of MUST will be changed to lowercase, 
since the intent is that this doc be informational.
> And there are several other places where the normative language is not used, but implied.
the doc is re-iterating what requirements docs say, so it is appropriate 
to use language that conveys what the requirements are, but we do try to 
avoid normative language. We'll revise the doc to remove normative 
(uppercase) language, but we will continue to convey what is mandated 
vs. optional, etc.
>> This doc outlines the RP functions, summarizes them and then gives reference to those precise sections or paragraphs, in order to make life easier for implementers to make sure he/she has addressed all of these requirements.
> I have two comments for this paragraph.
>
> First, it might seem appealing to create a document that will give a "reference to those precise sections or paragraphs", so that the implementer could skip reading those long RFCs in full.  But I do not think it is possible or advisable. Even in your draft you say:
>
>     An RP is required
>     to verify that a resource certificate adheres to the profile
>     established by [RFC6487].  This means that all extensions mandated by
>     [RFC6487] must be present and value of each extension must be within
>     the range specified by this RFC.  Moreover, any extension excluded by
>     [RFC6487] must be omitted.
>
> or
>
>     To determine whether a manifest is valid, the RP is required to
>     perform manifest-specific checks in addition to those specified in
>     [RFC6488].
>
> So very often it is more practical to refer to the whole RFCs, because an implementer has to implement all of it, not just specific paragraphs.
I agree that implementers will have to read the cited RFCs. The goal 
here is to provide an overview of the requirements and to enumerate the 
RFCs that contain such requirements.
> Second, what if, for whatever reason, this document will not list *all* of the requirements?  Will it be OK for the implementer to say "I did everything specified there", or will (s)he be required to double-check with other RFCs you refer to?  Or even with those you do not refer to?
>
> I'm not sure how to define the applicability of such document.
the utility of the doc is that it provides a concise, high level 
description of RP requirements, and pointers to the normative RFCs where 
these requirements are fully specified. The BGPsec overview I-D is 
informational and provides a concise description of what a router needs 
to do to implement BGPsec, but it points to the relevant RFCs that 
provide the full specs for BGPsec, router certs, etc.
>> Any comments and feedbacks are appreciated.
> Here are my comments for some specific sections:
>
>     3.1.  Verifying Resource Certificate and Syntax
>
>     Certificates in the RPKI are called resource certificates, and they
>     are required to conform to the profile [RFC6487].  An RP is required
>     to verify that a resource certificate adheres to the profile
>     established by [RFC6487].  This means that all extensions mandated by
>     [RFC6487] must be present and value of each extension must be within
>     the range specified by this RFC.  Moreover, any extension excluded by
>     [RFC6487] must be omitted.
>
> I think you should not repeat the text of other RFCs, otherwise you risk being incomplete or going out of sync with referenced RFC.
An informational RFC providing an overview always runs this risk, but 
that doesn't make it a bad idea.
>
>     3.2.  Certificate Path Validation
>
>     In the RPKI, issuer can only assign and/or allocate public INRs
>     belong to it, ...
>
> I don't think assignment or allocation of INR happens in RPKI.
good point. the text will be revised to note that the RPKI _represents_ 
the allocations of INRs.
>
>     3.3.  CRL Processing
>
>     The CRL processing requirements imposed on CAs and RP are described
>     in [RFC6487].  CRLs in the RPKI are tightly constrained; only the
>     AuthorityKeyIdentifier and CRLNumber extensions are allowed, and they
>     MUST be present.  No other CRL extensions are allowed, and no
>     CRLEntry extensions are permitted.  RPs are required to verify that
>     these constraints have been met.  Each CRL in the RPKI MUST be
>     verified using the public key from the certificate of the CA that
>     issued the CRL.
>
>
> Apart from using normative language mentioned above, you seem to repeat the text of other RFC.
> Is it the only bit of RFC6487 that is applicable to CRL processing in RPKI validation?
> Doesn't any CRL validation (not only in RPKI) require that a CRL must be verified using the public key of its issuer?
The cited text notes what CRL processing requirements are unique to the 
RPKI. ALL PKIs require that a CRL be validated using the public key of 
the issuer of the CRL.
>
>     4.2.1.  Manifest
>
>     To determine whether a manifest is valid, the RP is required to
>     perform manifest-specific checks in addition to those specified in
>     [RFC6488].
>
>     Specific checks for a Manifest are described in section 4 of
>     [RFC6486].  If any of these checks fails, indicating that the
>     manifest is invalid, then the manifest will be discarded and treated
>     as though no manifest were present.
>
> This description is quite incomplete. Perhaps you should merge the content of section "4.3.  How to Make Use of Manifest Data" in here, but even there I do not see a reference to section 6 (Relying Party Use of Manifests) of RFC6486, which is quite a big omission.
I agree that this needs more work. Your doc describing what the RIPE RP 
code does includes examples where you have made choices that are allowed, 
but not mandated, by RFCs. This text wants to say what is mandated and 
what is allowed. I suspect we may add an implementation guidance section 
that will address issues where implementers have options and what 
experience has taught us about the pros and cons of different options.
>
>     4.2.2.  ROA
>
>     To validate a ROA, the RP is required to perform all the checks
>     specified in [RFC6488] as well as the additional ROA-specific
>     validation steps.  The IP address delegation extension [RFC3779]
>     present in the end-entity (EE) certificate (contained within the
>     ROA), must encompass each of the IP address prefix(es) in the ROA.
>     More details for ROA validation are specified in section 2 of
>     [RFC6482].
>
> The second sentence is almost a 1-to-1 copy of Section 4 of 6482. What's the point of copying it instead of referencing?
the goal of this doc is both to point to all of the RFCs that establish 
RP requirements, and to provide an overview of the requirements. In some 
cases, the text here will paraphrase the requirements, in other cases it 
may merely restate them.
>
> Section 2 of RFC6482 defines the ROA content-type, not the validation.
good catch, we'll fix that.
>
>
>     4.2.3.  Ghostbusters
>
>     The Ghostbusters Record is optional; a publication point in the RPKI
>     can have zero or more associated Ghostbuster Records.
>
> This is true for all objects except manifest and CRL.
yes, so what?
>     If a CA has at
>     least one Ghostbuster Record, RP is required to verify that this
>     Ghostbusters Record conforms to the syntax of signed object defined
>     in [RFC6488].
>
> And this is also true for any signed object.
ibid.
>     The payload of this signed object is a (severely) profiled vCard.  An
>     RP is required to verify that the payload of Ghostbusters conforms to
>     format as profiled in [RFC6493].
>
> I'm mentioning it here, but it applies to many places in this document: the validation section of RFC6493 already references RFC6488. So why duplicate it here?

Oleg, I think we fundamentally disagree about the utility of a doc like 
this. I agree that this initial cut can be improved, but I disagree with 
your sentiment that it is not a worthwhile document. I have provided you 
and Tim with extensive comments on your RIPE validation description doc, 
and these have identified a number of places where the text needed to be 
clarified or fixed, i.e., it was technically incorrect.  In that light I 
think it would be fair to assume that successive versions of this doc 
can improve as well, and thus refusing to consider it is premature.

Steve

--------------2A340A258DBCA8D20FEFB468
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Oleg,<br>
    </p>
    Thanks for the feedback on our doc.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">Well, actually there is normative language: </blockquote>
    you're right. those instances of MUST will be changed to lowercase,
    since the intent is that this doc be informational.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">And there are several other places where the normative language is not used, but implied.</pre>
    </blockquote>
    the doc is re-iterating what requirements docs say, so it is
    appropriate to use language that conveys what the requirements are,
    but we do try to avoid normative language. We'll revise the doc to
    remove normative (uppercase) language, but we will continue to
    convey what is mandated vs. optional, etc.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">
</pre>
      <blockquote type="cite">
        <pre wrap="">This doc outlines the RP functions, summarizes them and then gives reference to those precise sections or paragraphs, in order to make life easier for implementers to make sure he/she has addressed all of these requirements.
</pre>
      </blockquote>
      <pre wrap="">I have two comments for this paragraph.

First, it might seem appealing to create a document that will give a "reference to those precise sections or paragraphs", so that the implementer could skip reading those long RFCs in full.  But I do not think it is possible or advisable. Even in your draft you say:

   An RP is required
   to verify that a resource certificate adheres to the profile
   established by [RFC6487].  This means that all extensions mandated by
   [RFC6487] must be present and value of each extension must be within
   the range specified by this RFC.  Moreover, any extension excluded by
   [RFC6487] must be omitted.

or

   To determine whether a manifest is valid, the RP is required to
   perform manifest-specific checks in addition to those specified in
   [RFC6488].

So very often it is more practical to refer to the whole RFCs, because an implementer has to implement all of it, not just specific paragraphs.</pre>
    </blockquote>
    I agree that implementers will have to read the cited RFCs. The goal
    here is to provide an overview of the requirements and to enumerate
    the RFCs that contain such requirements.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">Second, what if, for whatever reason, this document will not list *all* of the requirements?  Will it be OK for the implementer to say "I did everything specified there", or will (s)he be required to double-check with other RFCs you refer to?  Or even with those you do not refer to?

I'm not sure how to define the applicability of such document.</pre>
    </blockquote>
    the utility of the doc is that it provides a concise, high level
    description of RP requirements, and pointers to the normative RFCs
    where these requirements are fully specified. The BGPsec overview
    I-D is informational and provides a concise description of what a
    router needs to do to implement BGPsec, but it points to the
    relevant RFCs that provide the full specs for BGPsec, router certs,
    etc.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <blockquote type="cite">
        <pre wrap="">Any comments and feedbacks are appreciated.
</pre>
      </blockquote>
      <pre wrap="">Here are my comments for some specific sections:

   3.1.  Verifying Resource Certificate and Syntax

   Certificates in the RPKI are called resource certificates, and they
   are required to conform to the profile [RFC6487].  An RP is required
   to verify that a resource certificate adheres to the profile
   established by [RFC6487].  This means that all extensions mandated by
   [RFC6487] must be present and value of each extension must be within
   the range specified by this RFC.  Moreover, any extension excluded by
   [RFC6487] must be omitted.

I think you should not repeat the text of other RFCs, otherwise you risk being incomplete or going out of sync with the referenced RFC.</pre>
    </blockquote>
    An informational RFC providing an overview always runs this risk,
    but that doesn't make it a bad idea.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">

   3.2.  Certificate Path Validation

   In the RPKI, issuer can only assign and/or allocate public INRs
   belong to it, ...

I don't think assignment or allocation of INR happens in RPKI.</pre>
    </blockquote>
    good point. the text will be revised to note that the RPKI
    <u> represents</u> the allocations of INRs.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">

   3.3.  CRL Processing

   The CRL processing requirements imposed on CAs and RP are described
   in [RFC6487].  CRLs in the RPKI are tightly constrained; only the
   AuthorityKeyIndetifier and CRLNumber extensions are allowed, and they
   MUST be present.  No other CRL extensions are allowed, and no
   CRLEntry extensions are permitted.  RPs are required to verify that
   these constraints have been met.  Each CRL in the RPI MUST be
   verified using the public key from the certificate of the CA that
   issued the CRL.


Apart from using normative language mentioned above, you seem to repeat the text of other RFC.
Is it the only bit of RFC6487 that is applicable to CRL processing in RPKI validation?
Doesn't any CRL validation (not only in RPKI) require that a CRL must be verified using the public key of its issuer?</pre>
    </blockquote>
    The cited text notes what CRL processing requirements are unique to
    the RPKI. ALL PKIs require that a CRL be validated using the public
    key of the issuer of the CRL.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">

   4.2.1.  Manifest

   To determine whether a manifest is valid, the RP is required to
   perform manifest-specific checks in addition to those specified in
   [RFC6488].

   Specific checks for a Manifest are described in section 4 of
   [RFC6486].  If any of these checks fails, indicating that the
   manifest is invalid, then the manifest will be discarded and treated
   as though no manifest were present.

This description is quite incomplete. Perhaps you should merge the content of section "4.3.  How to Make Use of Manifest Data" in here, but even there I do not see a reference to section 6 (Relying Party Use of Manifests) of RFC6486, which is quite a big omission.</pre>
    </blockquote>
    I agree that this needs more work. Your doc describing what the RIPE
    RP code does include examples where you have made choices that are
    allowed, but not mandated, by RFCs. This text wants to say what is
    mandated and what is allowed. I suspect we may add an implementation
    guidance section that will address issues where implementers have
    options and what experience has taught us about the pros and cons of
    different options.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">

   4.2.2.  ROA

   To validate a ROA, the RP is required perform all the checks
   specified in [RFC6488] as well as the additional ROA-specific
   validation steps.  The IP address delegation extension [RFC3779]
   present in the end-entity (EE) certificate (contained within the
   ROA), must encompass each of the IP address prefix(es) in the ROA.
   More details for ROA validation are specified in section 2 of
   [RFC6482].

The second sentence is almost a 1-to-1 copy of Section 4 of 6482. What's the point of copying it instead of referencing?</pre>
    </blockquote>
    the goal of this doc is both to point to all of the RFCs that
    establish RP requirements, and to provide an overview of the
    requirements. In some cases, the text here will paraphrase the
    requirements, in other cases it may merely restate them.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">

Section 2 of RFC6482 defines the ROA content-type, not the validation.</pre>
    </blockquote>
    good catch, we'll fix that.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">


   4.2.3.  Ghostbusters

   The Ghostbusters Record is optional; a publication point in the RPKI
   can have zero or more associated Ghostbuster Records.  

This is true for all objects except manifest and CRL.</pre>
    </blockquote>
    yes, so what? <br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">   If a CA has at
   least one Ghostbuster Record, RP is required to verify that this
   Ghostbusters Record conforms to the syntax of signed object defined
   in [RFC6488].

And this is also true for any signed object.</pre>
    </blockquote>
    ibid.<br>
    <blockquote cite="mid:F0799243-C489-4BB9-B2C1-FAB115D9536D@ripe.net"
      type="cite">
      <pre wrap="">
   The payload of this signed object is a (severely) profiled vCard.  An
   RP is required to verify that the payload of Ghostbusters conforms to
   format as profiled in [RFC6493].

I'm mentioning it here, but it applies to many places in this document: the validation section of RFC6493 already references RFC6488. So why duplicate it here?</pre>
    </blockquote>
    <br>
    Oleg, I think we fundamentally disagree about the utility of a doc
    like this. I agree that this initial cut can be improved, but I
    disagree with your sentiment that it is not a worthwhile document. I
    have provided you and Tim with extensive comments on your RIPE
    validation description doc, and these have identified a number of
    places where the text needed to be clarified or fixed, i.e., it was
    technically incorrect.  In that light I think it would be fair to
    assume that successive versions of this doc can improve as well, and
    thus refusing to consider it is premature.<br>
    <br>
    Steve<br>
  </body>
</html>

--------------2A340A258DBCA8D20FEFB468--
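
Added example (not from the draft or from any RP implementation discussed in this thread): the section 4.2.2 requirement quoted in the message above, that the RFC 3779 IP address delegation extension in the ROA's EE certificate must encompass every prefix in the ROA, written as a set-containment check. The function names and sample prefixes are constructed for illustration, and the certificate and ROA are assumed to have been parsed into prefix strings already.

```python
import ipaddress

# Constructed sample: resources listed in the EE certificate's RFC 3779
# IP address delegation extension. The two /25s are adjacent halves of a /24.
EE_CERT_PREFIXES = ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/32"]


def collapse_by_family(prefixes):
    """Parse prefixes and merge each address family into a minimal block list.

    The extension describes a *set* of addresses, so adjacent or overlapping
    entries must be merged before testing containment; otherwise a ROA prefix
    that spans two certificate entries would be rejected incorrectly.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return {
        version: list(
            ipaddress.collapse_addresses(n for n in nets if n.version == version)
        )
        for version in (4, 6)
    }


def uncovered_roa_prefixes(ee_cert_prefixes, roa_prefixes):
    """Return the ROA prefixes the EE certificate's resources do not encompass."""
    covered = collapse_by_family(ee_cert_prefixes)
    failures = []
    for text in roa_prefixes:
        try:
            # strict=True rejects prefixes with host bits set (e.g. 192.0.2.1/24)
            prefix = ipaddress.ip_network(text, strict=True)
        except ValueError:
            failures.append(text)
            continue
        # Only blocks of the same address family can contain the prefix.
        if not any(prefix.subnet_of(block) for block in covered[prefix.version]):
            failures.append(text)
    return failures


def roa_resources_ok(ee_cert_prefixes, roa_prefixes):
    """True only if every ROA prefix is encompassed by the EE certificate.

    Assumption of this example: an empty prefix list fails closed.
    """
    return bool(roa_prefixes) and not uncovered_roa_prefixes(
        ee_cert_prefixes, roa_prefixes
    )


if __name__ == "__main__":
    samples = {
        "spans two cert entries": ["192.0.2.0/24", "2001:db8:1::/48"],
        "one prefix outside cert": ["192.0.2.0/24", "198.51.100.0/24"],
        "wider than cert": ["192.0.0.0/16"],
    }
    for label, roa in samples.items():
        print(label, roa_resources_ok(EE_CERT_PREFIXES, roa),
              uncovered_roa_prefixes(EE_CERT_PREFIXES, roa))
```

A naive per-entry comparison would reject the first sample, because 192.0.2.0/24 is not a subnet of either /25 on its own; merging the certificate's entries first is what makes the check a true set containment.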


From nobody Wed Jul 20 20:09:18 2016
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_B5D909F5-793C-4ABF-93A1-0F5BF123CA23"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <A21E0F4D-D1F8-4816-BD7C-B074663B0C1F@tislabs.com>
Date: Wed, 20 Jul 2016 23:09:03 -0400
Message-Id: <A56FA3BE-794D-4F6E-9A32-8D7306F7B375@tislabs.com>
References: <A21E0F4D-D1F8-4816-BD7C-B074663B0C1F@tislabs.com>
To: sidr <sidr@ietf.org>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/PAs8LXEMfldkZeUIWSb_jkbByYQ>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] need jabber scribe and minutes takers

--Apple-Mail=_B5D909F5-793C-4ABF-93A1-0F5BF123CA23
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

We are still looking for volunteers for jabber scribe and minutes taker.

Please do consider volunteering.  Please.

—Sandy, speaking as one of the wg co-chairs

> On Apr 4, 2016, at 7:39 AM, Sandra Murphy <sandy@tislabs.com> wrote:
>
> We need jabber scribes and minutes takers for the Monday and Wednesday sessions.
>
> Please volunteer.  If we don’t have someone who has agreed we can’t continue with the meeting.
>
> —Sandy, speaking as one of the co-chairs
>


--Apple-Mail=_B5D909F5-793C-4ABF-93A1-0F5BF123CA23--


From nobody Wed Jul 20 21:34:39 2016
From: Sandra Murphy <sandy@tislabs.com>
X-Pgp-Agent: GPGMail
Content-Type: multipart/signed; boundary="Apple-Mail=_6819321E-C251-4C67-A326-9D9294253B80"; protocol="application/pgp-signature"; micalg=pgp-sha512
Date: Thu, 21 Jul 2016 00:34:17 -0400
Message-Id: <97C53287-DC74-4E47-90B5-EF893310CDB2@tislabs.com>
To: sidr <sidr@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/3OFgQHnfGrqK1PZuLejKHxrpP5k>
Cc: Sandra Murphy <sandy@tislabs.com>
Subject: [sidr] new agenda uploaded; all slides received so far uploaded

--Apple-Mail=_6819321E-C251-4C67-A326-9D9294253B80
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

I have uploaded a new agenda.

There are two new items on the agenda - “ROA Misconceptions” from Randy Bush and a report on Wednesday’s ROA signing party by Markus de Brun.  Both are short presentations.

I have compressed some of the other time slots, in order to keep a block of time for discussion at the end.  Likely topic: continuing last meeting’s discussion of the future of SIDR - possible rechartering.  Each presenter has at least as much time as they requested.

All slides I know I have received have been uploaded.

Presenters should check the agenda to be sure I have the right presenter listed, name spelled correctly, topic title correct, etc., and check the materials uploaded to make sure the right versions are uploaded.  (Meeting materials are available on the agenda page https://datatracker.ietf.org/meeting/96/agenda.html if you click on the “show meeting materials” icon and on the meeting materials site https://datatracker.ietf.org/meeting/96/materials.html.

—Sandy, speaking as one of the wg co-chairs

--Apple-Mail=_6819321E-C251-4C67-A326-9D9294253B80--


From nobody Thu Jul 21 01:49:40 2016
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.29.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160721084939.4433.46916.idtracker@ietfa.amsl.com>
Date: Thu, 21 Jul 2016 01:49:39 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/fWdcxzhIWhykXRg_Uagrjgvl4J8>
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-18.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : A Profile for BGPsec Router Certificates, Certificate Revocation Lists, and Certification Requests
        Authors         : Mark Reynolds
                          Sean Turner
                          Stephen Kent
        Filename        : draft-ietf-sidr-bgpsec-pki-profiles-18.txt
        Pages           : 13
        Date            : 2016-07-21

Abstract:
   This document defines a standard profile for X.509 certificates used
   to enable validation of Autonomous System (AS) paths in the Border
   Gateway Protocol (BGP), as part of an extension to that protocol
   known as BGPsec.  BGP is the standard for inter-domain routing in the
   Internet; it is the "glue" that holds the Internet together. BGPsec
   is being developed as one component of a solution that addresses the
   requirement to provide security for BGP.  The goal of BGPsec is to
   provide full AS path validation based on the use of strong
   cryptographic primitives.  The end-entity (EE) certificates specified
   by this profile are issued (to routers within an Autonomous System).
   Each of these certificates is issued under a Resource Public Key
   Infrastructure (RPKI) Certification Authority (CA) certificate.
   These CA certificates and EE certificates both contain the AS
   Identifier Delegation extension.  An EE certificate of this type
   asserts that the router(s) holding the corresponding private key are
   authorized to emit secure route advertisements on behalf of the
   AS(es) specified in the certificate.  This document also profiles the
   format of certification requests, and specifies Relying Party (RP)
   certificate path validation procedures for these EE certificates.
   This document extends the RPKI; therefore, this documents updates the
   RPKI Resource Certificates Profile (RFC 6487).


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-bgpsec-pki-profiles/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-bgpsec-pki-profiles-18

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-bgpsec-pki-profiles-18


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Thu Jul 21 01:51:33 2016
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <20160721084939.4433.46916.idtracker@ietfa.amsl.com>
Date: Thu, 21 Jul 2016 04:51:23 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <F5DC00E5-C60A-4A1A-9CD6-712D3A2C4A37@sn3rd.com>
References: <20160721084939.4433.46916.idtracker@ietfa.amsl.com>
To: sidr <sidr@ietf.org>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/L5Fe6lP6vQpomPKQb1GbkSMNpVs>
Subject: Re: [sidr] I-D Action: draft-ietf-sidr-bgpsec-pki-profiles-18.txt

Changes as a result of discussions inspired by the validation reconsidered draft.

spt



From nobody Thu Jul 21 01:56:28 2016
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <20160719131456.D0705412C916@minas-ithil.hactrn.net>
Date: Thu, 21 Jul 2016 04:56:12 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <A76F3C48-64F0-48A3-938E-D2362A909664@vigilsec.com>
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net> <F64A0698-6461-489E-99B9-4A75421C04DA@vigilsec.com> <20160719131456.D0705412C916@minas-ithil.hactrn.net>
To: IETF SIDR <sidr@ietf.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/zcVGo1owvdOvB0u_6OwGIZS38aA>
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs

On Jul 19, 2016, at 9:14 AM, Rob Austein <sra@hactrn.net> wrote:

> At Tue, 19 Jul 2016 08:43:00 -0400, Russ Housley wrote:
>>
>> Does this apply to the Certificate Policy OID too?  If memory is
>> correct, the current CP has a normative pointer to RFC 3779.
>
> Good catch.
>
> Not sure a policy OID change is necessary, although might be simplest.
> If there's a reference, we either need to change the OID or change the
> definition of what the OID means.
>
> IIRC, the OpenSSL library code doesn't do anything RFC-3779-specific
> for the policy OID, it just follows the usual rules; it's the RP code
> built on top of the library that demands that particular policy OID.
> So at least in the OpenSSL case, changing the policy OID may not have
> any noticeable effect on correctness of software behavior.

During the SIDR session today, there seemed to be some confusion about which OIDs we are talking about.

The first two are from RFC 3779.  They appear here in the IANA registry:
http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.1

The two OIDs are:
        1.3.6.1.5.5.7.1.7       id-pe-ipAddrBlocks
        1.3.6.1.5.5.7.1.8       id-pe-autonomousSysIds

In addition, RFC 6484 assigned an OID for the certificate policy.  It appears here in the IANA registry:
http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.14

The OID is:
        1.3.6.1.5.5.7.14.2      id-cp-ipAddr-asNumber

I think this is a very good candidate for early IANA code point allocation.  I think that our AD can assist with that.

Russ


From nobody Thu Jul 21 03:38:42 2016
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_30A5C3EC-EE89-4A96-A763-166B0735D775"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <A76F3C48-64F0-48A3-938E-D2362A909664@vigilsec.com>
Date: Thu, 21 Jul 2016 12:36:10 +0200
Message-Id: <173EB2A5-1F28-4108-9D91-B3D1C2B3126C@ripe.net>
References: <20160719111830.12A97412B25E@minas-ithil.hactrn.net> <F64A0698-6461-489E-99B9-4A75421C04DA@vigilsec.com> <20160719131456.D0705412C916@minas-ithil.hactrn.net> <A76F3C48-64F0-48A3-938E-D2362A909664@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/MyIPJz3Z2eNZv0agpoW4o2DiKHM>
Cc: IETF SIDR <sidr@ietf.org>
Subject: Re: [sidr] Validation reconsidered and X.509v3 extension OIDs
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 10:38:40 -0000

--Apple-Mail=_30A5C3EC-EE89-4A96-A763-166B0735D775
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi Russ,

Thank you for the pointers. I am traveling now but I will get back to it.

Thanks
Tim

> On 21 Jul 2016, at 10:56, Russ Housley <housley@vigilsec.com> wrote:
>
>
> On Jul 19, 2016, at 9:14 AM, Rob Austein <sra@hactrn.net> wrote:
>
>> At Tue, 19 Jul 2016 08:43:00 -0400, Russ Housley wrote:
>>>
>>> Does this apply to the Certificate Policy OID too?  If memory is
>>> correct, the current CP has a normative pointer to RFC 3779.
>>
>> Good catch.
>>
>> Not sure a policy OID change is necessary, although might be simplest.
>> If there's a reference, we either need to change the OID or change the
>> definition of what the OID means.
>>
>> IIRC, the OpenSSL library code doesn't do anything RFC-3779-specific
>> for the policy OID, it just follows the usual rules; it's the RP code
>> built on top of the library that demands that particular policy OID.
>> So at least in the OpenSSL case, changing the policy OID may not have
>> any noticeable effect on correctness of software behavior.
>
> During the SIDR session today, there seemed to be some confusion about which OIDs we are talking about.
>
> The first two are from RFC 3779.  They appear here in the IANA registry:
> http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.1
>
> The two OIDs are:
> 	1.3.6.1.5.5.7.1.7	id-pe-ipAddrBlocks
> 	1.3.6.1.5.5.7.1.8	id-pe-autonomousSysIds
>
> In addition, RFC 6484 assigned an OID for the certificate policy.  It appears here in the IANA registry:
> http://www.iana.org/assignments/smi-numbers/smi-numbers.xhtml#smi-numbers-1.3.6.1.5.5.7.14
>
> The OID is:
> 	1.3.6.1.5.5.7.14.2	id-cp-ipAddr-asNumber
>
> I think this is a very good candidate for early IANA code point allocation.  I think that our AD can assist with that.
>
> Russ


--Apple-Mail=_30A5C3EC-EE89-4A96-A763-166B0735D775--
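
The three OIDs listed in the quoted message above, and the layering Rob Austein describes (the relying-party code, not the X.509 library, insisting on one policy OID), shown as an added example that is not part of the original thread or of any RP implementation. The function names, the "exactly one policy" rule, the constructed extension values and the use of the example arc 2.999.1 as a stand-in for a new policy OID are assumptions of this example.

```python
"""DER handling for the OIDs named in the thread, plus an RP-layer policy check."""

# OIDs exactly as listed in the quoted message.
ID_PE_IP_ADDR_BLOCKS = "1.3.6.1.5.5.7.1.7"
ID_PE_AUTONOMOUS_SYS_IDS = "1.3.6.1.5.5.7.1.8"
ID_CP_IPADDR_ASNUMBER = "1.3.6.1.5.5.7.14.2"
# Placeholder for "some new policy OID": 2.999 is the example arc, not an assignment.
PLACEHOLDER_NEW_POLICY = "2.999.1"


def _der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _base128(n):
    """Base-128 big-endian, continuation bit set on every byte but the last."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """Return the full DER TLV (tag 0x06) for a dotted-decimal OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = _base128(arcs[0] * 40 + arcs[1])
    body += b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_len(len(body)) + body


def decode_oid(body):
    """Decode the value bytes of an OBJECT IDENTIFIER to dotted decimal."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    values, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            values.append(cur)
            cur = 0
    first = values[0]
    head = (first // 40, first % 40) if first < 80 else (2, first - 80)
    return ".".join(str(v) for v in (*head, *values[1:]))


def read_tlv(buf, off):
    """Read one TLV at off; return (tag, value, next_offset) or raise ValueError."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[off:off + length], off + length


def _seq(content):
    return b"\x30" + _der_len(len(content)) + content


def build_certificate_policies(oids):
    """Constructed test input: SEQUENCE OF PolicyInformation, no qualifiers."""
    return _seq(b"".join(_seq(encode_oid(o)) for o in oids))


def policy_oids(ext_value):
    """List the policyIdentifier OIDs in a certificatePolicies extension value."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    found, off = [], 0
    while off < len(seq):
        tag, info, off = read_tlv(seq, off)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid, _ = read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        found.append(decode_oid(oid))
    return found


def rp_accepts_policy(ext_value, required=ID_CP_IPADDR_ASNUMBER):
    """RP-layer rule (assumed here): exactly one policy, equal to `required`.

    Generic path validation does not impose this; the pin lives in this
    function, so a policy OID change is a change to `required` only.
    """
    try:
        return policy_oids(ext_value) == [required]
    except ValueError:
        return False  # malformed extension: fail closed
```
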


From nobody Thu Jul 21 04:37:46 2016
Return-Path: <morrowc@ops-netman.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E25E12DDDA; Thu, 21 Jul 2016 04:37:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UrXKvJhXhcaz; Thu, 21 Jul 2016 04:37:42 -0700 (PDT)
Received: from relay.kvm02.ops-netman.net (relay.ops-netman.net [192.110.255.59]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23E1E12DDB8; Thu, 21 Jul 2016 04:33:45 -0700 (PDT)
Received: from mail.ops-netman.net (unknown [208.76.12.119]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by relay.kvm02.ops-netman.net (Postfix) with ESMTPS id 7E865409B7; Thu, 21 Jul 2016 11:33:44 +0000 (UTC)
Received: from morrowc-glaptop4.roam.corp.google.com.ops-netman.net (dhcp-aa0e.meeting.ietf.org [31.133.170.14]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.ops-netman.net (Postfix) with ESMTPSA id 1534C88DF04; Thu, 21 Jul 2016 10:36:29 +0000 (UTC)
Date: Thu, 21 Jul 2016 11:36:28 +0100
Message-ID: <yj9oinvzi8gj.wl%morrowc@ops-netman.net>
From: Chris Morrow <morrowc@ops-netman.net>
To: sidr@ietf.org,sidr-chairs@ietf.org,sidr-ads@ietf.org
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.3 Mule/6.0 (HANACHIRUSATO)
Organization: Operations Network Management, Ltd.
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/KyP5r0bLa-j1thPxzYuucrVexhQ>
Subject: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 11:37:44 -0000

We are going to officially stake:
  1)     draft-ietf-sidr-slurm
  2)     draft-ietf-sidr-lta-use-cases

These are not being progressed currently, and won't be in the future
it seems. We'll do the process bits next week to remove them from
SIDR's work queue.

-chris


From nobody Thu Jul 21 04:46:35 2016
Return-Path: <morrowc@ops-netman.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADED612DB56; Thu, 21 Jul 2016 04:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJlcS8k-Tcx1; Thu, 21 Jul 2016 04:46:32 -0700 (PDT)
Received: from relay.kvm02.ops-netman.net (relay.kvm02.ops-netman.net [IPv6:2606:700:e:550:5c82:28ff:fe25:4960]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0FD012DB47; Thu, 21 Jul 2016 04:44:05 -0700 (PDT)
Received: from mail.ops-netman.net (unknown [208.76.12.119]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by relay.kvm02.ops-netman.net (Postfix) with ESMTPS id 1459E409B6; Thu, 21 Jul 2016 11:44:05 +0000 (UTC)
Received: from morrowc-glaptop4.roam.corp.google.com.ops-netman.net (dhcp-aa0e.meeting.ietf.org [31.133.170.14]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.ops-netman.net (Postfix) with ESMTPSA id E73CB88906A; Thu, 21 Jul 2016 10:25:55 +0000 (UTC)
Date: Thu, 21 Jul 2016 11:25:49 +0100
Message-ID: <yj9ok2gfi8ya.wl%morrowc@ops-netman.net>
From: Chris Morrow <morrowc@ops-netman.net>
To: sidr@ietf.org,sidr-ads@ietf.org,sidr-chairs@ietf.org
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.3 Mule/6.0 (HANACHIRUSATO)
Organization: Operations Network Management, Ltd.
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/kpdjo9HPWUFrwBfNmE6kIW82AQU>
Subject: [sidr] SIDR operations area proposed Charter
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 11:46:34 -0000

Howdy!
as promised in the meeting today (berlin july 21 2016):
  <https://github.com/morrowc/sidr-docs/blob/master/sidr-ops>

I believe this is the current proposed charter for a group in the
ops-area, I (and sandy) would appreciate comments/questions/help/text
on this proposal, as we would like to close out discussion/editing by
September 1, 2016.

Thanks!
-chris
(sidr-co-chair)


From nobody Thu Jul 21 09:00:08 2016
Return-Path: <sandy@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0879012D62E; Thu, 21 Jul 2016 09:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9khaG9xxVcqA; Thu, 21 Jul 2016 09:00:05 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 517B312D76D; Thu, 21 Jul 2016 09:00:05 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id BF3BC28B0043; Thu, 21 Jul 2016 12:00:04 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id 4C1C71F8055; Thu, 21 Jul 2016 11:59:59 -0400 (EDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_E544B9DE-B248-46D1-8492-54A7E801FF46"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <yj9oinvzi8gj.wl%morrowc@ops-netman.net>
Date: Thu, 21 Jul 2016 11:59:52 -0400
Message-Id: <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net>
To: Christopher Morrow <morrowc@ops-netman.net>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/xTW0QizL5_c4HzLKzN8tujK_TWc>
Cc: sidr-ads@ietf.org, sidr@ietf.org, sidr-chairs@ietf.org, Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 16:00:07 -0000

--Apple-Mail=_E544B9DE-B248-46D1-8492-54A7E801FF46
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8


> On Jul 21, 2016, at 6:36 AM, Chris Morrow <morrowc@ops-netman.net> wrote:
>
>
> We are going to officially stake:
>  1)     draft-ietf-sidr-slurm

Hasn’t had energy in a while, but not so long that I can say
there’s no possibility of resurrection.  (e.g., keyroll had a
two year gap in there.  But then the need was clear.)


>  2)     draft-ietf-sidr-lta-use-cases
>
> These are not being progressed currently, and won't be in the future
> it seems. We'll do the process bits next week to remove them from
> SIDR's work queue.

I’d like to hear from the authors (we’ve heard from Randy) whether
they have a possibility of continuing.

And I’d think the wg has to declare there’s no interest - if
there’s a reason, and a new author volunteers…

—Sandy

>
> -chris

--Apple-Mail=_E544B9DE-B248-46D1-8492-54A7E801FF46--


From nobody Thu Jul 21 09:37:39 2016
Return-Path: <sandy@tislabs.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8607F12D79C; Thu, 21 Jul 2016 09:37:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9PR_bFNuxm53; Thu, 21 Jul 2016 09:37:35 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B7F512D65E; Thu, 21 Jul 2016 09:37:35 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 0B3AC28B0046; Thu, 21 Jul 2016 12:37:34 -0400 (EDT)
Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id D907E1F8055; Thu, 21 Jul 2016 12:37:29 -0400 (EDT)
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
Content-Type: multipart/signed; boundary="Apple-Mail=_DE3B0F97-3F78-4D63-9B5F-A6646F6145FA"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail
From: Sandra Murphy <sandy@tislabs.com>
In-Reply-To: <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com>
Date: Thu, 21 Jul 2016 12:37:27 -0400
Message-Id: <BB7C0754-68B9-495E-8A0A-C66BF002EFB7@tislabs.com>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com>
To: Christopher Morrow <morrowc@ops-netman.net>
X-Mailer: Apple Mail (2.2104)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/lkei52Om8wlt4nh6BU6Yeiigfj4>
Cc: sidr-ads@ietf.org, sidr <sidr@ietf.org>, sidr-chairs@ietf.org, Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 16:37:37 -0000

--Apple-Mail=_DE3B0F97-3F78-4D63-9B5F-A6646F6145FA
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8


> On Jul 21, 2016, at 11:59 AM, Sandra Murphy <sandy@tislabs.com> wrote:
>
>
>> On Jul 21, 2016, at 6:36 AM, Chris Morrow <morrowc@ops-netman.net> wrote:
>>
>>
>> We are going to officially stake:
>> 1)     draft-ietf-sidr-slurm
>
> Hasn’t had energy in a while, but not so long that I can say
> there’s no possibility of resurrection.  (e.g., keyroll had a
> two year gap in there.  But then the need was clear.)
>
>
>> 2)     draft-ietf-sidr-lta-use-cases
>>
>> These are not being progressed currently, and won't be in the future
>> it seems. We'll do the process bits next week to remove them from
>> SIDR's work queue.
>
> I’d like to hear from the authors (we’ve heard from Randy) whether
> they have a possibility of continuing.
>
> And I’d think the wg has to declare there’s no interest - if
> there’s a reason, and a new author volunteers…


Chris, I suppose that’s what you meant by “the process bits”

—Sandy

>
> —Sandy
>
>>
>> -chris


--Apple-Mail=_DE3B0F97-3F78-4D63-9B5F-A6646F6145FA--


From nobody Thu Jul 21 10:42:24 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7024612B065 for <sidr@ietfa.amsl.com>; Thu, 21 Jul 2016 10:42:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p8_CSJAlXEQ0 for <sidr@ietfa.amsl.com>; Thu, 21 Jul 2016 10:42:22 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC1FA12B006 for <sidr@ietf.org>; Thu, 21 Jul 2016 10:42:21 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:43307 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bQHz5-000DI8-Q6; Thu, 21 Jul 2016 13:42:07 -0400
To: Sandra Murphy <sandy@tislabs.com>, Chris Morrow <morrowc@ops-netman.net>,  SIDR Chairs <sidr-chairs@tools.ietf.org>, sidr <sidr@ietf.org>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com>
Date: Thu, 21 Jul 2016 13:42:07 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/gFQKQHp9BntKrDkf0f7MduZlb0E>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 17:42:23 -0000

Sandy & Chris,

I believe Chris' declaration is premature.

I anticipate that Dr. Ma may want to take over slurm, with David's 
permission.

With a few minor tweaks the use cases doc can be done.

Steve



From nobody Thu Jul 21 15:27:49 2016
Return-Path: <morrowc@ops-netman.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A002712DA13 for <sidr@ietfa.amsl.com>; Thu, 21 Jul 2016 15:27:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ap_fSPqxUEZA for <sidr@ietfa.amsl.com>; Thu, 21 Jul 2016 15:27:45 -0700 (PDT)
Received: from relay.kvm02.ops-netman.net (relay.kvm02.ops-netman.net [IPv6:2606:700:e:550:5c82:28ff:fe25:4960]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56ADB12D7A2 for <sidr@ietf.org>; Thu, 21 Jul 2016 15:20:14 -0700 (PDT)
Received: from mail.ops-netman.net (unknown [208.76.12.119]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by relay.kvm02.ops-netman.net (Postfix) with ESMTPS id 97AD9409CC; Thu, 21 Jul 2016 22:20:13 +0000 (UTC)
Received: from morrowc-glaptop4.roam.corp.google.com.ops-netman.net (unknown [172.56.7.115]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.ops-netman.net (Postfix) with ESMTPSA id 4B6A1881472; Thu, 21 Jul 2016 22:20:06 +0000 (UTC)
Date: Thu, 21 Jul 2016 23:20:02 +0100
Message-ID: <yj9ofur2iqgd.wl%morrowc@ops-netman.net>
From: Chris Morrow <morrowc@ops-netman.net>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.3 Mule/6.0 (HANACHIRUSATO)
Organization: Operations Network Management, Ltd.
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/kNGIw35XZ-tSDtuItu7oJiDJzqg>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr <sidr@ietf.org>, SIDR Chairs <sidr-chairs@tools.ietf.org>, Sandra Murphy <sandy@tislabs.com>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2016 22:27:47 -0000

At Thu, 21 Jul 2016 13:42:07 -0400,
Stephen Kent <kent@bbn.com> wrote:
> 
> Sandy & Chris,
> 
> I believe Chris' declaration is premature.
> 
> I anticipate that Dr. Ma may want to take over slurm, with David's
> permission.
> 
> With a few minor tweaks the use cases doc can be done.

ok, let's put some dates around the 2 items then:
  1) use-cases - decide on tweaks & rev-document: Aug 1
                 review and WGLC  Aug 14
                 send to IESG Sept 1

  2) Get hand-over on SLURM - Aug 1
                 New revision Aug 14
                 Discussion and next steps Sept 1

Propose alternate dates, 'no-date' is not valid as an answer... we
need to march toward conclusion.

-chris

> 
> Steve
> 


From nobody Fri Jul 22 00:16:35 2016
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B6C712D6B8 for <sidr@ietfa.amsl.com>; Fri, 22 Jul 2016 00:16:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Level: 
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nFt6hU-TtEXE for <sidr@ietfa.amsl.com>; Fri, 22 Jul 2016 00:16:32 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3946412D678 for <sidr@ietf.org>; Fri, 22 Jul 2016 00:16:32 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com) by ran.psg.com with esmtp (Exim 4.82) (envelope-from <randy@psg.com>) id 1bQUi6-0000uY-A3; Fri, 22 Jul 2016 07:17:26 +0000
Date: Fri, 22 Jul 2016 09:16:31 +0200
Message-ID: <m28twudtww.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Chris Morrow <morrowc@ops-netman.net>
In-Reply-To: <yj9ofur2iqgd.wl%morrowc@ops-netman.net>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com> <yj9ofur2iqgd.wl%morrowc@ops-netman.net>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/7iaBpcteKxK_ulzHaiRWyrRM70E>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 07:16:33 -0000

>   1) use-cases - decide on tweaks & rev-document: Aug 1
>                  review and WGLC  Aug 14
>                  send to IESG Sept 1

do we have a concise issue list (other than steve not liking the style
used)?  not sure i will make the 1 aug dreadline if i have to sift
through the mailing list, whine, whine, whine.

randy


From nobody Fri Jul 22 00:21:27 2016
Return-Path: <christopher.morrow@gmail.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5399F12D6B8 for <sidr@ietfa.amsl.com>; Fri, 22 Jul 2016 00:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id daC_nVsvia_k for <sidr@ietfa.amsl.com>; Fri, 22 Jul 2016 00:21:25 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF6AB12D678 for <sidr@ietf.org>; Fri, 22 Jul 2016 00:21:24 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id u25so57186454qtb.1 for <sidr@ietf.org>; Fri, 22 Jul 2016 00:21:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;  h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=ZHmWJm9FzzrpBi5nXVqN38lcdG82042OgGt4yHsg+Jg=; b=SOvdtHFOLDwvD6g7SDE1LGOfwoynfnbyj7t7M5WSxwm8ZbnNFaYHZMpKIpiV0Q3aAX lALZPTG3hlyWecv/Ydtd+YBluaaYp0HWt4T+jlJc3k+QQoQE//9/3uoNQwSjSm5mvnVM To0xf3MbciuzDvXk/VC8YOORleC6r1XgK3vP9BkiMfeiI0TSXGiuJtiaaUbfWx0gr+qh urqd5ipBLXyS4Zkp2zkLPfBX5j3pmflICtfjw4irXD/xBShBlwurhnmPjkoAE6gdJnv7 CxSpY/tj8PKom81E+zBr3Zkfj/fTWUXNf3Ww0dskpWL/iwha1VA2rjsk4hz78gIcYoTk vCYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=ZHmWJm9FzzrpBi5nXVqN38lcdG82042OgGt4yHsg+Jg=; b=N8pKMh/2w9G18bEENgOEIqsU0QMqTgEJwbr0FjfLp/TILi6aBcm7nFkX3d+MgFeFU+ UOTUyLDgSFEVBdWRxeNf4V8zW2qO1VWDhr3LmJWhfBVKJN4fcpPmXDxNC39cvBvWn9sz zHkckIb/RLpoVZI5odDy2wR1eVch8j5R8WneBYI0+Tvr/5XSbz8apbso44j2IYQXRLv7 ip7YnFHcoVtA4z5N0IW+r9T8WAABkKfqngAd6Wqr4D9g4FBW6tQrrcdDzbhpi3pEHrYh /dk3hNMuiEYzjhRGByjun8sYYixnvMZMA2ioHSY7fJxLCRn17+6Rb5uBo5+PeS9vJVuw dzfw==
X-Gm-Message-State: AEkoout4IBmOq7PTxe7diWTdnWOsjH6yyLhIpH+nbSaVYVA7YIGigNyjCq7qk2aqsKFu6EywBXA3ZmYyw4iB5g==
X-Received: by 10.200.57.34 with SMTP id s31mr3801410qtb.49.1469172083985; Fri, 22 Jul 2016 00:21:23 -0700 (PDT)
MIME-Version: 1.0
Sender: christopher.morrow@gmail.com
Received: by 10.140.85.116 with HTTP; Fri, 22 Jul 2016 00:21:23 -0700 (PDT)
In-Reply-To: <m28twudtww.wl%randy@psg.com>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com> <yj9ofur2iqgd.wl%morrowc@ops-netman.net> <m28twudtww.wl%randy@psg.com>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Fri, 22 Jul 2016 08:21:23 +0100
X-Google-Sender-Auth: M7wXDvgDFF06Dpcu7mJp0xTGuFg
Message-ID: <CAL9jLab9Zaz1UjJfjJNmjU3FcMkF+mSYKLj7VGKEydK0FKOjJg@mail.gmail.com>
To: Randy Bush <randy@psg.com>, Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary=001a1141ca482e6fd70538344854
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/ZmKocoWK6yTHxFNbvLRYdFfuGgA>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr <sidr@ietf.org>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 07:21:26 -0000

--001a1141ca482e6fd70538344854
Content-Type: text/plain; charset=UTF-8

On Fri, Jul 22, 2016 at 8:16 AM, Randy Bush <randy@psg.com> wrote:

> >   1) use-cases - decide on tweaks & rev-document: Aug 1
> >                  review and WGLC  Aug 14
> >                  send to IESG Sept 1
>
> do we have a concise issue list (other than steve not liking the style
> used)?  not sure i will make the 1 aug dreadline if i have to sift
> through the mailing list, whine, whine, whine.
>
>
My hope is that steve can (or was already going to) respond with
issues-list, so we can move along.
I presume, since he stated the issue list was short he had it on
top-of-mind :)

Steve, is there a list you were working from? could you either:
  1) send to list
  2) send to co-authors
  3) send to chairs for distribution

thanks!
-chris

--001a1141ca482e6fd70538344854--


From nobody Fri Jul 22 02:55:40 2016
Return-Path: <madi@zdns.cn>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 674A312DF49 for <sidr@ietfa.amsl.com>; Fri, 22 Jul 2016 02:55:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level: 
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1cWgDWHO8zSP for <sidr@ietfa.amsl.com>; Fri, 22 Jul 2016 02:55:28 -0700 (PDT)
Received: from gw1.turbomail.org (gw1.turbomail.org [159.8.83.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72EC412DB9C for <sidr@ietf.org>; Fri, 22 Jul 2016 02:55:28 -0700 (PDT)
X-TM-DID: 08deaf513336b6b9ac9f28c52b737186
Content-Type: text/plain; charset=gb2312
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Declan Ma <madi@zdns.cn>
In-Reply-To: <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com>
Date: Fri, 22 Jul 2016 11:48:58 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <953A2A6D-FAF1-4E99-AD62-048E5A844228@zdns.cn>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com>
To: Sandra Murphy <sandy@tislabs.com>, Chris Morrow <morrowc@ops-netman.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/lwkGGV46WpSQMHx4FVlpYPJpiNQ>
Cc: SIDR Chairs <sidr-chairs@tools.ietf.org>, sidr <sidr@ietf.org>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 09:55:33 -0000

Sandy & Chris,

Thanks to Steve for recommending me to take over SLURM.

With David’s permission, I would be happy to assume responsibility
for SLURM.

I think SLURM is quite important to RPKI operation in terms of local
network.

SLURM provides a simple way to enable INR holders to establish a local,
customized view of the RPKI, by overriding RPKI repository data if
needed.

In particular, I was exchanging notes with David earlier on the use of
multiple SLURM files among others, which I believe is worth more text in
the next version of SLURM.

Di

> On 21 Jul 2016, at 19:42, Stephen Kent <kent@bbn.com> wrote:
>
> Sandy & Chris,
>
> I believe Chris' declaration is premature.
>
> I anticipate that Dr. Ma may want to take over slurm, with David's
> permission.
>
> With a few minor tweaks the use cases doc can be done.
>
> Steve

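Added example (not part of the message above, the SLURM draft, or any project's code): a sketch of the "local, customized view" and the use of multiple override files that the message describes, applied as post-processing to globally validated data. The class names, the matching rule (a prefix filter drops every VRP it covers) and the overlap-based conflict rule between files are assumptions for illustration, not the draft's file format; all prefixes and AS numbers are constructed documentation values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class VRP:
    """Validated ROA payload: prefix, maximum length, origin AS."""
    prefix: str
    max_length: int
    asn: int


@dataclass(frozen=True)
class Filter:
    """Drops matching VRPs from the global data (hypothetical model)."""
    prefix: Optional[str] = None
    asn: Optional[int] = None

    def matches(self, vrp: VRP) -> bool:
        if self.prefix is None and self.asn is None:
            return False  # an empty filter matches nothing
        if self.asn is not None and vrp.asn != self.asn:
            return False
        if self.prefix is not None:
            want, have = ip_network(self.prefix), ip_network(vrp.prefix)
            # subnet_of() raises TypeError on mixed IPv4/IPv6: compare versions first
            if want.version != have.version or not have.subnet_of(want):
                return False
        return True


@dataclass
class OverrideFile:
    """One local override file: filters remove data, assertions add data."""
    name: str
    filters: List[Filter] = field(default_factory=list)
    assertions: List[VRP] = field(default_factory=list)

    def prefixes(self):
        nets = {ip_network(f.prefix) for f in self.filters if f.prefix}
        nets |= {ip_network(a.prefix) for a in self.assertions}
        return nets


def find_conflicts(files):
    """Two files conflict when any prefix in one overlaps any prefix in the other."""
    conflicts = set()
    for i, a in enumerate(files):
        for b in files[i + 1:]:
            for pa in a.prefixes():
                for pb in b.prefixes():
                    if pa.version == pb.version and pa.overlaps(pb):
                        conflicts.add((a.name, b.name, str(pa), str(pb)))
    return sorted(conflicts)


def local_view(global_vrps, files):
    """Merge the override files and apply them to the global VRP set."""
    conflicts = find_conflicts(files)
    if conflicts:
        # Refuse to guess which file wins: an ambiguous override is a config error.
        raise ValueError(f"conflicting override files: {conflicts}")
    filters = [f for of in files for f in of.filters]
    view = {v for v in global_vrps if not any(f.matches(v) for f in filters)}
    for of in files:
        view.update(of.assertions)

    def order(v):
        net = ip_network(v.prefix)
        return (net.version, int(net.network_address), net.prefixlen, v.asn)
    return sorted(view, key=order)


# Constructed sample data (documentation prefixes and AS numbers).
GLOBAL_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 24, 64497),
    VRP("198.51.100.0/25", 25, 64498),
    VRP("2001:db8::/32", 48, 64499),
    VRP("203.0.113.0/24", 24, 64500),
]
# site-a replaces what the global RPKI says about 198.51.100.0/24.
SITE_A = OverrideFile("site-a",
                      filters=[Filter(prefix="198.51.100.0/24")],
                      assertions=[VRP("198.51.100.0/24", 24, 64511)])
# site-b drops everything originated by AS64500 and asserts private space.
SITE_B = OverrideFile("site-b",
                      filters=[Filter(asn=64500)],
                      assertions=[VRP("10.0.0.0/8", 24, 64510)])
# site-c touches space that site-a already overrides, so the merge must fail.
SITE_C = OverrideFile("site-c", filters=[Filter(prefix="198.51.100.128/25")])

if __name__ == "__main__":
    for vrp in local_view(GLOBAL_VRPS, [SITE_A, SITE_B]):
        print(f"{vrp.prefix} maxlen {vrp.max_length} AS{vrp.asn}")
    print("conflicts:", find_conflicts([SITE_A, SITE_C]))
```
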
From nobody Fri Jul 22 08:48:41 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE28512D830 for <sidr@ietfa.amsl.com>; Fri, 22 Jul 2016 08:48:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.487
X-Spam-Level: 
X-Spam-Status: No, score=-5.487 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N2rbD-48E-F2 for <sidr@ietfa.amsl.com>; Fri, 22 Jul 2016 08:48:38 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE9EE126D74 for <sidr@ietf.org>; Fri, 22 Jul 2016 08:48:37 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:45331 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bQcgg-000Afa-SW; Fri, 22 Jul 2016 11:48:31 -0400
To: Christopher Morrow <morrowc.lists@gmail.com>, Randy Bush <randy@psg.com>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com> <yj9ofur2iqgd.wl%morrowc@ops-netman.net> <m28twudtww.wl%randy@psg.com> <CAL9jLab9Zaz1UjJfjJNmjU3FcMkF+mSYKLj7VGKEydK0FKOjJg@mail.gmail.com>
From: Stephen Kent <kent@bbn.com>
Message-ID: <4866b582-0016-2136-1dc6-e95946eeff78@bbn.com>
Date: Fri, 22 Jul 2016 11:48:30 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CAL9jLab9Zaz1UjJfjJNmjU3FcMkF+mSYKLj7VGKEydK0FKOjJg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------78AE76FB0E018A26C978767D"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/t4Yh_VQ_2y8Mh6XX7ohg6x_tjQU>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr <sidr@ietf.org>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2016 15:48:41 -0000

This is a multi-part message in MIME format.
--------------78AE76FB0E018A26C978767D
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Chris,

Here is my message to the SIDR list from 6/16:


    I read the latest version of this document and have a few comments,
    some of which I have made before, to no avail ;-).

    I still find the wording of the three examples in Section 4 to be
    unnecessarily informal. I’ve provided suggested text for previous
    versions of this document that probably is still applicable, since
    the examples do not seem to have changed much. It seems preferable
    to describe the first motivating case without reference to a
    specific RIR. (Including a parenthetical note about the historical
    precedent of a Dutch court order involving RIPE is relevant and
    might be included.) There is language in the adverse actions
    document that could be used here to be more formal, less folksy.
    Since adverse actions is now a WG document, one might even cite
    sections of it to support the examples. In the second example, the
    term “borrowed” is not defined. I think I know what is implied, and
    it seems inappropriate to possibly condone advertisement of address
    space allocated to another party, just because that party is not
    advertising the space to the global Internet. Why not just stick
    with private address space in this example? The third example is a
    six-line, run-on sentence, so it’s not easy for a reader to be
    certain what the example really implies.

    The Notes section (5) seems to offer an analysis of requirements for
    potential solutions to address the use cases. Maybe a better section
    title is warranted.

    David’s SLURM document describes a mechanism that seems to address
    the local, customized view requirements described in Section 4.
    (David says that it addresses the second and maybe third use cases,
    but I think he was modest in his assertion.) SLURM could support the
    first use case, if the community decided on a mechanism to
    distribute SLURM files in response to a CA being compelled to modify
    RPKI data. (It would be easy to add a digital signature to the files,
    to provide authentication and integrity, but then there’s the little
    issue of key management and a suitable trust model …) The design
    accommodates merging of multiple SLURM files, meeting that
    requirement as stated in this section. Note that SLURM does not
    require modifying ROAs or GB records. It is a post-processing
    mechanism using “local” configuration data that overrides the global
    data acquired from the RPKI. This suggests that some of the comments
    in Section 5 are not accurate, e.g., ones that allude to the
    problems posed by not having keys to sign ROAs, etc. Although there
    is a need to achieve the effect of modifying, creating and/or
    replacing ROAs and GB records, that effect does not have to involve
    signatures on the affected data, as suggested in the first and third
    paragraphs of Section 5.

    Typos:

    … to be a formally formally defined set … (repeated word)

    … 'recipes' should be mergable (mergeable?)

    The Security Considerations text seems unduly negative. The approach
    being proposed here is not violating global security, because the
    results are intended to be local. How about the following wording:

    The use cases described in Section 4, and the notes for suggested
    solution approaches in Section 5, are not intended to undermine the
    security provided by the RPKI. Rather they identify potential
    obstacles to widespread adoption of the RPKI, and suggest changes
    that would enable network operators to generate custom “views” of
    the RPKI for use on a local basis. Providing the ability to create
    local RPKI views does not adversely affect global routing security.


--------------78AE76FB0E018A26C978767D--
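
Added example (not part of the original message and not the SLURM draft's own file format): a sketch of the post-processing override Stephen Kent describes above, where local filters and assertions are applied to already-validated RPKI output, with several local files merged first and no signed object touched. The dictionary layout, the function names, the cross-file conflict rule and the sample prefixes and ASNs are assumptions made for illustration.

```python
"""Local override of validated RPKI output (illustrative layout, not the draft's)."""
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: what a relying party extracts from a valid ROA."""
    prefix: str
    max_length: int
    asn: int


def _covers(outer: str, inner: str) -> bool:
    """True if `inner` equals or is more specific than `outer` (same family)."""
    o, i = ipaddress.ip_network(outer), ipaddress.ip_network(inner)
    return o.version == i.version and i.subnet_of(o)


def filter_matches(flt: dict, vrp: VRP) -> bool:
    """A filter names a prefix, an ASN, or both; every field present must match."""
    if "prefix" not in flt and "asn" not in flt:
        raise ValueError("filter must name a prefix, an ASN, or both")
    if "prefix" in flt and not _covers(flt["prefix"], vrp.prefix):
        return False
    if "asn" in flt and flt["asn"] != vrp.asn:
        return False
    return True


def merge_local_files(files: list) -> dict:
    """Merge several local files into one set of filters and assertions.

    Assumed rule for this example: a filter in one file must not match an
    assertion made by a different file, because the merged intent would be
    ambiguous. Filter plus assertion in the same file is a replacement.
    """
    filters = [(n, f) for n, doc in enumerate(files)
               for f in doc.get("filters", [])]
    asserts = [(n, VRP(**a)) for n, doc in enumerate(files)
               for a in doc.get("assertions", [])]
    for fn, flt in filters:
        for an, vrp in asserts:
            if fn != an and filter_matches(flt, vrp):
                raise ValueError(f"file {fn} filters what file {an} asserts: {vrp}")
    return {"filters": [f for _, f in filters],
            "assertions": sorted({v for _, v in asserts})}


def local_view(global_vrps, local: dict) -> list:
    """Drop filtered VRPs from the validated output, then add local assertions.

    The input list is never modified and no ROA is re-signed: the override
    exists only in this relying party's view.
    """
    kept = {v for v in global_vrps
            if not any(filter_matches(f, v) for f in local["filters"])}
    return sorted(kept | set(local["assertions"]))


# Constructed sample data (documentation prefixes and ASNs, private space).
GLOBAL_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 24, 64499),
    VRP("203.0.113.0/24", 24, 64498),
    VRP("2001:db8::/32", 48, 64496),
]
# Replace the origin seen globally for one prefix with a locally chosen one.
FILE_A = {"filters": [{"prefix": "198.51.100.0/24"}],
          "assertions": [{"prefix": "198.51.100.0/24", "max_length": 24, "asn": 64497}]}
# Ignore everything from one ASN and describe locally used private space.
FILE_B = {"filters": [{"asn": 64498}],
          "assertions": [{"prefix": "10.0.0.0/8", "max_length": 24, "asn": 64512}]}
# Conflicts with FILE_B: filters the private space that FILE_B asserts.
FILE_C = {"filters": [{"prefix": "10.0.0.0/8"}]}


if __name__ == "__main__":
    for vrp in local_view(GLOBAL_VRPS, merge_local_files([FILE_A, FILE_B])):
        print(f"{vrp.prefix:<18} max /{vrp.max_length:<3} AS{vrp.asn}")
    try:
        merge_local_files([FILE_B, FILE_C])
    except ValueError as exc:
        print("rejected merge:", exc)
```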


From nobody Sat Jul 23 16:58:49 2016
Return-Path: <david@mandelberg.org>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1C0712D7F4 for <sidr@ietfa.amsl.com>; Sat, 23 Jul 2016 16:58:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ueqFSXCq0CWX for <sidr@ietfa.amsl.com>; Sat, 23 Jul 2016 16:58:46 -0700 (PDT)
Received: from nm7-vm7.access.bullet.mail.bf1.yahoo.com (nm7-vm7.access.bullet.mail.bf1.yahoo.com [216.109.114.166]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99EA612D128 for <sidr@ietf.org>; Sat, 23 Jul 2016 16:58:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1469318319; bh=YsbujMVG+v03HWMjdenjc4jcpVT18PSDtHSbgCUNSEc=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=qVZ+sJnMvyIb3QOSxUcE7XOF2cMK/ieufBolkMBqYdC6SD7xRgLXZ1OC8r8AWnjqHSAMflH+ABvBM4SEpBVMckD1zqcYLKmM3BB7D9eNffP/JUSY3eWw9opN8PhzIa16NdCF4McFFETVE/0zqBHKCmzXQLnOKKuS4rWkrSFIYPjwlZ8D2dn39d349D06gz4yenKMxS50kTOq1xki/eAynOob1NJm8+bZn55qAM24e8oRPncMH0AZU0YNHdWRIuvTBxBsQPew8vs8p0jm5/G3K9od3nVXFTpcOe5B4f2maN1qBiRW8BjTyWKQZjaCJjWSr3Qb/USvIJ+tSpALsxN3Yg==
Received: from [66.196.81.164] by nm7.access.bullet.mail.bf1.yahoo.com with NNFMP; 23 Jul 2016 23:58:39 -0000
Received: from [98.138.104.98] by tm10.access.bullet.mail.bf1.yahoo.com with NNFMP; 23 Jul 2016 23:58:39 -0000
Received: from [127.0.0.1] by smtp118.sbc.mail.ne1.yahoo.com with NNFMP; 23 Jul 2016 23:58:39 -0000
X-Yahoo-Newman-Id: 585405.16786.bm@smtp118.sbc.mail.ne1.yahoo.com
X-Yahoo-Newman-Property: ymail-3
X-YMail-OSG: bW5YCPwVM1koSv4xXY_Net1sc2NxplW.7pZ91tydmKLe7KY U.LwHCwLVgwgnW6X.l2.pyQxaeUKRLpqsLvTwXUlnDV4P6igaEw3OHt_e.YM pOW7vWaBpXpHHnWisaZ460t0EAHZQ84KAWb5qU4NhNNMXhM.fitwfbWVwMTU j1gm2cYhySdQAalOUr_2FZq_3pA52F57EdACBEwPi7oa9tFTq.Hd9pD81tuq .Za3Uz32R6uHbct9PfIoRbK9qqm4c37b6ImqE8uMJWyncbd6w_pbRtF4YzsT Q6zzupnBtpsjVdzrRmT3xe1lEZ51ECMk9OIPBuuVWFP0_EEIU22BzcHvjw_y 9YUxJtMNlArBvrbG2oJAujQwxyXr5xC8YUczWtcqsgMvllaZkXUqsf3_WCjm bYumBnkPpaY_lSWK7h69Cz62sGj_9jA43Kv65Tq2zoTTf9bxzzpcyWcZ7lw7 hJCRi6dTDdZ9Mx_cO6uoPJ..j8HxWyouzitwaQATeERweahgeJ_axyBNoyoQ gUz6TgdxJwVWzKl_HGJH7PQF0lWmtpkaSq43BRw--
X-Yahoo-SMTP: 4kJJK.qswBDPuwyc5wW.BPAQqNXdy5j09UNyeAS0pyOQ708-
Received: from [192.168.1.153] (209-6-88-55.c3-0.smr-ubr1.sbo-smr.ma.cable.rcn.com [209.6.88.55]) by uriel.mandelberg.org (Postfix) with ESMTPSA id 9A89F1C6033 for <sidr@ietf.org>; Sat, 23 Jul 2016 19:58:37 -0400 (EDT)
To: sidr@ietf.org
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com> <953A2A6D-FAF1-4E99-AD62-048E5A844228@zdns.cn>
From: David Mandelberg <david@mandelberg.org>
Message-ID: <579404A8.50201@mandelberg.org>
Date: Sat, 23 Jul 2016 19:58:32 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <953A2A6D-FAF1-4E99-AD62-048E5A844228@zdns.cn>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="fOJgvuKPhCDb1hKpQClUfV8obaw7FiaHh"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/jv2oD69FVX8ChUxFMYOWTtWzMTg>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jul 2016 23:58:49 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--fOJgvuKPhCDb1hKpQClUfV8obaw7FiaHh
Content-Type: multipart/mixed; boundary="gS454THiHQe2NdrVIbUBMApajdcgilKr8"
From: David Mandelberg <david@mandelberg.org>
To: sidr@ietf.org
Message-ID: <579404A8.50201@mandelberg.org>
Subject: Re: [sidr] two stranded docuemnts - stake time
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net>
 <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com>
 <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com>
 <953A2A6D-FAF1-4E99-AD62-048E5A844228@zdns.cn>
In-Reply-To: <953A2A6D-FAF1-4E99-AD62-048E5A844228@zdns.cn>

--gS454THiHQe2NdrVIbUBMApajdcgilKr8
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Di, enjoy. You have my permission to take over SLURM. Let me know if
there's anything I can do to help.

On 07/22/2016 05:48 AM, Declan Ma wrote:
> Sandy & Chris,
>
> Thank Steve for recommending me to take over SLURM.
>
> With David’s permission, I would be happy to assume responsibility for
> SLURM.
>
> I think SLURM is quite important to RPKI operation in terms of local
> network.
>
> SLURM provides a simple way to enable INR holders to establish a local,
> customized view of the RPKI, by overriding RPKI repository data if
> needed.
>
> In particular, I was exchanging notes with David earlier on the use of
> multiple SLURM files among others, which I believe is worth more text in
> the next version of SLURM.
>
> Di
>
>> On 21 July 2016, at 19:42, Stephen Kent <kent@bbn.com> wrote:
>>
>> Sandy & Chris,
>>
>> I believe Chris' declaration is premature.
>>
>> I anticipate that Dr. Ma may want to take over slurm, with David's
>> permission.
>>
>> With a few minor tweaks the use cases doc can be done.
>>
>> Steve
>>
>>
>> _______________________________________________
>> sidr mailing list
>> sidr@ietf.org
>> https://www.ietf.org/mailman/listinfo/sidr


-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/


--gS454THiHQe2NdrVIbUBMApajdcgilKr8--

--fOJgvuKPhCDb1hKpQClUfV8obaw7FiaHh--


From nobody Sun Jul 24 10:24:54 2016
Return-Path: <morrowc@ops-netman.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FA8312D56D for <sidr@ietfa.amsl.com>; Sun, 24 Jul 2016 10:24:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level: 
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQV7aov_lND0 for <sidr@ietfa.amsl.com>; Sun, 24 Jul 2016 10:24:50 -0700 (PDT)
Received: from relay.kvm02.ops-netman.net (relay.ops-netman.net [192.110.255.59]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 938B712D556 for <sidr@ietf.org>; Sun, 24 Jul 2016 10:24:49 -0700 (PDT)
Received: from mail.ops-netman.net (unknown [208.76.12.119]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by relay.kvm02.ops-netman.net (Postfix) with ESMTPS id 6DAB240918; Sun, 24 Jul 2016 17:24:46 +0000 (UTC)
Received: from morrowc-glaptop4.roam.corp.google.com.ops-netman.net (static-96-241-182-39.washdc.fios.verizon.net [96.241.182.39]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mail.ops-netman.net (Postfix) with ESMTPSA id 322338812DF; Sun, 24 Jul 2016 17:24:46 +0000 (UTC)
Date: Sun, 24 Jul 2016 18:24:45 +0100
Message-ID: <yj9oshuz3q5e.wl%morrowc@ops-netman.net>
From: Chris Morrow <morrowc@ops-netman.net>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <4866b582-0016-2136-1dc6-e95946eeff78@bbn.com>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com> <yj9ofur2iqgd.wl%morrowc@ops-netman.net> <m28twudtww.wl%randy@psg.com> <CAL9jLab9Zaz1UjJfjJNmjU3FcMkF+mSYKLj7VGKEydK0FKOjJg@mail.gmail.com> <4866b582-0016-2136-1dc6-e95946eeff78@bbn.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/24.3 Mule/6.0 (HANACHIRUSATO)
Organization: Operations Network Management, Ltd.
MIME-Version: 1.0 (generated by SEMI-EPG 1.14.7 - "Harue")
Content-Type: text/plain; charset=ISO-2022-JP
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/_SKAGSL8Ztgt3hk88PPikO0MwJc>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr <sidr@ietf.org>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jul 2016 17:24:52 -0000

At Fri, 22 Jul 2016 11:48:30 -0400,
Stephen Kent <kent@bbn.com> wrote:
> 
> Chris,
> 
> Here is my message to the SIDR list from 6/16:
> 

great, thanks!

> 
>    I read the latest version of this document and have a few comments,
>    some of which I have made before, to no avail ;-).
> 
>    I still find the wording of the three examples in Section 4 to be
>    unnecessarily informal. I$B!G(Bve provided suggested text for previous
>    versions of this document that probably is still applicable, since
>    the examples do not seem to have changed much. It seems preferable
>    to describe the first motivating case without reference to a
>    specific RIR. (Including a parenthetical note about the historical
>    precedent of a Dutch court order involving RIPE is relevant and
>    might be included.) There is language in the adverse actions
>    document that could be used here to be more formal, less folksy.
>    Since adverse actions is now a WG document, one might even cite
>    sections of it to support the examples. In the second example, the
>    term “borrowed” is not defined. I think I know what is implied, and
>    it seems inappropriate to possibly condone advertisement of address
>    space allocated to another party, just because that party is not
>    advertising the space to the global Internet. Why not just stick
>    with private address space in this example? The third example is a
>    six-line, run-on sentence, so it$B!G(Bs not easy for a reader to be
>    certain what the example really implies.
> 
>    The Notes section (5) seems to offer an analysis of requirements for
>    potential solutions to address the use cases. Maybe a better section
>    title is warranted.
> 
>    David$B!G(Bs SLURM document describes a mechanism that seems to address
>    the local, customized view requirements described in Section 4.
>    (David says that it addresses the second and maybe third uses cases,
>    but I think he was modest in his assertion.) SLURM could support the
>    first use case, if the community decided on a mechanism to
>    distribute SLURM files in response to a CA being compelled to modify
>    RPKI data. (It would be easy to add a digital signature to the files,
>    to provide authentication and integrity, but then there’s the little
>    issue of key management and a suitable trust model …) The design
>    accommodates merging of multiple SLURM files, meeting that
>    requirement as stated in this section. Note that SLURM does not
>    require modifying ROAs or GB records. It is a post-processing
>    mechanism using $B!H(Blocal$B!I(B configuration data that overrides the global
>    data acquired from the RPKI. This suggests that some of the comments
>    in Section 5 are not accurate, e.g., ones that allude to the
>    problems posed by not having keys to sign ROAs, etc. Although there
>    is a need to achieve the effect of modifying, creating and/or
>    replacing ROAs and GB records, that effect does not have to involve
>    signatures on the affected data, as suggested in the first and third
>    paragraphs of Section 5.
> 
>    Typos:
> 
>    $B!D(B to be a formally formally defined set $B!D(B (repeated word)
> 
>    $B!D(B 'recipes' should be mergable (mergeable?)
> 
>    The Security Considerations text seems unduly negative. The approach
>    being proposed here is not violating global security, because the
>    results are intended to be local. How about the following wording:
> 
>    The use cases described in Section 4, and the notes for suggested
>    solution approaches in Section 5, are not intended to undermine the
>    security provided by the RPKI. Rather they identify potential
>    obstacles to widespread adoption of the RPKI, and suggest changes
>    that would enable network operators to generate custom “views” of
>    the RPKI for use on a local basis. Providing the ability to create
>    local RPKI views does not adversely affect global routing security.
> 
> 


From nobody Mon Jul 25 06:20:26 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietf.org
Delivered-To: sidr@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 73A55127078; Mon, 25 Jul 2016 06:20:23 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.29.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160725132023.11408.42667.idtracker@ietfa.amsl.com>
Date: Mon, 25 Jul 2016 06:20:23 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/CiSbWdQuwELisRBGLtL8Qdirm2g>
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-adverse-actions-01.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 13:20:23 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : Adverse Actions by a Certification Authority (CA) or Repository Manager in the Resource Public Key Infrastructure (RPKI)
        Authors         : Stephen Kent
                          Di Ma
	Filename        : draft-ietf-sidr-adverse-actions-01.txt
	Pages           : 25
	Date            : 2016-07-25

Abstract:
   This document analyzes actions by or against a CA or independent
   repository manager in the RPKI that can adversely affect the Internet
   Number Resources (INRs) associated with that CA or its subordinate
   CAs.  The analysis is based on examination of the data items in the
   RPKI repository, as controlled by a CA (or independent repository
   manager) and fetched by Relying Parties (RPs).  The analysis is
   performed from the perspective of an affected INR holder.  The
   analysis does not purport to be comprehensive; it does represent an
   orderly way to analyze a number of ways that errors by or attacks
   against a CA or repository manager can affect the RPKI and routing
   decisions based on RPKI data.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-adverse-actions/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-adverse-actions-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-adverse-actions-01


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Mon Jul 25 08:26:13 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AFB912D0F6 for <sidr@ietfa.amsl.com>; Mon, 25 Jul 2016 08:26:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GAVDW5QdAVxQ for <sidr@ietfa.amsl.com>; Mon, 25 Jul 2016 08:26:11 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BB5E12D85C for <sidr@ietf.org>; Mon, 25 Jul 2016 08:26:11 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:47905 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bRhld-0008mk-58 for sidr@ietf.org; Mon, 25 Jul 2016 11:26:05 -0400
To: sidr <sidr@ietf.org>
From: Stephen Kent <kent@bbn.com>
Message-ID: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com>
Date: Mon, 25 Jul 2016 11:26:04 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/yM2PuuK2mh46l92yRZhULUp7uoY>
Subject: [sidr] adverse actions -01 posted
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2016 15:26:12 -0000

Folks,

I have just posted the -01 version of the adverse actions document. It 
contains the edits I noted in my response to Tim on 7/19, as well as the 
revisions to the intro in response to feedback from Sandy and Randy.

Please send any comments on the revised version to the list.

I want to thank Daiming Li of ZDNS for transforming my revisions into a 
new .txt file suitable for posting.

Steve


From nobody Tue Jul 26 07:14:13 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1482212DF17 for <sidr@ietfa.amsl.com>; Tue, 26 Jul 2016 07:14:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id prC0yTVWGi_U for <sidr@ietfa.amsl.com>; Tue, 26 Jul 2016 07:14:07 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFEC512DB8C for <sidr@ietf.org>; Tue, 26 Jul 2016 06:57:44 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bS2rc-0008GJ-Sr; Tue, 26 Jul 2016 15:57:42 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-62.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bS2rc-0007dr-Nw; Tue, 26 Jul 2016 15:57:40 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com>
Date: Tue, 26 Jul 2016 15:57:40 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071990b5ae4620551a273992e24cd1cf7222
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/ji3X4etorZ2B3GjXy_39rhwspac>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted

Hi Steve, list,

I still have an issue with the word "adverse" used in this document, and
especially the first line in the introduction:

   In the context of this document, any change to the Resource Public
   Key Infrastructure (RPKI) [RFC6480] that results in a diminution of
   the set of Internet Numeric Resources (INRs) associated with an INR
   holder contrary to the holder's wishes is termed "adverse".

To me the word "adverse" communicates an unfavourable, possibly even
malicious, action by an adversary. It implies that for conscious actions
by a parent CA against the will by a child CA, the parent is "wrong" and
the child is "right" (the victim of something that is "adverse"). As I
said earlier there are circumstances where we as RIPE NCC are bound to
reclaim resources from holders against their will. And however
"unwanted" this may be by the holder of the resources, this is not
because we bear these holders any ill will (and actually in most cases
there is no dispute). Reclaiming resources is based on policy discussed
in a bottom-up policy development process in our address policy working
group. Calling this "adverse" implies that the holder is "right", and
RIPE NCC is "wrong" in these cases.

I strongly believe that this document should not take sides. This may be
what the authors intended in the first place, but then I would be much
more comfortable if the word used was "unwanted". I believe this term is
also more appropriate when the cause of the problem is unintentional (an
error/glitch).

Tim



> On 25 Jul 2016, at 17:26, Stephen Kent <kent@bbn.com> wrote:
>
> Folks,
>
> I have just posted the -01 version of the adverse actions document. It
> contains the edits I noted in my response to Tim on 7/19, as well as the
> revisions to the intro in response to feedback from Sandy and Randy.
>
> Please send any comments on the revised version to the list.
>
> I want to thank Daiming Li of ZDNS for transforming my revisions into
> a new .txt file suitable for posting.
>
> Steve


From nobody Tue Jul 26 11:41:27 2016
Return-Path: <kent@bbn.com>
From: Stephen Kent <kent@bbn.com>
To: Tim Bruijnzeels <tim@ripe.net>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com> <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net>
Message-ID: <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com>
Date: Tue, 26 Jul 2016 14:41:07 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Xnpa6P9EqOyrco93cwFvSyYEH-w>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted

Tim,

> Hi Steve, list,
>
> I still have an issue with the word "adverse" used in this document, and especially the first line in the introduction:
>
>     In the context of this document, any change to the Resource Public
>     Key Infrastructure (RPKI) [RFC6480] that results in a diminution of
>     the set of Internet Numeric Resources (INRs) associated with an INR
>     holder contrary to the holder's wishes is termed "adverse".
>
> To me the word "adverse" communicates an unfavourable, possibly even malicious, action by an adversary.

The term adverse is appropriate as used in this document. When I look up 
the term I find the following primary definitions:

     unfavorable or antagonistic in purpose or effect, opposed to one's
     interests, causing harm, etc.

Synonyms include inimical and injurious.

These meanings are precisely what is intended here.

> It implies that for conscious actions by a parent CA against the will by a child CA, the parent is "wrong" and the child is "right" (the victim of something that is "adverse").

You seem to be imposing your own interpretation here. Your description
above is not consistent with dictionary definitions or normal English
usage. There is no sense that an adversely affected entity is
necessarily right.

> As I said earlier there are circumstances where we as RIPE NCC are bound to reclaim resources from holders against their will. And however "unwanted" this may be by the holder of the resources, this is not because we bear these holders any ill will (and actually in most cases there is no dispute). Reclaiming resources is based on policy discussed in a bottom-up policy development process in our address policy working group. Calling this "adverse" implies that the holder is "right", and RIPE NCC is "wrong" in these cases.

Use of the term does not imply that the INR holder is right and the CA
is wrong. The fact that you keep using RIPE as the example CA suggests,
to me, that you are biased and very defensive, in your interpretation of
the term.

> I strongly believe that this document should not take sides. This may be what the authors intended in the first place, but then I would be much more comfortable if the word used was "unwanted". I believe this term is also more appropriate when the cause of the problem is unintentional (an error/glitch).

The term is appropriate irrespective of the source or motivation of the
action.

Steve


From nobody Tue Jul 26 16:21:16 2016
Return-Path: <randy@psg.com>
Date: Wed, 27 Jul 2016 08:21:09 +0900
Message-ID: <m2zip43s0q.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com> <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net> <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/cqVbG34wv-XRolkxQn8yoJ3xMA8>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted

>> To me the word "adverse" communicates an unfavourable, possibly even
>> malicious, action by an adversary.
> 
> The term adverse is appropriate as used in this document. When I look
> up the term I find the following primary definitions:
> 
>      unfavorable or antagonistic in purpose or effect, opposed to
> one's interests, causing harm, etc.
> 
> Synonyms include inimical and injurious.
> 
> These meanings are precisely what is intended here.

and what tim, and others, are trying to say is that exactly those
meanings are inappropriate.  we do not really know intent, contracts,
and business/social context.

i picked the first example of an 'adverse action' in your document and
explained how it can be normal operations (and it is said you have fixed
it, tyvm).  i had hopes you would induce.

operations and deployment are messy.  apologies.

tim made a fair suggestion of a lighter word.

randy


From nobody Tue Jul 26 21:12:41 2016
Return-Path: <internet-drafts@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.29.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160727041240.30913.25419.idtracker@ietfa.amsl.com>
Date: Tue, 26 Jul 2016 21:12:40 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/873-AQ2H29H9PiYMRckt34IiaSc>
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-lta-use-cases-06.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : Use Cases for Localized Versions of the RPKI
        Author          : Randy Bush
	Filename        : draft-ietf-sidr-lta-use-cases-06.txt
	Pages           : 5
	Date            : 2016-07-26

Abstract:
   There are a number of critical circumstances where a localized
   routing domain needs to augment or modify its view of the Global
   RPKI.  This document attempts to outline a few of them.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-lta-use-cases/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases-06

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-lta-use-cases-06




From nobody Wed Jul 27 10:39:02 2016
Return-Path: <kent@bbn.com>
From: Stephen Kent <kent@bbn.com>
To: Randy Bush <randy@psg.com>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com> <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net> <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com> <m2zip43s0q.wl%randy@psg.com>
Message-ID: <afb4f8dc-3e29-c8fe-f8fe-2d7b2fcd7a1f@bbn.com>
Date: Wed, 27 Jul 2016 13:38:54 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <m2zip43s0q.wl%randy@psg.com>
Content-Type: multipart/alternative; boundary="------------C3891FEAD8E18829E0111099"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/BxBanqzADBO94SYJDy5CHjKqim4>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted

Randy,

I read your comments carefully, and I'm puzzled by several of them.

You said, for example:
> and what tim, and others, are trying to say is that exactly those
> meanings are inappropriate.  we do not really know intent, contracts,
> and business/social context.
the introduction says:

    Thus this document examines the implications of adverse actions with
    respect to INRs irrespective of the cause of the actions.


That text was trying to indicate that , for example, nothing to do with 
whether an action is adverse. But, I have revised the intro to make this 
clearer.
> i picked the first example of an 'adverse action' in your document and
> explained how it can be normal operations (and it is said you have fixed
> it, tyvm).  i had hopes you would induce.
Your comments persuaded me to revise the text in question and to note 
that not all examples of competing ROAs or certs represent adverse 
actions. That, IMHO, was an appropriate and adequate change. You didn't 
say that you found the term "adverse" to be a problem.

> tim made a fair suggestion of a lighter word.
Tim offered no suggestion for a different term, which is not helpful. 
Moreover, his tone communicated bias and defensiveness, which is also 
not helpful.

Nonetheless, I have revised the introduction to address the cited 
concerns, but I have not adopted a new term, because:
     - it's reasonable, if one understands the definition
     - nobody has offered any alternative, much less a better
       alternative, that encompasses the full range of actions that may
       be the result of errors, attacks, etc.

Steve
--------

1.  Introduction

In the context of this document, any change to the Resource Public Key
Infrastructure (RPKI) [RFC6480] that modifies the set of Internet
Numeric Resources (INRs) associated with an INR holder, and that is
contrary to the holder's wishes, is termed "adverse". An action that
results in an adverse charge (as defined above), may be the result of an
attack on a CA [RFC7132], an error by a CA, or an error by or an attack
on a repository operator. *Note that the CA that allocated the affected
INRs may be acting in accordance with established policy, and thus the
change may be legally justified, even though viewed as adverse by the
INR holder. This document examines the implications of adverse actions
with respect to INRs irrespective of the cause of the actions.*

Additionally, when a ROA or router certificate is created that
"competes" with an existing ROA or router certificate (respectively),
the creation of the new ROA or router certificate may be adverse. (A
newer ROA competes with an older ROA if the newer ROA points to a
different ASN, contains the same or a more specific prefix, and is
issued by a different CA. A newer router certificate competes with an
older router certificate if the newer one contains the same ASN, a
different public key, and is issued by a different CA.) Note that
transferring resources, or changing of upstream providers may yield
competing ROAs and/or router certificates, under some circumstances.
Thus not all instances of competition are adverse actions.

As noted above, adverse changes to RPKI data may arise due to several
types of causes. A CA may make a mistake in managing the RPKI objects it
signs, or it may be subject to an attack. If an attack allows an
adversary to use the private key of that CA to sign RPKI objects, then
the effect is analogous to the CA making mistakes. There is also the
possibility that a CA or repository operator may be subject to legal
measures that compel them to make adverse changes to RPKI data. In many
cases, such actions may be hard to distinguish from mistakes or attacks,
other than with respect to the time required to remedy the adverse
action. (Presumably the CA will take remedial action when a mistake or an
attack is detected, so the effects are similar in these cases. If a CA
has been legally compelled to effect an adverse change, remediation will
likely not be swift.)

This document analyzes the various types of actions by a CA (or
independent repository operator) that can adversely affect the INRs
associated with that CA, as well as the INRs of subordinate CAs. The
analysis is based on examination of the data items in the RPKI
repository, as controlled by a CA (or independent repository operator)
and fetched by Relying Parties (RPs). The analysis is done from the
perspective of an affected INR holder.
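
The competition rules in the revised introduction above, written as a check that an INR holder's monitoring could run over validated objects. This is an added example, not part of the message or the draft: the `Roa` and `RouterCert` records, the CA labels, the `issued` ordering field and the sample objects are all constructed. A match is only a candidate for review, since the draft notes that transfers and provider changes also yield competing objects.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    issuer: str   # label of the issuing CA (constructed)
    asn: int      # origin ASN the ROA authorizes
    prefix: str   # IPv4 or IPv6 prefix in CIDR form
    issued: int   # assumed ordering field: larger means newer


@dataclass(frozen=True)
class RouterCert:
    issuer: str
    asn: int
    public_key: str  # stand-in for the subject public key
    issued: int


def roa_competes(newer: Roa, older: Roa) -> bool:
    """Draft rule: different ASN, same or more specific prefix, different CA."""
    if newer.issued <= older.issued:
        return False
    new_net, old_net = ip_network(newer.prefix), ip_network(older.prefix)
    if new_net.version != old_net.version:
        return False  # an IPv4 prefix never covers an IPv6 prefix
    return (newer.asn != older.asn
            and new_net.subnet_of(old_net)   # True for equal prefixes too
            and newer.issuer != older.issuer)


def router_cert_competes(newer: RouterCert, older: RouterCert) -> bool:
    """Draft rule: same ASN, different public key, different CA."""
    return (newer.issued > older.issued
            and newer.asn == older.asn
            and newer.public_key != older.public_key
            and newer.issuer != older.issuer)


def find_competitors(objects, competes):
    """Return (newer, older) pairs that satisfy the given competition rule."""
    ordered = sorted(objects, key=lambda o: o.issued)
    return [(n, o) for i, n in enumerate(ordered)
            for o in ordered[:i] if competes(n, o)]


# Constructed sample data (documentation prefixes and ASNs).
ROAS = [
    Roa("CA-A", 64496, "192.0.2.0/24", 1),
    Roa("CA-A", 64496, "2001:db8::/32", 2),
    Roa("CA-B", 64497, "192.0.2.128/25", 3),   # competes with ROAS[0]
    Roa("CA-A", 64498, "192.0.2.0/25", 4),     # same CA as ROAS[0]: no
    Roa("CA-B", 64496, "192.0.2.0/24", 5),     # same ASN as ROAS[0]: no
    Roa("CA-C", 64499, "2001:db8:1::/48", 6),  # competes with ROAS[1]
]

CERTS = [
    RouterCert("CA-A", 64496, "key-1", 1),
    RouterCert("CA-A", 64496, "key-2", 2),  # same CA (e.g. key rollover): no
    RouterCert("CA-B", 64496, "key-3", 3),  # competes with both CA-A certs
    RouterCert("CA-B", 64497, "key-4", 4),  # different ASN: no
]


if __name__ == "__main__":
    for newer, older in find_competitors(ROAS, roa_competes):
        print(f"review: ROA {newer.prefix} AS{newer.asn} ({newer.issuer}) "
              f"competes with {older.prefix} AS{older.asn} ({older.issuer})")
    for newer, older in find_competitors(CERTS, router_cert_competes):
        print(f"review: router cert AS{newer.asn} {newer.public_key} "
              f"({newer.issuer}) competes with {older.public_key} ({older.issuer})")
```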




<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <!--[if gte mso 9]><xml>
 <w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
  DefSemiHidden="true" DefQFormat="false" DefPriority="99"
  LatentStyleCount="276">
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 1"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
  <w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
  <w:LsdException Locked="false" Priority="34" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
  <w:LsdException Locked="false" Priority="29" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
  <w:LsdException Locked="false" Priority="30" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 1"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 2"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 2"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 3"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 3"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 4"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 4"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 5"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 5"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
  <w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
  <w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 6"/>
  <w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
  <w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
  <w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
  <w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
  <w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 6"/>
  <w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
  <w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
  <w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
  <w:LsdException Locked="false" Priority="19" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
  <w:LsdException Locked="false" Priority="21" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
  <w:LsdException Locked="false" Priority="31" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
  <w:LsdException Locked="false" Priority="32" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
  <w:LsdException Locked="false" Priority="33" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
  <w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
  <w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
 </w:LatentStyles>
</xml><![endif]-->
    <style>
<!--
 /* Font Definitions */
@font-face
	{font-family:"Courier New";
	panose-1:2 7 3 9 2 2 5 2 4 4;
	mso-font-charset:0;
	mso-generic-font-family:auto;
	mso-font-pitch:variable;
	mso-font-signature:3 0 0 0 1 0;}
@font-face
	{font-family:"ＭＳ 明朝";
	panose-1:0 0 0 0 0 0 0 0 0 0;
	mso-font-alt:"Optima ExtraBlack";
	mso-font-charset:128;
	mso-generic-font-family:roman;
	mso-font-format:other;
	mso-font-pitch:fixed;
	mso-font-signature:1 134676480 16 0 131072 0;}
@font-face
	{font-family:"ＭＳ 明朝";
	panose-1:0 0 0 0 0 0 0 0 0 0;
	mso-font-alt:"Optima ExtraBlack";
	mso-font-charset:128;
	mso-generic-font-family:roman;
	mso-font-format:other;
	mso-font-pitch:fixed;
	mso-font-signature:1 134676480 16 0 131072 0;}
@font-face
	{font-family:Cambria;
	panose-1:2 4 5 3 5 4 6 3 2 4;
	mso-font-charset:0;
	mso-generic-font-family:auto;
	mso-font-pitch:variable;
	mso-font-signature:-536870145 1073743103 0 0 415 0;}
 /* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{mso-style-unhide:no;
	mso-style-qformat:yes;
	mso-style-parent:"";
	margin:0in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	mso-bidi-font-size:10.0pt;
	font-family:Cambria;
	mso-ascii-font-family:Cambria;
	mso-ascii-theme-font:minor-latin;
	mso-fareast-font-family:"ＭＳ 明朝";
	mso-fareast-theme-font:minor-fareast;
	mso-hansi-font-family:Cambria;
	mso-hansi-theme-font:minor-latin;
	mso-bidi-font-family:"Times New Roman";
	mso-bidi-theme-font:minor-bidi;
	mso-fareast-language:JA;}
.MsoChpDefault
	{mso-style-type:export-only;
	mso-default-props:yes;
	font-size:10.0pt;
	mso-ansi-font-size:10.0pt;
	mso-bidi-font-size:10.0pt;
	font-family:Cambria;
	mso-ascii-font-family:Cambria;
	mso-ascii-theme-font:minor-latin;
	mso-fareast-font-family:"ＭＳ 明朝";
	mso-fareast-theme-font:minor-fareast;
	mso-hansi-font-family:Cambria;
	mso-hansi-theme-font:minor-latin;
	mso-bidi-font-family:"Times New Roman";
	mso-bidi-theme-font:minor-bidi;
	mso-fareast-language:JA;}
@page WordSection1
	{size:8.5in 792.7pt;
	margin:.75in .75in .75in .75in;
	mso-header-margin:0in;
	mso-footer-margin:.65in;
	mso-paper-source:0;}
div.WordSection1
	{page:WordSection1;}
-->
</style><!--[if gte mso 10]>
<style>
 /* Style Definitions */
table.MsoNormalTable
	{mso-style-name:"Table Normal";
	mso-tstyle-rowband-size:0;
	mso-tstyle-colband-size:0;
	mso-style-noshow:yes;
	mso-style-priority:99;
	mso-style-parent:"";
	mso-padding-alt:0in 5.4pt 0in 5.4pt;
	mso-para-margin:0in;
	mso-para-margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:10.0pt;
	font-family:Cambria;
	mso-ascii-font-family:Cambria;
	mso-ascii-theme-font:minor-latin;
	mso-hansi-font-family:Cambria;
	mso-hansi-theme-font:minor-latin;
	mso-fareast-language:JA;}
</style>
<![endif]--><!--StartFragment--><!--EndFragment--><br>
    <br>
  </body>
</html>

--------------C3891FEAD8E18829E0111099--


From nobody Wed Jul 27 12:05:19 2016
Return-Path: <m.waehlisch@fu-berlin.de>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1AF112D836 for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2016 12:05:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O32QzXT1o135 for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2016 12:05:16 -0700 (PDT)
Received: from outpost1.zedat.fu-berlin.de (outpost1.zedat.fu-berlin.de [130.133.4.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6109612D522 for <sidr@ietf.org>; Wed, 27 Jul 2016 12:05:16 -0700 (PDT)
Received: from inpost2.zedat.fu-berlin.de ([130.133.4.69]) by outpost.zedat.fu-berlin.de (Exim 4.85) with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (envelope-from <m.waehlisch@fu-berlin.de>) id <1bSU8l-003AFk-Bf>; Wed, 27 Jul 2016 21:05:11 +0200
Received: from x5ce7e24d.dyn.telefonica.de ([92.231.226.77] helo=mw-PC.fritz.box) by inpost2.zedat.fu-berlin.de (Exim 4.85) with esmtpsa (TLSv1:AES256-SHA:256) (envelope-from <m.waehlisch@fu-berlin.de>) id <1bSU8k-001vkQ-VT>; Wed, 27 Jul 2016 21:05:11 +0200
Date: Wed, 27 Jul 2016 21:02:57 +0200
From: Matthias Waehlisch <m.waehlisch@fu-berlin.de>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <afb4f8dc-3e29-c8fe-f8fe-2d7b2fcd7a1f@bbn.com>
Message-ID: <alpine.WNT.2.00.1607272054380.15548@mw-PC>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com> <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net> <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com> <m2zip43s0q.wl%randy@psg.com> <afb4f8dc-3e29-c8fe-f8fe-2d7b2fcd7a1f@bbn.com>
User-Agent: Alpine 2.00 (WNT 1167 2008-08-23)
X-X-Sender: waehl@mail.zedat.fu-berlin.de
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Originating-IP: 92.231.226.77
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/C9jX_AYdPa02_cfxxrspH9-cOik>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 19:05:17 -0000

Hi Steve,

On Wed, 27 Jul 2016, Stephen Kent wrote:

> Tim offered no suggestion for a different term, which is not helpful. 
>
  the suggestion was "unwanted".

  I just had a brief look into "Internet Security Glossary, Version 2" 
(https://tools.ietf.org/html/rfc4949), "corrupted" could be an 
alternative but I suppose it's still not light version.



Cheers
  matthias


From nobody Wed Jul 27 13:13:40 2016
Return-Path: <kent@bbn.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83EFE12D501 for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2016 13:13:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.488
X-Spam-Level: 
X-Spam-Status: No, score=-5.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XrCG88dg66R1 for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2016 13:13:37 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE2E112D500 for <sidr@ietf.org>; Wed, 27 Jul 2016 13:13:36 -0700 (PDT)
Received: from ssh.bbn.com ([192.1.122.15]:51431 helo=COMSEC.fios-router.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1bSVCm-00054F-Pv; Wed, 27 Jul 2016 16:13:24 -0400
To: Matthias Waehlisch <m.waehlisch@fu-berlin.de>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com> <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net> <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com> <m2zip43s0q.wl%randy@psg.com> <afb4f8dc-3e29-c8fe-f8fe-2d7b2fcd7a1f@bbn.com> <alpine.WNT.2.00.1607272054380.15548@mw-PC>
From: Stephen Kent <kent@bbn.com>
Message-ID: <9b33dd4f-6361-626d-5e0b-fa6d4ba3b260@bbn.com>
Date: Wed, 27 Jul 2016 16:13:24 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <alpine.WNT.2.00.1607272054380.15548@mw-PC>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/Dy6u8co5UGBHFZysaia4pZDLa6Q>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2016 20:13:38 -0000

Matthias,


> Hi Steve,
>
> On Wed, 27 Jul 2016, Stephen Kent wrote:
>
>> Tim offered no suggestion for a different term, which is not helpful.
>>
>    the suggestion was "unwanted".
I reread Tim's message; I don't interpret it as having suggested 
"unwanted" as an alternative. What I see is Tim noting that the changes 
are unwanted by the INR holder. That's true, but the term evocative, 
i.e., it fails to communicate the fact that the changes adversely affect 
the INR holder.
> I just had a brief look into "Internet Security Glossary, Version 2"
> (https://tools.ietf.org/html/rfc4949), "corrupted" could be an
> alternative but I suppose it's still not light version.
Corruption usually implies an unauthorized change, an integrity 
violation. Suppression of an update to the RPKI repository system would 
not be accurately characterized as corruption, yet it is one of the 
actions we consider.

Steve


From nobody Wed Jul 27 17:11:01 2016
Return-Path: <randy@psg.com>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC9DC12DB4B for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2016 17:11:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.187
X-Spam-Level: 
X-Spam-Status: No, score=-8.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7DIAAQ24KHEK for <sidr@ietfa.amsl.com>; Wed, 27 Jul 2016 17:10:59 -0700 (PDT)
Received: from ran.psg.com (ran.psg.com [IPv6:2001:418:8006::18]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6882912DB3A for <sidr@ietf.org>; Wed, 27 Jul 2016 17:10:57 -0700 (PDT)
Received: from localhost ([127.0.0.1] helo=ryuu.psg.com) by ran.psg.com with esmtp (Exim 4.82) (envelope-from <randy@psg.com>) id 1bSYud-0004jc-5o; Thu, 28 Jul 2016 00:10:55 +0000
Date: Thu, 28 Jul 2016 09:10:53 +0900
Message-ID: <m260rq39ma.wl%randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Stephen Kent <kent@bbn.com>
In-Reply-To: <9b33dd4f-6361-626d-5e0b-fa6d4ba3b260@bbn.com>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com> <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net> <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com> <m2zip43s0q.wl%randy@psg.com> <afb4f8dc-3e29-c8fe-f8fe-2d7b2fcd7a1f@bbn.com> <alpine.WNT.2.00.1607272054380.15548@mw-PC> <9b33dd4f-6361-626d-5e0b-fa6d4ba3b260@bbn.com>
User-Agent: Wanderlust/2.15.9 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.7 - "Harue")
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/_IWRtslnV-2A5BgQXvGt2JFwqMM>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 00:11:01 -0000

>>> Tim offered no suggestion for a different term, which is not helpful.
>> the suggestion was "unwanted".
> I reread Tim's message; I don't interpret it as having suggested 
> "unwanted" as an alternative.

that is clear.  others, such as matthias and i, did.  but this is not
productive.

to be clear, i hereby suggest s/adverse/unwanted/

randy


From nobody Thu Jul 28 01:31:12 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75E4612D143 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 01:31:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gb2ICVS6gCLG for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 01:31:09 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAAC912B062 for <sidr@ietf.org>; Thu, 28 Jul 2016 01:31:08 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bSgie-000BGc-Kc; Thu, 28 Jul 2016 10:31:05 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-133.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bSgie-0006jp-CW; Thu, 28 Jul 2016 10:31:04 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: text/plain; charset=us-ascii
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <m260rq39ma.wl%randy@psg.com>
Date: Thu, 28 Jul 2016 10:31:04 +0200
Content-Transfer-Encoding: 7bit
Message-Id: <7DD46C12-3E5E-44B0-9423-46A4F464AAA7@ripe.net>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com> <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net> <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com> <m2zip43s0q.wl%randy@psg.com> <afb4f8dc-3e29-c8fe-f8fe-2d7b2fcd7a1f@bbn.com> <alpine.WNT.2.00.1607272054380.15548@mw-PC> <9b33dd4f-6361-626d-5e0b-fa6d4ba3b260@bbn.com> <m260rq39ma.wl%randy@psg.com>
To: Randy Bush <randy@psg.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: ----------
X-RIPE-Spam-Report: Spam Total Points:   -10.7 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a071977c2fc25d431ff9616764297a18652d2
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/GaC6wbUAAZI2Sx6OdFiXk0ytLAg>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 08:31:10 -0000

> On 28 Jul 2016, at 02:10, Randy Bush <randy@psg.com> wrote:
> 
>>>> Tim offered no suggestion for a different term, which is not helpful.
>>> the suggestion was "unwanted".
>> I reread Tim's message; I don't interpret it as having suggested 
>> "unwanted" as an alternative.
> 
> that is clear.  others, such as matthias and i, did.  but this is not
> productive.
> 
> to be clear, i hereby suggest s/adverse/unwanted/

To be clear, that was my intended suggestion

Tim


> 
> randy
> 


From nobody Thu Jul 28 01:43:28 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9F5A12D0A6 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 01:43:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.186
X-Spam-Level: 
X-Spam-Status: No, score=-3.186 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zVIfsLYw9FhN for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 01:43:26 -0700 (PDT)
Received: from mahimahi.ripe.net (mahimahi.ripe.net [IPv6:2001:67c:2e8:11::c100:1372]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ECC312D78C for <sidr@ietf.org>; Thu, 28 Jul 2016 01:43:26 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by mahimahi.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bSguZ-000Be0-C2; Thu, 28 Jul 2016 10:43:24 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-133.ripe.net) by nene.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bSguZ-0005Ky-6Q; Thu, 28 Jul 2016 10:43:23 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_D29A4F0A-1B4C-464D-8ED8-34A9609D1C02"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com>
Date: Thu, 28 Jul 2016 10:43:22 +0200
Message-Id: <C08F44A5-EAD7-4EF4-A49B-1696D0E51136@ripe.net>
References: <76dad5c8-114a-19fe-6fc2-cf3c45e0f666@bbn.com> <227BF007-90BD-4301-A349-FC01A1A5969A@ripe.net> <c9243c24-e976-c234-01c7-110c768ba0b6@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points:   -8.0 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.0 HTML_MESSAGE           BODY: HTML included in message 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60% [score: 0.4345]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719e3c771a84a98babcb6651931be3ec6fa
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/lntH6k9CZhTIl9yiqa_kmzQLH_Q>
Cc: sidr <sidr@ietf.org>
Subject: Re: [sidr] adverse actions -01 posted
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 08:43:28 -0000

--Apple-Mail=_D29A4F0A-1B4C-464D-8ED8-34A9609D1C02
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Hi Steve,

> On 26 Jul 2016, at 20:41, Stephen Kent <kent@bbn.com> wrote:
>
>> As I said earlier there are circumstances where we as RIPE NCC are bound to reclaim resources from holders against their will. And however "unwanted" this may be by the holder of the resources, this is not because we bear these holders any ill will (and actually in most cases there is no dispute). Reclaiming resources is based on policy discussed in a bottom-up policy development process in our address policy working group. Calling this "adverse" implies that the holder is "right", and RIPE NCC is "wrong" in these cases.
> Use of the term does not imply that the INR holder is right and the CA is wrong. The fact that you keep using RIPE as the example CA suggests, to me, that you are biased and very defensive, in your interpretation of the term.

I keep using RIPE as an example because I am speaking out of my own experience - an experience that I believe is relevant to this discussion. And while I expect that others who act as parent CA, at any level, might share my concern, I don't presume to speak on their behalf.


Tim





--Apple-Mail=_D29A4F0A-1B4C-464D-8ED8-34A9609D1C02--


From nobody Thu Jul 28 05:36:59 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8588A12DFC3 for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 05:36:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level: 
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eo9votIbNA-i for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 05:36:44 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C57E012DFAE for <sidr@ietf.org>; Thu, 28 Jul 2016 05:36:43 -0700 (PDT)
Received: from titi.ripe.net ([193.0.23.11]) by molamola.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bSkYK-00097J-P4 for sidr@ietf.org; Thu, 28 Jul 2016 14:36:42 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-133.ripe.net) by titi.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bSkYK-0006V8-Ko; Thu, 28 Jul 2016 14:36:40 +0200
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <579404A8.50201@mandelberg.org>
Date: Thu, 28 Jul 2016 14:36:40 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <9DE63079-8715-439D-9DD0-F4A697DC4D1E@ripe.net>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com> <953A2A6D-FAF1-4E99-AD62-048E5A844228@zdns.cn> <579404A8.50201@mandelberg.org>
To: sidr <sidr@ietf.org>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points:   -8.8 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.0 BAYES_40               BODY: Bayes spam probability is 20 to 40% [score: 0.3950]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a0719a83b1f860d3d8199a9947d347da9f445
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/1SyF7RAEMQ3Wd1WwTzQIykFvQCQ>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 12:36:54 -0000

Hi all,

I believe SLURM is useful work.

I know that RPSTIR has an implementation, but the RIPE NCC RPKI Validator (yes, we need a cool name..) has been implementing the same semantics for a long time (years) - using a different format. I do not know whether rcynic has implemented similar. Rob?

Two implementations have implemented similar behaviour independently. In any case I think there is benefit in having a common format and semantics defined, and I supported adoption.

But.. I do have concerns and questions about the *current* format defined in the document. It represents the RPSTIR implementation. I have been meaning to discuss and comment as an RP implementor but unfortunately have not been able to do so, due to other priorities. Going forward I appreciate that Declan Ma volunteers to take on the work as author, but I think it would be best to have author representatives of each of the three RPs to ensure that the resulting configuration file and semantics are understood by all and feasible to implement by all.

In short I would like to volunteer to co-author and would kindly ask Rob if he would be willing. I have no problems with moving this to sidr-ops and having the discussion on content then and there.

Tim



> On 24 Jul 2016, at 01:58, David Mandelberg <david@mandelberg.org> wrote:
>
> Di, enjoy. You have my permission to take over SLURM. Let me know if
> there's anything I can do to help.
>
> On 07/22/2016 05:48 AM, Declan Ma wrote:
>> Sandy & Chris,
>>
>> Thank Steve for recommending me to take over SLURM.
>>
>> With David’s permission, I would be happy to assume responsibility for SLURM.
>>
>> I think SLURM is quite important to RPKI operation in terms of local network.
>>
>> SLURM provides a simple way to enable INR holders to establish a local, customized view of the RPKI, by overriding RPKI repository data if needed.
>>
>> In particular, I was exchanging notes with David earlier on the use of multiple SLURM files among others, which I believe is worth more text in the next version of SLURM.
>>
>> Di
>>
>>> On 21 Jul 2016, at 19:42, Stephen Kent <kent@bbn.com> wrote:
>>>
>>> Sandy & Chris,
>>>
>>> I believe Chris' declaration is premature.
>>>
>>> I anticipate that Dr. Ma may want to take over slurm, with David's permission.
>>>
>>> With a few minor tweaks the use cases doc can be done.
>>>
>>> Steve
>
> --
> David Eric Mandelberg / dseomn
> http://david.mandelberg.org/


From nobody Thu Jul 28 07:32:24 2016
Return-Path: <tim@ripe.net>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F87112D7AD for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 07:32:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.186
X-Spam-Level: 
X-Spam-Status: No, score=-3.186 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ykzRu33OQH3k for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 07:32:17 -0700 (PDT)
Received: from molamola.ripe.net (molamola.ripe.net [IPv6:2001:67c:2e8:11::c100:1371]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E367412D78D for <sidr@ietf.org>; Thu, 28 Jul 2016 07:32:16 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by molamola.ripe.net with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <tim@ripe.net>) id 1bSmM7-0007Bd-C4; Thu, 28 Jul 2016 16:32:12 +0200
Received: from sslvpn.ripe.net ([193.0.20.230] helo=vpn-133.ripe.net) by nene.ripe.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.72) (envelope-from <tim@ripe.net>) id 1bSmM7-0005XV-7J; Thu, 28 Jul 2016 16:32:11 +0200
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/alternative; boundary="Apple-Mail=_FE1FA483-63A2-492B-9ED5-A80EBB143675"
From: Tim Bruijnzeels <tim@ripe.net>
In-Reply-To: <4866b582-0016-2136-1dc6-e95946eeff78@bbn.com>
Date: Thu, 28 Jul 2016 16:32:10 +0200
Message-Id: <99F55C95-7589-4594-B1B1-8988682FBB46@ripe.net>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com> <yj9ofur2iqgd.wl%morrowc@ops-netman.net> <m28twudtww.wl%randy@psg.com> <CAL9jLab9Zaz1UjJfjJNmjU3FcMkF+mSYKLj7VGKEydK0FKOjJg@mail.gmail.com> <4866b582-0016-2136-1dc6-e95946eeff78@bbn.com>
To: Stephen Kent <kent@bbn.com>
X-Mailer: Apple Mail (2.3124)
X-ACL-Warn: Delaying message
X-RIPE-Spam-Level: --------
X-RIPE-Spam-Report: Spam Total Points:   -8.0 points pts rule name              description ---- ---------------------- ------------------------------------ -7.5 ALL_TRUSTED            Passed through trusted hosts only via SMTP -1.3 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain 0.0 HTML_MESSAGE           BODY: HTML included in message 0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60% [score: 0.4124]
X-RIPE-Signature: 784d7acfe6559f2a0b602ec6519a07198e812b62ce4be12dd189c93f7bb788d9
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/bx3jLOo2aPwzzoBOtanDJHpL1Fg>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr <sidr@ietf.org>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 14:32:23 -0000

--Apple-Mail=_FE1FA483-63A2-492B-9ED5-A80EBB143675
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=utf-8

Hi,

> On 22 Jul 2016, at 17:48, Stephen Kent <kent@bbn.com> wrote:
>
> It seems preferable to describe the first motivating case without reference to a specific RIR.

Although I appreciate that Randy is trying to explain the case in terms anyone can understand, it would be preferable to keep it general.

> (Including a parenthetical note about the historical precedent of a Dutch court order involving RIPE is relevant and might be included.)

If there was such a precedent, but there isn't. I have raised this before, but again...

The incident you refer to is in fact a case where the FBI asked the Dutch police to enforce an order issued by a US court, which would demand that the RIPE NCC take all measures to ensure that the suspect’s IP address registration was not transferred or amended.

And while the RIPE NCC initially carried out this order (to freeze, not remove/modify etc) it also immediately sought legal advice, and following that advice it was concluded that there was no legal basis for the order.

So, as far as precedents go, this is a different case altogether (freeze contact information, not remove/modify routing information), and actually points in the opposite direction.

More details here:
https://www.ripe.net/publications/news/about-ripe-ncc-and-ripe/summons-of-the-ripe-ncc-against-the-state-of-the-netherlands



Tim







--Apple-Mail=_FE1FA483-63A2-492B-9ED5-A80EBB143675--


From nobody Thu Jul 28 07:38:34 2016
Return-Path: <internet-drafts@ietf.org>
X-Original-To: sidr@ietf.org
Delivered-To: sidr@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BF3412D505; Thu, 28 Jul 2016 07:38:30 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 6.29.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20160728143830.12900.82903.idtracker@ietfa.amsl.com>
Date: Thu, 28 Jul 2016 07:38:30 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/uMG1J8KTtuXSmHs7jYsalowb8sk>
Cc: sidr@ietf.org
Subject: [sidr] I-D Action: draft-ietf-sidr-lta-use-cases-07.txt
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 14:38:30 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Secure Inter-Domain Routing of the IETF.

        Title           : Use Cases for Localized Versions of the RPKI
        Author          : Randy Bush
        Filename        : draft-ietf-sidr-lta-use-cases-07.txt
        Pages           : 5
        Date            : 2016-07-28

Abstract:
   There are a number of critical circumstances where a localized
   routing domain needs to augment or modify its view of the Global
   RPKI.  This document attempts to outline a few of them.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-sidr-lta-use-cases/

There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-sidr-lta-use-cases-07

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-sidr-lta-use-cases-07


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Thu Jul 28 08:08:23 2016
Return-Path: <madi@zdns.cn>
X-Original-To: sidr@ietfa.amsl.com
Delivered-To: sidr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B4FB12D63A for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 08:08:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level: 
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hk9JaK3w_kJQ for <sidr@ietfa.amsl.com>; Thu, 28 Jul 2016 08:08:20 -0700 (PDT)
Received: from gw1.turbomail.org (gw1.turbomail.org [159.8.83.126]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6128512D80F for <sidr@ietf.org>; Thu, 28 Jul 2016 08:08:15 -0700 (PDT)
X-TM-DID: 73d9ba99db0d0bfee63b5afc4f30e9af
Content-Type: text/plain; charset=gb2312
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Declan Ma <madi@zdns.cn>
In-Reply-To: <99F55C95-7589-4594-B1B1-8988682FBB46@ripe.net>
Date: Thu, 28 Jul 2016 23:03:53 +0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <CB5C3813-9FDC-43E9-817E-50481EB5FDE5@zdns.cn>
References: <yj9oinvzi8gj.wl%morrowc@ops-netman.net> <87E65996-2ACD-4A3A-8D20-1C7911CBBB72@tislabs.com> <58c60c65-b96c-4984-4ba4-4d4e64e51538@bbn.com> <yj9ofur2iqgd.wl%morrowc@ops-netman.net> <m28twudtww.wl%randy@psg.com> <CAL9jLab9Zaz1UjJfjJNmjU3FcMkF+mSYKLj7VGKEydK0FKOjJg@mail.gmail.com> <4866b582-0016-2136-1dc6-e95946eeff78@bbn.com> <99F55C95-7589-4594-B1B1-8988682FBB46@ripe.net>
To: Tim Bruijnzeels <tim@ripe.net>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sidr/rGxDx-Tgb9RXambu1b1C7hLFj5c>
Cc: Chris Morrow <morrowc@ops-netman.net>, sidr <sidr@ietf.org>
Subject: Re: [sidr] two stranded docuemnts - stake time
X-BeenThere: sidr@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Secure Interdomain Routing <sidr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sidr>, <mailto:sidr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sidr/>
List-Post: <mailto:sidr@ietf.org>
List-Help: <mailto:sidr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sidr>, <mailto:sidr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2016 15:08:22 -0000

> On 28 Jul 2016, at 22:32, Tim Bruijnzeels <tim@ripe.net> wrote:
>
> Hi,
>
>> On 22 Jul 2016, at 17:48, Stephen Kent <kent@bbn.com> wrote:
>>
>> It seems preferable to describe the first motivating case without reference to a specific RIR.
>
> Although I appreciate that Randy is trying to explain the case in terms anyone can understand, it would be preferable to keep it general.

And adverse actions I-D offers expressions to support the example. Sections of it might be cited as well.

Di


